CVE-2026-6519
Published: 30 April 2026
Summary
CVE-2026-6519 is a medium-severity Infinite Loop (CWE-835) vulnerability in Wireshark. Its CVSS base score is 5.5 (Medium).
Operationally, exploitation aligns with the MITRE ATT&CK technique Malicious File (T1204.002). The CVE ranks at the 6.2 percentile by exploit likelihood (below the median), it is not currently listed in the CISA KEV catalog, and a public proof-of-concept is referenced.
The strongest mitigations our analysis identified are NIST 800-53 RA-5 (Vulnerability Monitoring and Scanning) and SI-2 (Flaw Remediation).
Threat & Defense Details
Mitigating Controls (NIST 800-53 r5)
SI-2 requires timely identification, reporting, and correction of flaws, directly mitigating CVE-2026-6519 by patching the infinite loop in Wireshark's MBIM protocol dissector.
RA-5 mandates vulnerability scanning that would identify vulnerable Wireshark versions (4.6.0-4.6.4 and 4.4.0-4.4.14) affected by the DoS flaw.
SI-5 ensures receipt of security advisories like Wireshark's WNPA-SEC-2026-41, enabling proactive awareness and patching of CVE-2026-6519.
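One way to apply the RA-5 check above to a software inventory, as an added example (not code from Wireshark or from this page's source): it flags installs whose version falls in the affected ranges listed here, comparing versions numerically so that 4.4.14 is not mis-ordered against 4.4.2 as it would be in a string comparison. The hostnames, banner strings and status labels are constructed for illustration, and the banner format is an assumption.

```python
import re

# Affected ranges as stated on this page (inclusive bounds).
AFFECTED = [((4, 6, 0), (4, 6, 4)), ((4, 4, 0), (4, 4, 14))]

# First dotted triple in a version banner or package version string.
# Assumption: inventory rows carry something like `tshark --version` output.
_VERSION_RE = re.compile(r"\b(\d+)\.(\d+)\.(\d+)\b")


def parse_version(text):
    """Return (major, minor, patch) as ints, or None if no version is found."""
    m = _VERSION_RE.search(text)
    return tuple(int(part) for part in m.groups()) if m else None


def is_affected(version):
    """True when the version lies inside a range this page lists as affected."""
    return any(lo <= version <= hi for lo, hi in AFFECTED)


def triage(inventory):
    """Map host -> 'affected', 'not-listed' or 'unknown' for (host, banner) rows.

    'not-listed' only means the version is outside the ranges on this page;
    'unknown' rows need a manual check rather than being treated as clean.
    """
    result = {}
    for host, banner in inventory:
        version = parse_version(banner)
        if version is None:
            result[host] = "unknown"
        else:
            result[host] = "affected" if is_affected(version) else "not-listed"
    return result


# Constructed inventory rows (hosts and banners are made up for this example).
SAMPLE_INVENTORY = [
    ("analyst-01", "TShark (Wireshark) 4.6.2 (v4.6.2-0-g0000000)."),
    ("analyst-02", "wireshark 4.4.14-1"),
    ("soc-jump", "Wireshark 4.4.15"),
    ("lab-07", "Wireshark 4.6.5"),
    ("sensor-03", "version unavailable"),
]

if __name__ == "__main__":
    for host, status in triage(SAMPLE_INVENTORY).items():
        print(f"{host}: {status}")
```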
MITRE ATT&CK Enterprise Techniques
Why these techniques?
The vulnerability is triggered by a user opening a specially crafted packet capture file in Wireshark, directly mapping to T1204.002 Malicious File for user execution. It enables denial of service through an infinite loop in the application, mapping to T1499.004 Application or System Exploitation via malformed input processing.
NVD Description
MBIM protocol dissector infinite loop in Wireshark 4.6.0 to 4.6.4 and 4.4.0 to 4.4.14 allows denial of service
Deeper analysis
CVE-2026-6519 is an infinite loop vulnerability (CWE-835) in the MBIM protocol dissector within Wireshark versions 4.6.0 through 4.6.4 and 4.4.0 through 4.4.14. This flaw can trigger a denial of service condition when processing malformed packets. The vulnerability carries a CVSS v3.1 base score of 5.5 (AV:L/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:H), indicating medium severity with high availability impact but no confidentiality or integrity effects.
Exploitation requires local access to the target system and user interaction, such as opening a specially crafted packet capture file in Wireshark. The attacker needs no privileges: convincing a user to load the malicious file is enough to make Wireshark enter an infinite loop and crash or become unresponsive, disrupting network analysis workflows.
Wireshark's security advisory WNPA-SEC-2026-41 and the associated GitLab work item (21184) provide details on the issue. Security practitioners should consult these references for patch information and upgrade to unaffected versions.
Details
- CWE(s)