CVE-2026-6520
Published: 30 April 2026
Summary
CVE-2026-6520 is a medium-severity Infinite Loop (CWE-835) vulnerability in Wireshark Wireshark. Its CVSS base score is 5.5 (Medium).
Operationally, exploitation aligns with the MITRE ATT&CK technique Malicious File (T1204.002); ranked at the 6.2th percentile by exploit likelihood (below the median); it is not currently listed in the CISA KEV catalog; a public proof-of-concept is referenced.
The strongest mitigations our analysis identified are NIST 800-53 RA-5 (Vulnerability Monitoring and Scanning) and SI-2 (Flaw Remediation).
Threat & Defense at a Glance
Threat & Defense Details
Mitigating Controls (NIST 800-53 r5)AI
Directly mandates identification, reporting, and patching of software flaws like the infinite loop in Wireshark's OpenFlow v6 dissector to prevent exploitation.
Requires vulnerability scanning to identify systems running vulnerable Wireshark versions affected by CVE-2026-6520.
Ensures monitoring and dissemination of security advisories such as Wireshark's WNPA-SEC-2026-40 for timely awareness of this DoS vulnerability.
MITRE ATT&CK Enterprise TechniquesAI
Why these techniques?
The vulnerability is triggered by a user opening a malicious packet capture file containing crafted OpenFlow v6 traffic, directly mapping to T1204.002 for delivery via malicious file and T1499.004 for causing endpoint DoS through application exploitation (infinite loop leading to crash/hang).
NVD Description
OpenFlow v6 protocol dissector infinite loop in Wireshark 4.6.0 to 4.6.4 and 4.4.0 to 4.4.14 allows denial of service
Deeper analysisAI
CVE-2026-6520 is an infinite loop vulnerability in the OpenFlow v6 protocol dissector within Wireshark versions 4.6.0 through 4.6.4 and 4.4.0 through 4.4.14. Published on April 30, 2026, this flaw (CWE-835) enables a denial-of-service condition and carries a CVSS v3.1 base score of 5.5 (AV:L/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:H), indicating medium severity with high impact on availability but no confidentiality or integrity effects.
The vulnerability can be exploited by a local attacker with low complexity, requiring no privileges but user interaction, such as convincing a Wireshark user to open a malicious packet capture file containing crafted OpenFlow v6 traffic. Successful exploitation triggers an infinite loop in the dissector, causing Wireshark to consume excessive CPU resources, hang, or crash, resulting in a denial of service on the affected instance.
Mitigation details and patches are documented in Wireshark's security advisory WNPA-SEC-2026-40 at https://www.wireshark.org/security/wnpa-sec-2026-40.html and the related GitLab work item at https://gitlab.com/wireshark/wireshark/-/work_items/21181. Security practitioners should review these resources for updated versions and fix information.
Details
- CWE(s)