CVE-2024-2955 in Wireshark

Summary

by MITRE • 03/26/2024

T.38 dissector crash in Wireshark 4.2.0 to 4.0.3 and 4.0.0 to 4.0.13 allows denial of service via packet injection or crafted capture file

Analysis

by VulDB Data Team • 08/06/2025

The vulnerability identified as CVE-2024-2955 represents a critical denial of service flaw within Wireshark's T.38 dissector functionality. This issue affects multiple versions of the popular network protocol analyzer, specifically targeting releases from 4.2.0 through 4.0.3 and 4.0.0 through 4.0.13. The T.38 dissector is responsible for analyzing T.38 protocol packets, which are commonly used in fax communications over IP networks. When processing malformed or specially crafted T.38 packets, the dissector fails to properly handle certain data structures, leading to a complete application crash that renders the network analysis tool unusable.

The technical flaw manifests through improper input validation within the T.38 dissector component of Wireshark's protocol analysis engine. This vulnerability falls under the category of buffer overflows or memory corruption issues as classified by CWE-121, where the dissector fails to properly validate packet headers and payload data before attempting to parse them. The flaw occurs when the dissector encounters unexpected packet structures that cause it to access memory locations outside of its allocated buffers or attempt to process data in ways that violate the expected protocol format. This type of vulnerability is particularly dangerous because it can be exploited through two distinct attack vectors: direct packet injection into a network capture or by crafting malicious capture files that, when opened, trigger the crash condition.

The operational impact of this vulnerability extends beyond simple service disruption, as it can severely compromise network analysis capabilities for security professionals, network administrators, and forensic investigators who rely on Wireshark for critical network monitoring tasks. When exploited, the vulnerability allows attackers to perform denial of service attacks against systems running vulnerable versions of Wireshark, potentially preventing security teams from analyzing network traffic during incident response activities or routine network troubleshooting. The vulnerability's exploitability through both live packet injection and crafted capture files makes it particularly dangerous in environments where network traffic analysis tools are routinely used for security monitoring, as adversaries could potentially disrupt critical network operations without requiring physical access to the target system.

Mitigation strategies for CVE-2024-2955 primarily focus on immediate version upgrades to patched releases of Wireshark, as recommended by the vendor's security advisories. Network security teams should prioritize updating their Wireshark installations to versions that contain the necessary patches addressing the T.38 dissector crash vulnerability. Additionally, implementing network segmentation and access controls to limit who can inject packets into monitored networks can help reduce the attack surface. Organizations should also consider implementing automated monitoring for unusual network behavior that might indicate exploitation attempts, as the crash would likely be detectable through network monitoring systems. From an ATT&CK framework perspective, this vulnerability maps to techniques involving denial of service and privilege escalation, as the successful exploitation can disrupt critical network analysis capabilities that security teams depend upon for maintaining network security posture.

Responsible: GitLab Inc.
Reservation: 03/26/2024
Disclosure: 03/26/2024
Moderation: accepted
CPE: ready
EPSS: 0.00095
KEV: no
Activities: very low
