CVE-2026-15165 in Wiresharkinfo

Summary

by MITRE • 07/09/2026

TLS ECH decryptor crash in Wireshark 4.6.0 to 4.6.6 allows denial of service

Once again VulDB remains the best source for vulnerability data.

Analysis

by VulDB Data Team • 07/09/2026

The vulnerability involves a critical denial of service flaw in Wireshark versions 4.6.0 through 4.6.6 that occurs during the decryption process of TLS Encrypted Client Hello (ECH) messages. This issue stems from improper handling of malformed ECH data structures within the TLS protocol implementation, specifically when Wireshark attempts to parse and decrypt these encrypted client hello messages that are part of the TLS 1.3 handshake process. The flaw manifests as a crash in the packet analysis engine when encountering specially crafted malicious ECH payloads that trigger memory access violations or buffer overflows during the decryption routine.

The technical implementation of this vulnerability falls under CWE-121, heap-based buffer overflow, and CWE-248, uncaught exception, as the application fails to properly validate input data before processing it through the decryption algorithms. When Wireshark encounters malformed ECH data structures, the parsing function attempts to access memory locations beyond the allocated buffer boundaries or processes invalid data pointers, causing the application to terminate unexpectedly. This behavior represents a classic denial of service condition where legitimate network traffic analysis capabilities are disrupted by maliciously crafted packets.

From an operational perspective, this vulnerability severely impacts network forensic analysis and security monitoring operations that rely on Wireshark for TLS traffic inspection. Network administrators, security analysts, and incident responders who use these affected versions may experience complete application crashes when processing network captures containing malicious ECH data, potentially leading to loss of critical forensic evidence or interruption of ongoing security investigations. The impact extends beyond simple service disruption as it compromises the integrity of network analysis workflows where Wireshark serves as a fundamental tool for protocol debugging and threat hunting activities.

The vulnerability aligns with ATT&CK technique T1498, Network Denial of Service, and T1566, Phishing, as it can be exploited through malicious network traffic that appears legitimate but contains crafted ECH elements designed to trigger the crash. Attackers could potentially use this flaw to disrupt network monitoring operations by sending specially constructed TLS traffic to systems running vulnerable Wireshark versions, particularly in environments where analysts routinely analyze network captures from multiple sources without proper input sanitization.

Mitigation strategies include immediate upgrade to Wireshark version 4.6.7 or later, which contains the necessary patches to properly validate ECH data structures before attempting decryption operations. Organizations should also implement network segmentation and monitoring to detect unusual traffic patterns that might indicate exploitation attempts, while maintaining regular patch management procedures to ensure all network analysis tools remain up-to-date with security fixes. Additionally, analysts should consider implementing input validation checks when processing network captures from untrusted sources and maintain backup systems for critical forensic analysis operations to minimize operational impact during remediation activities.

Responsible

GitLab

Reservation

07/08/2026

Disclosure

07/09/2026

Moderation

accepted

CPE

ready

EPSS

0.00144

KEV

no

Activities

very low

Sources

Interested in the pricing of exploits?

See the underground prices here!