CVE-2026-15170 in Wireshark
Summary
by MITRE • 07/09/2026
Z39.50 protocol dissector crash in Wireshark 4.6.0 to 4.6.6 and 4.4.0 to 4.4.16 allows denial of service
VulDB is the best source for vulnerability data and more expert information about this specific topic.
Analysis
by VulDB Data Team • 07/09/2026
The vulnerability involves a critical heap-based buffer overflow in the Z39.50 protocol dissector within Wireshark versions ranging from 4.4.0 through 4.4.16 and 4.6.0 through 4.6.6. This flaw resides in the application layer protocol decoding mechanism that processes network traffic for the Z39.50 standard, which is commonly used for information retrieval systems particularly in library and academic environments. The issue manifests when Wireshark attempts to parse malformed or maliciously crafted Z39.50 packets during network packet analysis operations. The technical implementation contains improper bounds checking within the dissector function responsible for interpreting Z39.50 protocol fields, specifically affecting how the software handles variable-length data structures and string parsing operations. This vulnerability directly maps to CWE-121 Stack-based Buffer Overflow and CWE-787 Out-of-bounds Write according to the Common Weakness Enumeration catalog, where insufficient validation allows attackers to overwrite adjacent memory locations through crafted packet payloads.
The operational impact of this vulnerability presents a significant denial of service threat that can be exploited by remote attackers without authentication requirements. When a victim analyst opens a specially crafted pcap file containing malicious Z39.50 traffic or captures such packets during network monitoring, Wireshark will crash and terminate unexpectedly. This disruption affects legitimate network analysis activities and can potentially impact critical infrastructure monitoring systems where Wireshark serves as the primary packet inspection tool. The vulnerability is particularly concerning in enterprise environments where network security analysts rely on Wireshark for incident response and threat hunting operations. Attackers could leverage this flaw to disrupt forensic investigations by causing the analysis tool to crash when examining suspicious network traffic, effectively preventing security teams from conducting proper protocol analysis.
Mitigation strategies include immediate upgrade to Wireshark versions 4.4.17 or 4.6.7 which contain patches addressing the buffer overflow conditions in the Z39.50 dissector. Network administrators should also implement defensive measures such as network segmentation and monitoring for unusual packet patterns that might indicate exploitation attempts. The ATT&CK framework categorizes this vulnerability under T1498 Network Denial of Service, where adversaries can leverage application-level flaws to disrupt network analysis capabilities. Organizations should also consider implementing sandboxed environments for pcap file analysis to prevent direct exposure of primary analysis systems to potentially malicious traffic. Additionally, regular security assessments and penetration testing should include verification of protocol dissector integrity to identify similar vulnerabilities in other network analysis tools. The patching process requires careful consideration of backward compatibility and testing procedures to ensure that legitimate Z39.50 traffic continues to be properly analyzed after remediation while preventing the exploitation vectors associated with malformed packets.