VYPR
Medium severity 5.5 · NVD Advisory · Published May 27, 2026

CVE-2026-9759

Description

ROHC protocol dissector crash in Wireshark 4.6.0 to 4.6.5 and 4.4.0 to 4.4.15 allows denial of service

AI Insight

LLM-synthesized narrative grounded in this CVE's description and references.

A NULL-pointer write in Wireshark's ROHC dissector (4.6.0–4.6.5, 4.4.0–4.4.15) crashes the application via crafted packets.

Vulnerability

The ROHC (Robust Header Compression) protocol dissector in Wireshark versions 4.6.0 to 4.6.5 and 4.4.0 to 4.4.15 contains a NULL-pointer write flaw. When the dissector processes a packet that uses the uncompressed profile (profile=0) with large_cid_present=true, and the packet ends exactly at the CID field (len == val_len), wmem_alloc(pool, 0) returns NULL. A subsequent tvb_memcpy then writes one byte to address NULL, causing a crash [1]. The second tvb_memcpy is called with a length of len-1, which wraps to SIZE_MAX and throws an exception, so only a single byte is written to NULL [1].

Exploitation

An attacker must first send a multi-packet sequence to establish the ROHC context with profile=0 and large CID enabled, typically via GTP-U or PPP transport [1]. After the context is set, the attacker sends a malformed packet whose ROHC payload ends exactly at the CID field length, triggering the vulnerable code path. The attack can be delivered by injecting a packet onto the wire or by convincing a user to open a malicious packet capture file [2]. No authentication or special privileges are required beyond network access or file delivery.

Impact

Successful exploitation causes a crash of the Wireshark application (denial of service). The write to the NULL address corrupts memory and typically results in a segmentation fault. The attack does not appear to allow code execution or arbitrary memory write beyond the one-byte NULL write, and no exploits beyond crashing have been reported [2].

Mitigation

The vulnerability is fixed in Wireshark versions 4.6.6 and 4.4.16, released May 19, 2026 [2]. Users should upgrade to these or later versions. As a workaround, users can avoid opening untrusted packet captures and disable ROHC dissection via protocol preferences if not needed. No KEV listing or known public exploits exist as of publication [2].

AI Insight generated on May 27, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.

Affected products

2
  • Wireshark/Wireshark (2 versions)
    • (no CPE)
    • (no CPE), range: 4.4.0 to 4.4.15, 4.6.0 to 4.6.5

Patches

0

No patches discovered yet.

Vulnerability mechanics

Root cause

"Missing length check in the ROHC dissector when handling the uncompressed profile with large CID, causing `wmem_alloc(pool, 0)` to return NULL and a subsequent one-byte write to that NULL pointer."

Attack vector

An attacker must first establish a ROHC context with profile=0 (uncompressed) and large_cid=true, typically via multi-packet sequences over GTP-U or PPP transport [1]. Once the context is configured, a specially crafted packet whose payload ends exactly at the CID field (len == val_len) triggers the bug. The attacker does not need any prior authentication, but must induce a user or automated system to process the malicious capture (local attack vector, user interaction required per CVSS).

Affected code

The ROHC (Robust Header Compression) dissector in Wireshark, specifically the code path handling the uncompressed profile (profile=0) with large_cid_present=true, is at fault. When the packet ends exactly at the CID field (len == val_len), `wmem_alloc(pool, 0)` returns NULL, and `tvb_memcpy` subsequently writes one byte to that NULL pointer.

What the fix does

The issue report [1] describes the expected correct behavior: the dissector should create a tvbuffer of length 1 and write one byte to it, rather than allocating a zero-length buffer that returns NULL. No patch diff is included in the bundle, but the remediation guidance is to ensure that when len == val_len, a buffer of at least length 1 is allocated before the tvb_memcpy write.
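The length arithmetic and the guard described above, modeled in stand-alone C. This is an added example, not Wireshark's code and not the fix commit. The function names, the `alloc_or_null` stand-in for an allocator that returns NULL on a zero-byte request, and the packet layout (first octet, then `val_len` CID bytes, then payload) are assumptions made for illustration.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdlib.h>
#include <string.h>

/* Hypothetical stand-in for an allocator that returns NULL for a
 * zero-byte request, as the page says wmem_alloc(pool, 0) does. */
static void *alloc_or_null(size_t n) { return n ? malloc(n) : NULL; }

/* Sizes the unguarded path would use: buffer = len - val_len and
 * tail copy = buffer - 1. With len == val_len the buffer is 0 bytes
 * (allocator returns NULL) and the tail length wraps to SIZE_MAX. */
void unguarded_sizes(size_t len, size_t val_len, size_t *buf, size_t *tail)
{
    *buf = len - val_len;
    *tail = *buf - 1;          /* unsigned wrap when *buf == 0 */
}

/* Guarded rebuild. Assumed layout (illustration only): pkt[0] is the
 * first octet, val_len CID bytes follow, the rest is payload.
 * Returns the output length and sets *out (caller frees); 0 on error. */
size_t strip_large_cid(const uint8_t *pkt, size_t len, size_t val_len,
                       uint8_t **out)
{
    *out = NULL;
    if (pkt == NULL || len == 0 || len < val_len)
        return 0;                        /* nothing usable to copy */
    size_t out_len = len - val_len;
    if (out_len == 0)
        out_len = 1;                     /* never request 0 bytes */
    uint8_t *data = alloc_or_null(out_len);
    if (data == NULL)
        return 0;                        /* check before any write */
    data[0] = pkt[0];
    if (out_len > 1)                     /* tail only when it exists */
        memcpy(&data[1], pkt + 1 + val_len, out_len - 1);
    *out = data;
    return out_len;
}

int main(void)
{
    const uint8_t pkt[] = { 0xAA, 0x01, 0x02 };   /* constructed sample */
    uint8_t *out;
    size_t n = strip_large_cid(pkt, 2, 2, &out);  /* len == val_len */
    int ok = (n == 1 && out[0] == 0xAA);
    free(out);
    return ok ? 0 : 1;
}
```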

Preconditions

  • network: A multi-packet sequence must first establish a ROHC context with profile=0 (uncompressed) and large_cid=true, typically via GTP-U or PPP transport.
  • input: The attacker must deliver a malicious packet capture to a user or automated system that processes it with Wireshark.
  • auth: No authentication is required.

Generated on May 27, 2026. Inputs: CWE entries + fix-commit diffs from this CVE's patches. Citations validated against bundle.

References

1
