SB2026071565 - Fedora 44 update for wireshark
Published: July 15, 2026
Breakdown by Severity
- Low
- Medium
- High
- Critical
Description
This security bulletin contains information about 12 vulnerabilities.
1) Infinite loop (CVE-ID: CVE-2026-15163)
CWE-ID: CWE-835 - Loop with Unreachable Exit Condition ('Infinite Loop')
CVSSv4: CVSS:4.0/AV:L/AC:L/AT:N/PR:N/UI:A/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N/E:U/U:Green
The vulnerability allows a remote attacker to cause a denial of service.
The vulnerability exists due to an infinite loop in the MIH, MPEG DSM-CC, eDonkey, and MEGACO protocol dissectors when parsing malformed packets or crafted packet trace files. A remote attacker can inject a malformed packet onto the wire or convince a victim to open a malformed packet trace file to cause a denial of service.
User interaction is required when exploitation uses a crafted packet trace file.
2) Input validation error (CVE-ID: CVE-2026-15164)
CWE-ID: CWE-20 - Improper input validation
CVSSv4: CVSS:4.0/AV:L/AC:L/AT:N/PR:N/UI:A/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N/E:U/U:Green
The vulnerability allows a remote attacker to cause a denial of service.
The vulnerability exists due to improper input validation in ciscodump extcap when connecting to a hostile device. A remote attacker can present a hostile device to cause a denial of service.
User interaction is required to connect to the hostile device.
3) Input validation error (CVE-ID: CVE-2026-15165)
CWE-ID: CWE-20 - Improper input validation
CVSSv4: CVSS:4.0/AV:L/AC:L/AT:N/PR:N/UI:A/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N/E:U/U:Green
The vulnerability allows a remote attacker to cause a denial of service.
The vulnerability exists due to improper input validation in TLS ECH decryption code when parsing a malformed packet trace file. A remote attacker can craft a malformed packet trace file to cause a denial of service.
User interaction is required to open the crafted packet trace file.
4) Input validation error (CVE-ID: CVE-2026-15166)
CWE-ID: CWE-20 - Improper input validation
CVSSv4: CVSS:4.0/AV:L/AC:L/AT:N/PR:N/UI:A/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N/E:U/U:Green
The vulnerability allows a remote attacker to cause a denial of service.
The vulnerability exists due to improper input validation in the IEEE 802.11 protocol dissector when parsing a malformed packet trace file. A remote attacker can trick the victim into opening a crafted packet trace file to cause a denial of service.
User interaction is required to open the crafted packet trace file.
5) Input validation error (CVE-ID: CVE-2026-15167)
CWE-ID: CWE-20 - Improper input validation
CVSSv4: CVSS:4.0/AV:L/AC:L/AT:N/PR:N/UI:A/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N/E:U/U:Green
The vulnerability allows a remote attacker to cause a denial of service.
The vulnerability exists due to improper input validation in the DBS Etherwatch file parser when parsing a malformed packet trace file. A remote attacker can trick the victim into opening a crafted packet trace file to cause a denial of service.
User interaction is required to open the crafted file.
6) Out-of-bounds read (CVE-ID: CVE-2026-15168)
CWE-ID: CWE-125 - Out-of-bounds read
CVSSv4: CVSS:4.0/AV:L/AC:L/AT:N/PR:N/UI:A/VC:L/VI:N/VA:N/SC:N/SI:N/SA:N/E:U/U:Clear
The vulnerability allows a remote attacker to disclose sensitive information.
The vulnerability exists due to out-of-bounds read in the BLF file parser when parsing a malformed packet trace file. A remote attacker can trick the victim into opening a crafted file to disclose sensitive information.
User interaction is required to open a crafted packet trace file.
7) Input validation error (CVE-ID: CVE-2026-15169)
CWE-ID: CWE-20 - Improper input validation
CVSSv4: CVSS:4.0/AV:L/AC:L/AT:N/PR:N/UI:A/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N/E:U/U:Green
The vulnerability allows a remote attacker to cause a denial of service.
The vulnerability exists due to improper input validation in the UMTS FP protocol dissector when parsing malformed packet data. A remote attacker can inject a malformed packet onto the wire or trick a victim into opening a malformed packet trace file to cause a denial of service.
User interaction is required when exploitation is performed via a crafted packet trace file.
8) Input validation error (CVE-ID: CVE-2026-15170)
CWE-ID: CWE-20 - Improper input validation
CVSSv4: CVSS:4.0/AV:L/AC:L/AT:N/PR:N/UI:A/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N/E:U/U:Green
The vulnerability allows a remote attacker to cause a denial of service.
The vulnerability exists due to improper input validation in the Z39.50 protocol dissector when parsing malformed packets or packet trace files. A remote attacker can inject a malformed packet onto the wire or trick the victim into opening a malformed packet trace file to cause a denial of service.
User interaction is required when exploitation is performed via a crafted packet trace file.
9) Input validation error (CVE-ID: CVE-2026-15171)
CWE-ID: CWE-20 - Improper input validation
CVSSv4: CVSS:4.0/AV:L/AC:L/AT:N/PR:N/UI:A/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N/E:U/U:Green
The vulnerability allows a remote attacker to cause a denial of service.
The vulnerability exists due to improper input validation in the SSH protocol dissector when parsing a malformed packet trace file. A remote attacker can craft a malformed packet trace file to cause a denial of service.
User interaction is required to open the crafted packet trace file.
10) Input validation error (CVE-ID: CVE-2026-15172)
CWE-ID: CWE-20 - Improper input validation
CVSSv4: CVSS:4.0/AV:L/AC:L/AT:N/PR:N/UI:A/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N/E:U/U:Green
The vulnerability allows a remote attacker to cause a denial of service.
The vulnerability exists due to improper input validation in the FMP/NOTIFY protocol dissector when parsing malformed packets or packet trace files. A remote attacker can inject a malformed packet onto the wire or convince a victim to open a malformed packet trace file to cause a denial of service.
User interaction is required when exploitation is performed via a crafted packet trace file.
11) Input validation error (CVE-ID: CVE-2026-15173)
CWE-ID: CWE-20 - Improper input validation
CVSSv4: CVSS:4.0/AV:L/AC:L/AT:N/PR:N/UI:A/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N/E:U/U:Green
The vulnerability allows a remote attacker to cause a denial of service.
The vulnerability exists due to improper input validation in the pcapng file parser when parsing a malformed packet trace file. A remote attacker can trick the victim into opening a crafted packet trace file to cause a denial of service.
User interaction is required to open a crafted packet trace file.
12) Input validation error (CVE-ID: CVE-2026-15174)
CWE-ID: CWE-20 - Improper input validation
CVSSv4: CVSS:4.0/AV:L/AC:L/AT:N/PR:N/UI:A/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N/E:U/U:Green
The vulnerability allows a remote attacker to cause a denial of service.
The vulnerability exists due to improper input validation in the Catapult DCT2000 protocol dissector when parsing malformed packets or packet trace files. A remote attacker can inject a malformed packet onto the wire or trick the victim into opening a malformed packet trace file to cause a denial of service.
User interaction is required when exploitation uses a malformed packet trace file.
Remediation
Install update from vendor's website.