CVE-2016-4078 — Improper Input Validation in Wireshark

CWE-20 — Improper Input Validation7 documents6 sources

Severity

5.9MEDIUMNVD

EPSS

0.4%

top 42.02%

CISA KEV

Not in KEV

Exploit

No known exploits

Affected products

Wireshark Debian Wireshark

Timeline

PublishedApr 25

Latest updateMay 17

Description

The IEEE 802.11 dissector in Wireshark 1.12.x before 1.12.11 and 2.0.x before 2.0.3 does not properly restrict element lists, which allows remote attackers to cause a denial of service (deep recursion and application crash) via a crafted packet, related to epan/dissectors/packet-capwap.c and epan/dissectors/packet-ieee80211.c.

CVSS vector

CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:N/A:HExploitability: 2.2 | Impact: 3.6

Affected Packages3 packages

▶debiandebian/wireshark< wireshark 2.0.3+geed34f0-1 (bookworm)

▶Debianwireshark/wireshark< 2.0.3+geed34f0-1+3

▶NVDwireshark/wireshark14 versions+13

🔴Vulnerability Details

GHSA

GHSA-q5q9-8q79-9xp9: The IEEE 802↗2022-05-17

▶

OSV

CVE-2016-4078: The IEEE 802↗2016-04-25

▶

📋Vendor Advisories

Red Hat

wireshark: IEEE 802.11 dissector crash (wnpa-sec-2016-21)↗2016-04-22

▶

Debian

CVE-2016-4078: wireshark - The IEEE 802.11 dissector in Wireshark 1.12.x before 1.12.11 and 2.0.x before 2....↗2016

▶

💬Community

Bugzilla

CVE-2016-4078 wireshark: IEEE 802.11 dissector crash (wnpa-sec-2016-21)↗2016-04-25

▶

Bugzilla

CVE-2016-4006 CVE-2016-4078 CVE-2016-4079 CVE-2016-4080 CVE-2016-4081 CVE-2016-4082 CVE-2016-4085 wireshark: various flaws [fedora-all]↗2016-04-25

▶