CVE-2018-18226 — Missing Release of Resource after Effective Lifetime in Wireshark

CWE-772 — Missing Release of Resource after Effective Lifetime CWE-200 — Sensitive Information Exposure7 documents6 sources

Severity

7.5HIGHNVD

EPSS

1.5%

top 18.99%

CISA KEV

Not in KEV

Exploit

No known exploits

Affected products

Wireshark Debian Wireshark Debian Linux

Timeline

PublishedOct 12

Latest updateMay 13

Description

In Wireshark 2.6.0 to 2.6.3, the Steam IHS Discovery dissector could consume system memory. This was addressed in epan/dissectors/packet-steam-ihs-discovery.c by changing the memory-management approach.

CVSS vector

CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:HExploitability: 3.9 | Impact: 3.6

Affected Packages3 packages

▶debiandebian/wireshark< wireshark 2.6.4-1 (bookworm)

▶Debianwireshark/wireshark< 2.6.4-1+3

▶NVDwireshark/wireshark2.6.0 — 2.6.3

Also affects: Debian Linux 9.0

Patches

Patch: bugs.wireshark.org ↗Patch: bugs.wireshark.org ↗

🔴Vulnerability Details

GHSA

GHSA-9fc9-pcc6-hcpv: In Wireshark 2↗2022-05-13

▶

OSV

CVE-2018-18226: In Wireshark 2↗2018-10-12

▶

📋Vendor Advisories

Red Hat

wireshark: Steam IHS Discovery dissector memory leak↗2018-10-10

▶

Debian

CVE-2018-18226: wireshark - In Wireshark 2.6.0 to 2.6.3, the Steam IHS Discovery dissector could consume sys...↗2018

▶

💬Community

Bugzilla

CVE-2018-18226 wireshark: Steam IHS Discovery dissector memory leak↗2018-10-25

▶

Bugzilla

CVE-2018-12086 CVE-2018-18225 CVE-2018-18226 CVE-2018-18227 wireshark: various flaws [fedora-all]↗2018-10-25

▶