CVE-2020-26421 — Out-of-bounds Read in Wireshark

CWE-125 — Out-of-bounds Read CWE-119 — Improper Restriction of Operations within the Bounds of a Memory Buffer6 documents6 sources

Severity

5.3MEDIUMNVD

CNA4.2

EPSS

0.1%

top 72.35%

CISA KEV

Not in KEV

Exploit

No known exploits

Affected products

Wireshark THE Wireshark Foundation Wireshark Debian Linux +2 more

Timeline

PublishedDec 11

Latest updateMay 24

Description

Crash in USB HID protocol dissector and possibly other dissectors in Wireshark 3.4.0 and 3.2.0 to 3.2.8 allows denial of service via packet injection or crafted capture file.

CVSS vector

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:LExploitability: 3.9 | Impact: 1.4

Affected Packages4 packages

▶Debianwireshark/wireshark< 3.4.1-1+3

▶NVDwireshark/wireshark3.2.0 — 3.2.8+1

▶CVEListV5the_wireshark_foundation/wireshark3.4.0, >= 3.2.0 to < 3.2.9+1

▶NVDoracle/zfs_storage_appliance_kit8.8

Also affects: Debian Linux 9.0, Fedora 32, 33

Patches

Patch: www.oracle.com ↗Patch: www.oracle.com ↗

🔴Vulnerability Details

GHSA

GHSA-955v-hqm3-9444: Crash in USB HID protocol dissector and possibly other dissectors in Wireshark 3↗2022-05-24

▶

OSV

CVE-2020-26421: Crash in USB HID protocol dissector and possibly other dissectors in Wireshark 3↗2020-12-11

▶

CVEList

CVE-2020-26421: Crash in USB HID protocol dissector and possibly other dissectors in Wireshark 3↗2020-12-11

▶

📋Vendor Advisories

Red Hat

wireshark: USB HID dissector crash (wnpa-sec-2020-17)↗2020-12-09

▶

Debian

CVE-2020-26421: wireshark - Crash in USB HID protocol dissector and possibly other dissectors in Wireshark 3...↗2020

▶