VCA-MINI-WIRESHARK-CVES-2026-05: Wireshark / tshark RCE Quartet (May 2026)

Four real CVEs disclosed against Wireshark and tshark in early May 2026, all patched in Wireshark 4.6.5 (and 4.4.15 where the 4.4.x branch was affected). The four bugs cover four distinct shapes: heap overflow driven by integer truncation, heap overflow driven by multi-frame accounting failure, classic missing-bounds-check heap overflow, and zip-slip path traversal driving code execution. Together they make a pedagogically dense single-week vocabulary, structural, and defensive-analysis module that sweeps a representative cross-section of the modern parser-bug landscape.

Belt level: 3/5 (mini-module)
Pace: single-week module; 4 sessions of 60-90 min
Prerequisites: packet-capture analysis foundation (e.g., vca-net-101 or equivalent); Wireshark UI familiarity. No exploit-development required.
Lab target: lab-owned vulnerable Wireshark 4.6.4 / 4.4.14 inside the academy fwlab container, or pre-recorded .pcapng files. Production analyst workstations are never the target.
Companion handout: cve-lab-wireshark-rce-quartet-2026-05.md
Mini-modules are evergreen-after-disclosure topical lab content. The handout is shipped and live; this catalog page distils it for discovery. Cohort-side delivery follows the handout's session pacing.

The four CVEs at a glance

| CVE | Dissector | Bug class | CVSS 3.1 | Discoverer |
|---|---|---|---|---|
| CVE-2026-5402 | TLS (Encrypted Client Hello) | Heap overflow via integer truncation (CWE-190 to CWE-122 chain) | 8.8 (High) | Duc Anh Nguyen |
| CVE-2026-5403 | SBC audio codec (Bluetooth) | Heap overflow via multi-frame accounting failure (CWE-122 / CWE-787) | High | Duc Anh Nguyen |
| CVE-2026-5405 | RDP (RemoteFX ZGFX uncompressed path) | Heap overflow via missing bounds check (CWE-122 + CWE-120) | 8.8 (High) | Duc Anh Nguyen |
| CVE-2026-5656 | Profile import (ZIP archive handler) | Path traversal / Zip-Slip (CWE-22) chained to auto-loaded plugin RCE | High | Park, Kwon, Lee, Yun, Song (Theori) with Xint |

Three of the four are heap-overflow shapes that sit at increasing distances from the underlying memcpy-without-check primitive: RDP is the most direct, SBC adds loop-accounting indirection, and TLS adds integer-arithmetic indirection. The fourth (Profile Import) is structurally different (a path-traversal logic bug chained to an auto-execute architectural decision) and serves as the contrast case that makes the heap-overflow family more legible by comparison. That cross-CVE shape comparison is the pedagogical density that makes the quartet a single-week module rather than four scattered CVE references; students leave the week with vocabulary for three distinct heap-overflow shapes plus one path-traversal-to-RCE shape, anchored on real-world disclosures from the most recent Wireshark release.
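To make the three heap-overflow shapes concrete, here is a constructed C model, added for this catalog page and not taken from Wireshark's dissectors or their patches, of the length check each shape gets wrong beside the check that closes it. All function names, buffer capacities and frame lengths are invented for illustration.

```c
/* Constructed model of the three heap-overflow check shapes named above
 * (not Wireshark code). Each *_passes function models a dissector deciding
 * whether a declared length may be copied into an output buffer of out_cap
 * bytes; it returns 1 when the check accepts the copy. */
#include <stdint.h>
#include <stddef.h>

/* Shape 1 (TLS-style): integer truncation. The check runs on a narrowed
 * copy of the length, but the later copy uses the full-width value. */
static int truncation_check_passes(uint32_t declared_len, size_t out_cap) {
    uint16_t checked = (uint16_t)declared_len;   /* CWE-190: high bits lost */
    return checked <= out_cap;                   /* 0x10004 checks as 4 */
}
static int fixed_truncation_check_passes(uint32_t declared_len, size_t out_cap) {
    return declared_len <= out_cap;              /* compare the value actually copied */
}

/* Shape 2 (SBC-style): multi-frame accounting. Each frame is checked against
 * the whole buffer instead of the space left after earlier frames. */
static int loop_accounting_passes(const size_t *frame_len, size_t n, size_t out_cap) {
    for (size_t i = 0; i < n; i++)
        if (frame_len[i] > out_cap) return 0;    /* per-frame check only */
    return 1;
}
static int fixed_loop_accounting_passes(const size_t *frame_len, size_t n, size_t out_cap) {
    size_t written = 0;
    for (size_t i = 0; i < n; i++) {
        if (frame_len[i] > out_cap - written) return 0;  /* track cumulative use */
        written += frame_len[i];
    }
    return 1;
}

/* Shape 3 (RDP-style): missing bounds check. The declared length is trusted. */
static int missing_check_passes(uint32_t declared_len, size_t out_cap) {
    (void)declared_len; (void)out_cap;           /* CWE-120: nothing validated */
    return 1;
}
static int fixed_missing_check_passes(uint32_t declared_len, size_t out_cap) {
    return declared_len <= out_cap;
}

/* Given a check's verdict and the bytes the copy would really write,
 * report whether the accepted copy overruns the buffer (the CWE-122 outcome). */
static int overrun_if_accepted(int accepted, size_t total_copied, size_t out_cap) {
    return accepted && total_copied > out_cap;
}
```

The flawed and fixed variants take identical inputs, so the same test values show which shape lets an oversized copy through and which check stops it.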

Where this fits in the academy curriculum

The handout is referenced from six existing academy courses for vocabulary and defensive-analysis work, and appears again for patch-diff and reverse-engineering work inside specific later courses. The first use builds vocabulary and defensive instinct; the second develops actual reverse-engineering muscle on the same CVEs.

| Course | Role in this course |
|---|---|
| vca-sec-101 | Module 4 Vulnerability Landscape sidebars: integer-arithmetic class (TLS), loop-accounting class (SBC), asymmetric-validation class (RDP), zip-slip class (Profile import). All four CVEs appear here for vocabulary work. |
| vca-pen-101 | Engagement-lifecycle reconnaissance and reporting practice. Week 5 RDP-protocol fuzzing methodology references CVE-2026-5405 directly. |
| vca-adv-101 | Belt-5 reading list 2026-currency anchor for the integer-truncation primitive (TLS); cross-reference in the supply-chain-and-auto-execute discussion (Profile import); cross-reference for the asymmetric-validation pattern (RDP). |
| vca-re-101 + vca-re-201 | Binary-diffing exercise loci: TLS dissector across 4.6.4 vs 4.6.5; SBC codec diff; tvbuff_rdp.c diff against the analogous FreeRDP CVEs (CVE-2022-39316 / 39320). Formal lab sequence at handouts/re-101-cve-quartet-binary-diff-lab-cluster.md (4-CVE / 12-hour cluster across weeks 9-10). |
| vca-re-011 | Vocabulary scaffold; the Profile import CVE is the canonical accessible walked example for RE-011 because the bug is a logic bug rather than memory corruption (students can read the C++ patch line-by-line). |
| vca-net-101 | Capture-file analysis and sandbox discipline; Week 8 TLS introduction names CVE-2026-5402 as a 2026-currency anchor; Week 11 RTP / VoIP introduction names CVE-2026-5403 in passing. |
| /pcap-tools/ | Five academy-original CVE-trigger captures live in the catalog under the cve-quartet-2026-05/ prefix (one per CVE plus the Profile-import loopback variant). Each entry carries a warning badge, a range_fingerprint, a capture_timestamp, and a cve_anchor in the v4 manifest. Students inspect these alongside post-patch Wireshark for safe dissection. |

The A26 Network-Analyst track also uses the four CVEs as anchor cases for its protocol-state-machine analysis methodology. Every Wireshark dissector is a parser state-machine; every patch updates the state-machine's transitions; reverse-engineering the patch is reverse-engineering the FSM delta. The academy's FSM-viz tool at /workbench/fsm/ is the canonical pedagogical instrument for the more advanced reverse-engineering work that this mini-module bridges into.

What students learn

The mini-module covers vocabulary, structural, and defensive-analysis content. Deeper work (reproduce + capstone application) lives in the partner courses listed below; this page surfaces the forward-pointers so cohort members and prospective students see the full arc. A graduate of this single-week module can do five things, three covered here and two in the partner courses.

  1. Recognize the four bug shapes when they encounter analogous CVEs in future Wireshark releases or in other parser codebases. Heap overflow via integer truncation, heap overflow via multi-frame loop accounting, classic missing-bounds-check heap overflow, and zip-slip-to-RCE all become named, transferable patterns. Students recognize the bug shapes by inspecting the academy-original CVE-trigger captures (5 entries in the /pcap-tools/ catalog under the cve-quartet-2026-05/ prefix; each carries a warning badge plus range-instrument fingerprints) alongside post-patch Wireshark for safe dissection.
  2. Defend their organization: write Suricata and Snort 3 rules that detect malformed traffic of the relevant shape, configure capture-file sandboxing for untrusted .pcapng files, recommend tshark-versus-Wireshark surface-area trade-offs to colleagues, and decide which analyst-workstation hardening configurations close the relevant code paths without losing legitimate analysis capability.
  3. Reproduce the bug shapes via the RE-101 binary-diff lab cluster (a 4-CVE / 12-hour formal sequence across weeks 9-10 of vca-re-101). Each lab pulls Wireshark 4.6.4 and 4.6.5 builds, walks the git diff at the dissector-source level, and builds patch-diff fluency on the same captures students inspected in the vocabulary module.
  4. Capstone the methodology by chaining a CVE through to a primitive in the ADV-101 capstone arc. CVE-2026-5402 (TLS ECH integer-truncation) is the primitive-richest of the four, which is why vca-adv-101 uses it as the lead capstone candidate. Students who reach this stage have the full pipeline: vocabulary, patch-diff fluency, and the primitive-construction discipline that earns a coordinated-disclosure-grade report.
  5. Discuss the disclosures intelligently with vendors, customers, and the broader security community. Reading a Wireshark advisory and a GitLab issue fluently is itself a Belt-3 skill that downstream pen-test, RE, and SOC roles all assume.

Patch-diff reverse-engineering work (the workflow that produces the vocabulary in the first place) is taught in other courses on the academy ladder. Confusing "I read the walkthrough" with "I can reverse-engineer the patch" is a failure mode the academy warns students against explicitly. See the cross-track linkage table above for the reverse-engineering locus per CVE.

Lab discipline (the --authorized-by reminder)

All hands-on work in this mini-module runs against lab-owned, intentionally-vulnerable Wireshark 4.6.4 and 4.4.14 instances inside the academy fwlab container, or against pre-recorded .pcap and .pcapng files supplied by the instructor. Production Wireshark installations the analyst relies on for legitimate work are never the target. The --authorized-by discipline that vca-adv-101 enforces for the SB6141 capstone applies here unchanged: a written authorization for the specific lab target, a controlled capture-file provenance chain, and explicit refusal to use these techniques against systems the academy does not own.

Read the full handout

The catalog page above distils the handout. The handout itself walks each CVE in structural detail (background, vulnerability shape, trigger conditions, code-level discussion, defensive analysis, pedagogical takeaways), plus a cross-CVE shape-comparison section and a reverse-engineering locus map.

/handouts/cve-lab-wireshark-rce-quartet-2026-05.md →

The companion Suricata rules reference covers one rule template per CVE with detection rationale, false-positive considerations, and tuning notes.

/handouts/cve-suricata-rules-reference-wireshark-quartet-2026-05.md →

The Snort 3 rules reference covers the same four CVEs in Snort 3.x syntax with a side-by-side Snort 3 vs Suricata 7 comparison table.

/handouts/cve-snort3-rules-reference-wireshark-quartet-2026-05.md →

The RE-101 binary-diff lab cluster takes vocabulary work into patch-diff fluency: a 4-CVE / 12-hour formal lab sequence across weeks 9-10 of vca-re-101, comparing 4.6.4 and 4.6.5 dissector source against the same captures students inspect in this module.

/handouts/re-101-cve-quartet-binary-diff-lab-cluster.md →

The ADV-101 capstone arc takes patch-diff fluency into a primitive-construction discipline. CVE-2026-5402 (TLS ECH integer-truncation) is the lead capstone candidate because it is the primitive-richest of the four, and the arc walks the chain from disclosed CVE through to coordinated-disclosure-grade tool and report.

/handouts/adv-101-cve-2026-5402-capstone-arc.md →

The academy /pcap-tools/ catalog hosts the 5 academy-original CVE-trigger captures referenced in §3 Recognize. Each capture carries a warning badge, a range_fingerprint, a capture_timestamp, and a cve_anchor in the v4 manifest at /pcap-tools/fixtures/curated-12-manifest.json.

/pcap-tools/ (CVE-quartet captures + manifest) →

What is a vca-mini-* page?

The vca-mini-* family hosts topical, dated, evergreen-after-disclosure modules too small to be full vca-XXX-NNN courses. Each mini-module distils a single handout (or a tightly-related cluster of handouts) into a catalog page that prospective students, cohort members, and search engines can find. The dated suffix (2026-05) records when the underlying material was disclosed or assembled; the module stays live indefinitely as a curriculum reference. Future vca-mini-* pages will follow this template for other CVE rollups, technique-clinic handouts, and cross-track topical micro-modules. The first member of the family is this page.

Interested in cohort enrollment?

Email interested@virtuscyberacademy.org.