In Wireshark 3.0.0 to 3.0.1, 2.6.0 to 2.6.8, and 2.4.0 to 2.4.14, the dissection engine could crash. This was addressed in epan/packet.c by restricting the number of layers and consequently limiting recursion. References: https://bugs.wireshark.org/bugzilla/show_bug.cgi?id=15778 Upstream commit: https://code.wireshark.org/review/gitweb?p=wireshark.git;a=commit;h=7b6e197da4c497e229ed3ebf6952bae5c426a820 External References: https://www.wireshark.org/security/wnpa-sec-2019-19.html
*** Bug 1718140 has been marked as a duplicate of this bug. ***
Statement: During testing we could not reproduce this issue (with a default stack size and the binaries as shipped in our products). It's possible that this issue only manifests itself when using binaries compiled with address sanitizer, which can dramatically increase stack usage. Yet, it also can't be entirely ruled out that there may be a way to exploit this using a method currently unknown to us, thus, this has an impact of Moderate.