
Lab 10-2: Wireshark CVE Mini-Module


Course: NET-101, Week 10
Time: ~45 minutes (paired with lab-10-1 for one 90-minute session)
Tools: Academy mini-module at /vca-mini-wireshark-cves-2026-05/; handouts
Reading: handouts/cve-lab-wireshark-rce-quartet-2026-05.md


Overview

This lab works through the academy's Wireshark RCE quartet: four CVEs disclosed in May 2026, each representing a different bug class in Wireshark's packet dissectors. You will NOT be executing exploits. You will be reading the vulnerability descriptions, identifying the bug class in each, and mapping each to a defensive lesson.

All captures referenced in this lab are pre-loaded in the pcap-tools catalog. They are marked MALFORMED and are safe to analyze in the academy workbench, which runs the dissector in a sandbox. Do not open them in Wireshark on your own workstation; Part 5 returns to why that discipline matters.


Part 1: CVE-2026-5402 -- TLS ECH Integer Truncation (~15 minutes)

Read §1 of handouts/cve-lab-wireshark-rce-quartet-2026-05.md (CVE-2026-5402).

Then load cve-2026-5402-trigger-tls-ech-overflow.pcapng from the pcap-tools catalog. (Note the MALFORMED warning in the catalog entry.)

Apply the display filter tls.handshake.type == 1 to find the ClientHello (handshake message type 1).

  1. Does Wireshark's dissector display any fields from this ClientHello? Or does it show an error?
  2. Look at the raw bytes of the packet (the hex dump in the bottom pane). Can you see the TLS record header bytes \x16\x03 (content type 22 = handshake, followed by the major version byte) at the start of the TCP payload, after the Ethernet, IP and TCP headers?
  3. What bug class is this? (CWE number and name -- find it in the handout's vulnerability table.)
  4. In plain English: what is the specific condition in the crafted ClientHello that triggers the integer truncation?
  5. What field in the legitimate TLS ECH extension was the attacker abusing?

Part 2: CVE-2026-5403 -- SBC Codec Frame-Count Overflow (~10 minutes)

Read §2 of the CVE handout (CVE-2026-5403).

Then load cve-2026-5403-trigger-sbc-rtp-overflow.pcapng from the catalog.

  1. What protocol does this capture carry? (SBC audio over what transport?)
  2. How many RTP frames are in the capture?
  3. What is the bug class? What is the fixed-size buffer that overflows?
  4. Why is a 64-frame RTP capture a trigger if the buffer is only 8192 bytes? (Explain the frame-count accounting failure in one sentence.)

Part 3: CVE-2026-5405 -- RDP ZGFX Missing Bounds Check (~10 minutes)

Read §3 of the CVE handout (CVE-2026-5405).

Then load cve-2026-5405-trigger-rdp-zgfx-overflow.pcapng from the catalog.

  1. What value does the ZGFX header claim for uncompressedSize?
  2. Why does that value trigger the bug? (What is the maximum that fits in the buffer the post-patch code allocates?)
  3. This is called a "classic missing-bounds-check heap overflow." What specific line of logic was missing to prevent this?
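
Parts 1 to 3 each name a length-accounting failure in a dissector. The C program below is an added illustration written for this page; it is not Wireshark's code and not the dissectors described in the handout. The wire layouts, the function names (ext_vuln, frames_vuln, zgfx_vuln and their _fixed counterparts), the 200-byte frame size and the sample packets are constructed for the example; the 8192-byte buffer and the 64-frame count come from Part 2. A small accounting struct (out_t) stands in for the heap buffer so that the vulnerable versions can be executed without corrupting memory: it only records whether a write would have run past the end.

```c
#include <stdbool.h>
#include <stdint.h>
#include <stdio.h>

/* Generic illustrations of the length-accounting failures named in Parts 1-3.
 * NOT Wireshark's dissector code; wire layouts and sizes are constructed for
 * the example. out_t stands in for a fixed 8192-byte heap buffer: instead of
 * corrupting memory it records whether a write would have run past the end. */
#define BUF_CAP 8192u

typedef struct {
    size_t cap;         /* bytes the buffer really holds */
    size_t used;        /* bytes written so far */
    bool   overflowed;  /* set when a write would have exceeded cap */
} out_t;

/* Stand-in for memcpy into the buffer: accounts, never writes. */
static void out_write(out_t *o, size_t n) { if (n > o->cap - o->used) o->overflowed = true; else o->used += n; }

static uint32_t be32(const uint8_t *p) {
    return ((uint32_t)p[0] << 24) | ((uint32_t)p[1] << 16) | ((uint32_t)p[2] << 8) | p[3];
}
static uint16_t be16(const uint8_t *p) { return (uint16_t)((p[0] << 8) | p[1]); }

/* Part 1 shape, integer truncation. Layout: [len:4 BE][payload]. The bounds
 * check runs on a 16-bit copy of the length, the write uses the full value. */
static bool ext_vuln(const uint8_t *p, size_t n, out_t *o) {
    if (n < 4) return false;
    uint32_t declared = be32(p);
    uint16_t checked = (uint16_t)declared;         /* 0x00010100 becomes 0x0100 */
    if (checked > o->cap - o->used) return false;  /* 256 <= 8192, passes */
    out_write(o, declared);                        /* 65792 bytes, overflow */
    return true;
}
static bool ext_fixed(const uint8_t *p, size_t n, out_t *o) {
    if (n < 4) return false;
    uint32_t declared = be32(p);                   /* checked and used at one width */
    if (declared > n - 4 || declared > o->cap - o->used) return false;
    out_write(o, declared);
    return true;
}

/* Part 2 shape, frame-count accounting. Layout: [count:1][size:2 BE][frames].
 * Each frame fits on its own; the loop never checks the running total. */
static bool frames_vuln(const uint8_t *p, size_t n, out_t *o) {
    if (n < 3) return false;
    uint8_t count = p[0];
    uint16_t size = be16(p + 1);
    if (size > o->cap) return false;               /* per-frame check only */
    for (unsigned i = 0; i < count; i++) out_write(o, size);
    return true;
}
static bool frames_fixed(const uint8_t *p, size_t n, out_t *o) {
    if (n < 3) return false;
    uint8_t count = p[0];
    uint16_t size = be16(p + 1);
    size_t total = (size_t)count * size;           /* 64 * 200 = 12800, full width */
    if (total > n - 3 || total > o->cap - o->used) return false;
    for (unsigned i = 0; i < count; i++) out_write(o, size);
    return true;
}

/* Part 3 shape, trusted header field. Layout: [uncompressed:4 BE][body]. The
 * decompressor writes what the header claims; the fix is the one comparison. */
static bool zgfx_vuln(const uint8_t *p, size_t n, out_t *o) {
    if (n < 4) return false;
    out_write(o, be32(p)); return true;            /* no check at all */
}
static bool zgfx_fixed(const uint8_t *p, size_t n, out_t *o) {
    if (n < 4) return false;
    uint32_t claimed = be32(p);
    if (claimed > o->cap - o->used) return false;  /* the missing bounds check */
    out_write(o, claimed);
    return true;
}

/* Constructed inputs: headers only, except the well-formed SBC packet. */
static const uint8_t PKT_EXT[4] = {0x00, 0x01, 0x01, 0x00};     /* len 65792 */
static const uint8_t PKT_SBC[3] = {64, 0x00, 0xC8};             /* 64 frames x 200 B */
static const uint8_t PKT_SBC_OK[3 + 4 * 200] = {4, 0x00, 0xC8}; /* 4 frames x 200 B */
static const uint8_t PKT_ZGFX[4] = {0x00, 0x00, 0x40, 0x00};    /* claims 16384 B */
static const uint8_t PKT_ZGFX_OK[4] = {0x00, 0x00, 0x10, 0x00}; /* claims 4096 B */
typedef bool (*parser_fn)(const uint8_t *, size_t, out_t *);

/* 1 = overflowed the buffer, 0 = completed inside it, -1 = input rejected. */
static int run(parser_fn f, const uint8_t *p, size_t n) {
    out_t o = {BUF_CAP, 0, false};
    if (!f(p, n, &o)) return -1;
    return o.overflowed ? 1 : 0;
}

int main(void) {
    printf("truncation   vuln=%d fixed=%d\n", run(ext_vuln, PKT_EXT, sizeof PKT_EXT), run(ext_fixed, PKT_EXT, sizeof PKT_EXT));
    printf("frame count  vuln=%d fixed=%d well-formed=%d\n", run(frames_vuln, PKT_SBC, sizeof PKT_SBC),
           run(frames_fixed, PKT_SBC, sizeof PKT_SBC), run(frames_fixed, PKT_SBC_OK, sizeof PKT_SBC_OK));
    printf("claimed size vuln=%d fixed=%d\n", run(zgfx_vuln, PKT_ZGFX, sizeof PKT_ZGFX), run(zgfx_fixed, PKT_ZGFX, sizeof PKT_ZGFX));
    return 0;
}
```

Each vulnerable shape returns 1 (the accounting struct saw a write past 8192 bytes) and each fixed shape returns -1 (the input is refused before anything is written); the well-formed four-frame packet and the 4096-byte claim go through the fixed versions cleanly. The fixed versions all do the same thing in different places: compare the number of bytes about to be written, computed at full width, against both the bytes actually present in the packet and the space left in the buffer.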

Part 4: CVE-2026-5656 -- Profile ZIP Slip (~10 minutes)

Read §4 of the CVE handout (CVE-2026-5656).

This CVE does not involve a network capture; it uses a crafted ZIP file.

  1. What is "zip slip"? What general file-operation vulnerability class does it represent?
  2. What path does the malicious ZIP entry use to escape the profile directory?
  3. Why does this trigger code execution rather than just arbitrary file write?
  4. The loopback capture (cve-2026-5656-trigger-profile-zip-slip-loopback.pcapng) shows ambient traffic during the lab simulation -- NOT the trigger itself. What does this teach about the relationship between CVEs and network evidence?
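
For Part 4, the defensive counterpart is the check an extractor must run on every entry name before it touches the filesystem. The program below is an added example written for this page, not Wireshark's profile-import code; the function names (zip_entry_is_confined, zip_entry_target), the entry names it tests and the extraction root /tmp/profile-import are constructed for the example. It decides, purely lexically, whether an entry name can escape the extraction directory, counting the depth of real directory components and refusing any name that climbs above zero or that is absolute.

```c
#include <stdbool.h>
#include <stddef.h>
#include <stdio.h>
#include <string.h>

/* Added example of the confinement check that stops "zip slip": deciding
 * whether an archive entry name, resolved purely lexically, stays inside the
 * extraction directory. Generic code, not Wireshark's profile-import routine.
 * Backslashes count as separators because a Windows extractor would honour
 * them, and a leading separator or drive letter marks an absolute path.
 * Assumption: the name is NUL-terminated; a real extractor must use the
 * length from the ZIP header, since an embedded NUL would hide a suffix. */
static bool zip_entry_is_confined(const char *name) {
    if (name[0] == '\0') return false;
    if (name[0] == '/' || name[0] == '\\') return false;   /* absolute path */
    if (name[1] == ':') return false;                      /* C:... drive letter */
    int depth = 0;                                         /* directories below the root */
    const char *p = name;
    while (*p != '\0') {
        const char *start = p;
        while (*p != '\0' && *p != '/' && *p != '\\') p++;
        size_t clen = (size_t)(p - start);
        if (clen == 2 && start[0] == '.' && start[1] == '.') {
            if (--depth < 0) return false;                 /* climbed above the root */
        } else if (clen > 0 && !(clen == 1 && start[0] == '.')) {
            depth++;                                       /* "." and "" do not change depth */
        }
        if (*p != '\0') p++;                               /* skip the separator */
    }
    return true;
}

/* Builds the on-disk path for an entry, refusing unconfined names. Returns
 * false (and writes nothing useful) when the entry must be skipped. */
static bool zip_entry_target(const char *root, const char *name, char *out, size_t out_len) {
    if (!zip_entry_is_confined(name)) return false;
    int n = snprintf(out, out_len, "%s/%s", root, name);
    return n >= 0 && (size_t)n < out_len;
}

int main(void) {
    /* Constructed entry names: the first two are legitimate, the rest escape. */
    const char *samples[] = { "profiles/work/preferences", "profiles/sub/../preferences",
        "../../.config/wireshark/profiles/x", "profiles/../../evil", "/etc/evil",
        "C:\\evil", "a\\..\\..\\evil" };
    char path[256];
    for (size_t i = 0; i < sizeof samples / sizeof samples[0]; i++) {
        bool ok = zip_entry_target("/tmp/profile-import", samples[i], path, sizeof path);
        printf("%-36s -> %s\n", samples[i], ok ? path : "REJECTED");
    }
    return 0;
}
```

The check is lexical only. It has to be paired with an extractor that refuses to follow symlinks already present in the target directory, or written by an earlier entry of the same archive, because a symlink entry followed by a file entry through it reaches outside the root without a single ".." in either name.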

Part 5: Cross-CVE synthesis (~5 minutes)

  1. Fill in this table:

     CVE             Bug class    Protocol/surface    Attacker input    Defensive measure
     CVE-2026-5402
     CVE-2026-5403
     CVE-2026-5405
     CVE-2026-5656

  2. One theme appears in CVE-2026-5402, 5403, and 5405. What is it?
  3. The academy's capture-file sandboxing discipline says: ".pcapng files of unknown provenance go in a disposable container, never into the analyst's primary Wireshark workstation." Which specific CVE makes this most directly relevant?

Artifact

Create lab-10-2.md in your net-101/ Git repo with:

  • Answers to all questions
  • The cross-CVE synthesis table

Commit with a meaningful commit message (can be combined with the lab-10-1 commit).