2 files changed, 66 insertions, 0 deletions
diff --git a/meta-networking/recipes-support/wireshark/files/CVE-2026-0959.patch b/meta-networking/recipes-support/wireshark/files/CVE-2026-0959.patch
new file mode 100644
index 0000000000..a7aeb80610
--- /dev/null
+++ b/meta-networking/recipes-support/wireshark/files/CVE-2026-0959.patch
@@ -0,0 +1,65 @@
+From 4b48ee36f1829d6d3d009bf9871af523ce8e3ace Mon Sep 17 00:00:00 2001
+From: John Thacker <johnthacker@gmail.com>
+Date: Sat, 10 Jan 2026 08:33:35 -0500
+Subject: [PATCH] ieee80211: Avoid using a fixed array for multi-link per-STA
+ subelements
+Since this processes to the end of the TVB, there might be more than 16.
+Simplify the logic and only test for a set link_id in one place. This
+also gets rid of a possible use of an uninitialized value on error.
+Fix #20939, OSS-Fuzz 474458885 
+CVE: CVE-2026-0959
+Upstream-Status: Backport [https://gitlab.com/wireshark/wireshark/-/commit/4b48ee36f1829d6d3d009bf9871af523ce8e3ace]
+Signed-off-by: Hitendra Prajapati <hprajapati@mvista.com>
+---
+ epan/dissectors/packet-ieee80211.c | 12 ++----------
+ 1 file changed, 2 insertions(+), 10 deletions(-)
+diff --git a/epan/dissectors/packet-ieee80211.c b/epan/dissectors/packet-ieee80211.c
+index 0371e21..15e89f7 100644
+--- a/epan/dissectors/packet-ieee80211.c
+++ b/epan/dissectors/packet-ieee80211.c
+@@ -27911,7 +27911,7 @@ dissect_multi_link(tvbuff_t *tvb, packet_info *pinfo _U_, proto_tree *tree,
+   guint8 multi_link_type = multi_link_control & 0x0007;
+   guint16 present = multi_link_control >> 4;
+   int elt = 0, hf_index;
+-  int local_link_ids[16];
+  wmem_strbuf_t *link_id_list = wmem_strbuf_create(pinfo->pool);
+ 
+   control = proto_tree_add_item(tree, hf_ieee80211_eht_multi_link_control, tvb,
+                                 offset, 2, ENC_LITTLE_ENDIAN);
+@@ -28194,9 +28194,6 @@ dissect_multi_link(tvbuff_t *tvb, packet_info *pinfo _U_, proto_tree *tree,
+                                            multi_link_type, &link_id);
+ 
+       offset += overhead; /* Account for the overhead in the subelt */
+-      if (link_id != -1) {
+-        local_link_ids[elt] = link_id;
+-      }
+       break;
+     case 221:
+       /* Add an expert info saying there are none so far? */
+@@ -28207,18 +28204,13 @@ dissect_multi_link(tvbuff_t *tvb, packet_info *pinfo _U_, proto_tree *tree,
+       break;
+     }
+     if (link_id != -1) {
+      wmem_strbuf_append_printf(link_id_list, (elt == 0) ? "%d" : "_%d", link_id);
+       elt++;
+     }
+   }
+   proto_tree_add_uint(tree, hf_index, tvb, 0, 0, elt);
+ 
+   if (elt) {
+-    wmem_strbuf_t *link_id_list = wmem_strbuf_new_sized(pinfo->pool, elt * 2);
+-    for (int i = 0; i < elt; i++) {
+-      if (local_link_ids[i] != -1) {
+-        wmem_strbuf_append_printf(link_id_list, (i == 0) ? "%d" : "_%d", local_link_ids[i]);
+-      }
+-    }
+     proto_tree_add_string(tree, hf_ieee80211_eht_multi_link_link_id_list, tvb,
+                           0, 0, link_id_list->str);
+   }
+-- 
+2.50.1
diff --git a/meta-networking/recipes-support/wireshark/wireshark_4.2.14.bb b/meta-networking/recipes-support/wireshark/wireshark_4.2.14.bb
index c313075ea4..d03b86775e 100644
--- a/meta-networking/recipes-support/wireshark/wireshark_4.2.14.bb
+++ b/meta-networking/recipes-support/wireshark/wireshark_4.2.14.bb
@@ -15,6 +15,7 @@ SRC_URI = "https://1.eu.dl.wireshark.org/src/all-versions/wireshark-${PV}.tar.xz
           file://0001-UseLemon.cmake-do-not-use-lemon-data-from-the-host.patch \
           file://CVE-2025-9817.patch \
           file://CVE-2025-13499.patch \
+           file://CVE-2026-0959.patch \
           "
 UPSTREAM_CHECK_URI = "https://1.as.dl.wireshark.org/src/all-versions"

diff --git a/meta-networking/recipes-support/wireshark/files/CVE-2026-0959.patch b/meta-networking/recipes-support/wireshark/files/CVE-2026-0959.patch new file mode 100644 index 0000000000..a7aeb80610 --- /dev/null +++ b/meta-networking/recipes-support/wireshark/files/CVE-2026-0959.patch
@@ -0,0 +1,65 @@
		1	From 4b48ee36f1829d6d3d009bf9871af523ce8e3ace Mon Sep 17 00:00:00 2001
		2	From: John Thacker <johnthacker@gmail.com>
		3	Date: Sat, 10 Jan 2026 08:33:35 -0500
		4	Subject: [PATCH] ieee80211: Avoid using a fixed array for multi-link per-STA
		5	subelements
		6
		7	Since this processes to the end of the TVB, there might be more than 16.
		8	Simplify the logic and only test for a set link_id in one place. This
		9	also gets rid of a possible use of an uninitialized value on error.
		10
		11	Fix #20939, OSS-Fuzz 474458885
		12
		13	CVE: CVE-2026-0959
		14	Upstream-Status: Backport [https://gitlab.com/wireshark/wireshark/-/commit/4b48ee36f1829d6d3d009bf9871af523ce8e3ace]
		15	Signed-off-by: Hitendra Prajapati <hprajapati@mvista.com>
		16	---
		17	epan/dissectors/packet-ieee80211.c \| 12 ++----------
		18	1 file changed, 2 insertions(+), 10 deletions(-)
		19
		20	diff --git a/epan/dissectors/packet-ieee80211.c b/epan/dissectors/packet-ieee80211.c
		21	index 0371e21..15e89f7 100644
		22	--- a/epan/dissectors/packet-ieee80211.c
		23	+++ b/epan/dissectors/packet-ieee80211.c
		24	@@ -27911,7 +27911,7 @@ dissect_multi_link(tvbuff_t tvb, packet_info pinfo _U_, proto_tree *tree,
		25	guint8 multi_link_type = multi_link_control & 0x0007;
		26	guint16 present = multi_link_control >> 4;
		27	int elt = 0, hf_index;
		28	- int local_link_ids[16];
		29	+ wmem_strbuf_t *link_id_list = wmem_strbuf_create(pinfo->pool);
		30
		31	control = proto_tree_add_item(tree, hf_ieee80211_eht_multi_link_control, tvb,
		32	offset, 2, ENC_LITTLE_ENDIAN);
		33	@@ -28194,9 +28194,6 @@ dissect_multi_link(tvbuff_t tvb, packet_info pinfo _U_, proto_tree *tree,
		34	multi_link_type, &link_id);
		35
		36	offset += overhead; /* Account for the overhead in the subelt */
		37	- if (link_id != -1) {
		38	- local_link_ids[elt] = link_id;
		39	- }
		40	break;
		41	case 221:
		42	/* Add an expert info saying there are none so far? */
		43	@@ -28207,18 +28204,13 @@ dissect_multi_link(tvbuff_t tvb, packet_info pinfo _U_, proto_tree *tree,
		44	break;
		45	}
		46	if (link_id != -1) {
		47	+ wmem_strbuf_append_printf(link_id_list, (elt == 0) ? "%d" : "_%d", link_id);
		48	elt++;
		49	}
		50	}
		51	proto_tree_add_uint(tree, hf_index, tvb, 0, 0, elt);
		52
		53	if (elt) {
		54	- wmem_strbuf_t link_id_list = wmem_strbuf_new_sized(pinfo->pool, elt 2);
		55	- for (int i = 0; i < elt; i++) {
		56	- if (local_link_ids[i] != -1) {
		57	- wmem_strbuf_append_printf(link_id_list, (i == 0) ? "%d" : "_%d", local_link_ids[i]);
		58	- }
		59	- }
		60	proto_tree_add_string(tree, hf_ieee80211_eht_multi_link_link_id_list, tvb,
		61	0, 0, link_id_list->str);
		62	}
		63	--
		64	2.50.1
		65


diff --git a/meta-networking/recipes-support/wireshark/wireshark_4.2.14.bb b/meta-networking/recipes-support/wireshark/wireshark_4.2.14.bb index c313075ea4..d03b86775e 100644 --- a/meta-networking/recipes-support/wireshark/wireshark_4.2.14.bb +++ b/meta-networking/recipes-support/wireshark/wireshark_4.2.14.bb
@@ -15,6 +15,7 @@ SRC_URI = "https://1.eu.dl.wireshark.org/src/all-versions/wireshark-${PV}.tar.xz
15	file://0001-UseLemon.cmake-do-not-use-lemon-data-from-the-host.patch \	15	file://0001-UseLemon.cmake-do-not-use-lemon-data-from-the-host.patch \
16	file://CVE-2025-9817.patch \	16	file://CVE-2025-9817.patch \
17	file://CVE-2025-13499.patch \	17	file://CVE-2025-13499.patch \
		18	file://CVE-2026-0959.patch \
18	"	19	"
19		20
20	UPSTREAM_CHECK_URI = "https://1.as.dl.wireshark.org/src/all-versions"	21	UPSTREAM_CHECK_URI = "https://1.as.dl.wireshark.org/src/all-versions"