Wireshark, the world’s most widely deployed open-source network protocol analyzer, has released version 4.6.5, a critical security update that addresses over 40 vulnerabilities, including four flaws that can enable arbitrary code execution via malformed packet injection and malicious capture files.
Security teams, network engineers, and SOC analysts relying on Wireshark for live traffic capture, digital forensics, and protocol analysis must apply this update immediately to avoid potential system compromise.
Wireshark 4.6.5 Patches 40+ Flaws
The sheer scope of Wireshark 4.6.5 sets it apart from routine maintenance updates. The Wireshark security team has acknowledged that this unusually large batch of vulnerability fixes is partly attributable to a growing trend of AI-assisted vulnerability reporting, which dramatically accelerated the simultaneous discovery of security weaknesses across dozens of protocol modules.
This marks a landmark moment in open-source security tooling: AI is now being weaponized to find bugs at a scale and speed that manual audits cannot match, raising the urgency for vendors to respond with equally accelerated patch cycles.
The most severe flaws in Wireshark 4.6.5 go beyond simple crashes; they can lead to remote code execution (RCE), allowing an attacker to run arbitrary code on the analyst’s machine. Four components are directly affected:
- TLS Dissector (CVE-2026-5402) – A crash with possible code execution when parsing malformed TLS handshake traffic (wnpa-sec-2026-14)
- SBC Audio Codec (CVE-2026-5403) – A crash with possible code execution in the Sub-Band Coding audio processor (wnpa-sec-2026-16)
- RDP Dissector (CVE-2026-5405) – A crash with possible code execution when dissecting Remote Desktop Protocol packets (wnpa-sec-2026-17)
- Profile Import Handler (CVE-2026-5656) – A crash with possible code execution triggered during Wireshark configuration profile import operations (wnpa-sec-2026-21)
These vulnerabilities are especially dangerous in enterprise and SOC environments where Wireshark is routinely executed with elevated privileges.
Successful exploitation in such contexts could grant an attacker full system-level access, turning a routine packet capture session into a critical breach point.
Denial-of-Service via Dissector Crashes
A significant portion of the 40+ patched flaws cause application crashes when individual protocol dissectors process adversarially crafted or malformed packets, a classic vector that requires no authentication. Affected dissectors span a diverse range of protocols critical to enterprise and industrial environments:
- Network Protocols: Monero (CVE-2026-5409), BT-DHT (CVE-2026-5408), FC-SWILS (CVE-2026-5406), ICMPv6 (CVE-2026-5299), AFP (CVE-2026-5401)
- File Parsers & Codecs: K12 RF5 file parser (CVE-2026-5404), AMR-NB codec (CVE-2026-5654), SDP (CVE-2026-5655), iLBC audio codec (CVE-2026-5657, CVE-2026-6529)
- Application Protocols: BEEP (CVE-2026-6538), ZigBee (CVE-2026-6537), Kismet (CVE-2026-6532), RTSP (CVE-2026-6526), MySQL (CVE-2026-6524), HTTP (CVE-2026-6868), WebSocket (CVE-2026-6869), IEEE 802.11 (CVE-2026-6525)
Any attacker on the same network segment can trigger these crashes by injecting specially crafted packets, with no credentials or prior access required. Given that many of these protocols are used in OT/ICS, wireless, and multimedia environments, the attack surface is exceptionally broad.
Several vulnerabilities cause infinite loops rather than immediate crashes, resulting in a hung Wireshark and sustained denial-of-service conditions that consume system resources. Affected components include:
- SMB2 Dissector (CVE-2026-5407) – Infinite loop triggered by malformed SMB2 traffic (wnpa-sec-2026-11)
- Additional infinite loop flaws affect: DLMS/COSEM (CVE-2026-6536), USB HID (CVE-2026-6534), SANE (CVE-2026-6531), GNW (CVE-2026-6523), OpenFlow v5 (CVE-2026-6521), OpenFlow v6 (CVE-2026-6520), MBIM (CVE-2026-6519), RPKI-Router (CVE-2026-6522), and the TLS Dissector (CVE-2026-6528)
These loop-based flaws are particularly devastating in automated traffic capture pipelines and SIEM-integrated Wireshark deployments, where the tool runs unattended, and a single malformed packet can permanently halt all analysis until an operator manually intervenes.
Decompression Engine Vulnerabilities
Two critical flaws target Wireshark’s core dissection engine rather than individual protocol parsers, substantially widening the attack surface to any protocol relying on compressed payloads:
- zlib Decompression Crash (CVE-2026-6535) – Malformed compressed payloads corrupt the zlib decompression pipeline; tracked as Issues #21097 and #21098 (wnpa-sec-2026-26)
- LZ77 Decompression Crash (CVE-2026-6533) – A crash triggered by malformed LZ77-compressed data during packet dissection (wnpa-sec-2026-28)
Because compression is embedded in dozens of higher-level protocols, these engine-level vulnerabilities could be exploited across a far wider range of traffic scenarios than any single dissector flaw.
Affected Versions and Patch Guidance
| Component | Vulnerability Type | CVE Examples |
|---|---|---|
| TLS, RDP, SBC, Profile Import | Crash + Possible Code Execution | CVE-2026-5402, 5403, 5405, 5656 |
| SMB2, TLS, MBIM, OpenFlow | Infinite Loop / DoS | CVE-2026-5407, 6528, 6519, 6521 |
| 20+ Protocol Dissectors | Dissector Crash / DoS | CVE-2026-5299 through CVE-2026-6870 |
| Dissection Engine | zlib/LZ77 Decompression Crash | CVE-2026-6535, CVE-2026-6533 |
Alongside 4.6.5, the Wireshark team released version 4.4.15 with parallel fixes for users on the older stable branch. The team also patched a sharkd utility memory leak (wnpa-sec-2026-47) and an additional sharkd crash (wnpa-sec-2026-48) affecting automated analysis workflows.
Remediation Steps
Organizations must treat this update as a critical priority, particularly those running Wireshark in live capture, SIEM-integrated, or elevated-privilege configurations. Recommended actions include:
- Update immediately to Wireshark 4.6.5 via the official Wireshark download page or your OS package manager
- Audit privileges: avoid running Wireshark as root or SYSTEM unless operationally necessary
- Restrict capture file ingestion from untrusted sources until all endpoints are patched
- Deploy endpoint monitoring for anomalous Wireshark process behavior targeting SOC workstations
- Validate SIEM pipeline integrity for any automated Wireshark-based capture environments
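The first two remediation steps in working form, as an added example that is not part of the original advisory: a Python check that classifies a host's TShark/Wireshark version against the patched floors named above (4.6.5 on the 4.6 branch, 4.4.15 on the 4.4 branch) and flags a capture process running as root. The sample banners are constructed, and the assumption that branches newer than 4.6 already carry the fixes is mine, not the page's.

```python
import os
import re
import subprocess
from typing import Optional, Tuple

Version = Tuple[int, int, int]

# Minimum patched release per stable branch, as given in the advisory text above.
PATCHED_FLOORS = {(4, 6): (4, 6, 5), (4, 4): (4, 4, 15)}

VERSION_RE = re.compile(r"\b(\d+)\.(\d+)\.(\d+)\b")


def parse_version(banner: str) -> Optional[Version]:
    """Pull the first x.y.z version out of a `tshark --version` / `wireshark --version` banner."""
    m = VERSION_RE.search(banner)
    return tuple(int(x) for x in m.groups()) if m else None  # type: ignore[return-value]


def is_patched(version: Version) -> bool:
    """True if the release carries the wnpa-sec-2026 fixes: 4.6.x needs >= 4.6.5, 4.4.x needs >= 4.4.15.
    Assumption (mine): branches newer than 4.6 include the fixes; branches older than 4.4
    have no patched release listed on the page and are treated as vulnerable."""
    branch = version[:2]
    floor = PATCHED_FLOORS.get(branch)
    if floor is None:
        return branch > (4, 6)
    return version >= floor


def assess(banner: str) -> Tuple[str, Optional[Version]]:
    """Classify a version banner as 'patched', 'vulnerable' or 'unknown' (no version found)."""
    v = parse_version(banner)
    if v is None:
        return "unknown", None
    return ("patched" if is_patched(v) else "vulnerable"), v


def local_tshark_banner() -> Optional[str]:
    """First line of `tshark --version` on this host, or None if tshark is not installed."""
    try:
        out = subprocess.run(["tshark", "--version"], capture_output=True, text=True, timeout=10)
    except (OSError, subprocess.TimeoutExpired):
        return None
    return out.stdout.splitlines()[0] if out.stdout else None


if __name__ == "__main__":
    banner = local_tshark_banner()
    status, version = assess(banner or "")
    print(f"tshark banner: {banner!r} -> {status} (version {version})")
    # Privilege audit from the remediation list: a code-execution flaw in a dissector
    # running as root hands over the whole host, so flag that configuration.
    if hasattr(os, "geteuid") and os.geteuid() == 0:
        print("WARNING: running as root; move captures to an unprivileged account")
```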
The AI-assisted discovery trend that drove this unprecedented batch of fixes signals that vulnerability disclosure rates for complex open-source tools will continue to accelerate.
Security teams should anticipate faster patch cycles and integrate continuous update automation for foundational analysis tools, such as Wireshark, into their vulnerability management programs.
FAQ
Q1: What is the most critical vulnerability in Wireshark 4.6.5?
The TLS Dissector flaw (CVE-2026-5402) and RDP Dissector flaw (CVE-2026-5405) are the most severe, both enabling possible remote code execution through malformed packet parsing.
Q2: Which Wireshark versions are affected, and what should users upgrade to?
All Wireshark versions before 4.6.5 and 4.4.15 are vulnerable, and users must immediately upgrade to the latest patched release from the official Wireshark website.
Q3: Can these vulnerabilities be exploited remotely without authentication?
Yes, attackers on the same network segment can trigger dissector crashes and infinite loops by injecting specially crafted packets requiring no prior authentication or system access.
Q4: Why were so many vulnerabilities found in a single Wireshark release?
The Wireshark team attributes this unusually large batch of fixes to an emerging trend of AI-assisted vulnerability reporting, which rapidly accelerated bug discovery across multiple protocol modules.
Site: https://thecybrdef.com