Wireshark patches code execution and denial-of-service flaws in major security update
Wireshark has released version 4.6.5 to fix more than 40 security issues across its packet dissectors, file parsers, codecs, decompression routines, and supporting utilities.
The most serious flaws can cause crashes with possible code execution when Wireshark processes malformed traffic, malicious packet captures, or crafted import data.
Security teams, network analysts, SOC operators, and anyone using Wireshark for packet inspection should update to Wireshark 4.6.5. Users on the 4.4 branch should move to 4.4.15, which carries the fixes for the advisories that also affect that branch.
Wireshark 4.6.5 fixes a large batch of vulnerabilities
The update covers a wide range of protocols and components. The Wireshark team said the release fixes many vulnerabilities, partly due to a recent rise in AI-assisted vulnerability reports.
Four advisories stand out because they mention crashes with possible code execution. These affect the TLS dissector, SBC codec, RDP dissector, and profile import functionality.
Many other flaws can crash Wireshark, trigger infinite loops, or exhaust resources. These bugs still matter because Wireshark often processes untrusted network traffic and capture files during incident response.
At a glance
| Category | Details |
|---|---|
| Product | Wireshark |
| Fixed version | Wireshark 4.6.5 |
| Also fixed for 4.4 branch | Wireshark 4.4.15 for many advisories |
| Main risk | Crashes, infinite loops, resource exhaustion, and possible code execution |
| Most serious affected areas | TLS, SBC, RDP, and profile import |
| Attack path | Malformed packets, crafted capture files, or malicious imported profile data |
| Who should update | Network analysts, SOC teams, forensic teams, administrators, and regular Wireshark users |
Possible code execution flaws require fast patching
The TLS dissector issue, tracked as CVE-2026-5402, can cause a crash with possible code execution when Wireshark handles malformed TLS data.
The SBC codec issue, tracked as CVE-2026-5403, creates another crash with possible code execution risk inside the audio codec processing path.
The RDP dissector flaw, tracked as CVE-2026-5405, affects Remote Desktop Protocol traffic parsing. A separate profile import flaw, tracked as CVE-2026-5656, can trigger a crash with possible code execution during profile import operations.
Key code execution risks
| CVE | Component | Issue |
|---|---|---|
| CVE-2026-5402 | TLS dissector | Crash with possible code execution |
| CVE-2026-5403 | SBC codec | Crash with possible code execution |
| CVE-2026-5405 | RDP dissector | Crash with possible code execution |
| CVE-2026-5656 | Profile import | Crash with possible code execution |
Denial-of-service flaws cover many protocol dissectors
Most of the remaining advisories involve crashes or infinite loops in protocol dissectors. An attacker may trigger these issues by getting Wireshark to process specially crafted packets or capture files.
The affected protocol list includes Monero, BT-DHT, FC-SWILS, ICMPv6, AFP, AMR-NB, SDP, iLBC, DCP-ETSI, BEEP, ZigBee, Kismet, ASN.1 PER, RTSP, IEEE 802.11, MySQL, GSM RP, WebSocket, SMB2, HTTP, and others.
For analysts, this creates risk during normal work. A malicious capture file from a compromised environment could crash Wireshark or stall analysis during an investigation.
Infinite loop flaws can freeze analysis
Several vulnerabilities can force Wireshark into infinite loops. These bugs may not give attackers code execution, but they can still disrupt live monitoring and automated analysis pipelines.
The affected components include SMB2, DLMS/COSEM, USB HID, SANE, GNW, OpenFlow v5, OpenFlow v6, MBIM, RPKI-Router, TLS, and UDS.
This matters for organizations that use Wireshark tools in repeatable workflows. One malformed packet or capture file could stop processing until an analyst intervenes.
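A defender's answer to the pipeline-stall problem described above is to bound every capture-processing job so that one hung dissector costs one job rather than the whole queue. The following POSIX shell wrapper is an added example, not code from the article or from the Wireshark project; it assumes GNU coreutils `timeout` is installed and that the shell's `ulimit -v` works (Linux dash and bash), and the `process_captures` limits and log format are illustrative choices, not Wireshark defaults.

```shell
#!/bin/sh
# Added example, not from the article or the Wireshark project: run one
# capture-processing job under a wall-clock limit and an address-space limit,
# so that a dissector stuck in an infinite loop or allocating without bound
# stalls only that job instead of the whole pipeline. Assumes GNU coreutils
# `timeout` and a shell whose `ulimit -v` works (Linux dash/bash do).

# run_bounded SECONDS MEMORY_KB COMMAND [ARGS...]
# Exit status: COMMAND's own status, or 124 when the time limit was hit
# (timeout's convention). SIGKILL follows 5 s after SIGTERM if the job
# ignores the first signal.
run_bounded() {
    secs=$1
    mem_kb=$2
    shift 2
    (
        ulimit -v "$mem_kb" 2>/dev/null ||
            echo "warning: could not set address-space limit" >&2
        exec timeout -k 5 "$secs" "$@"
    )
}

# Process every capture in a directory, recording which ones hung or crashed
# so an analyst can inspect them later instead of the pipeline blocking on one.
# The 300 s / 4 GB (4194304 KB) figures in the usage note are site-specific
# assumptions, not values from the advisory.
process_captures() {
    dir=$1
    secs=$2
    mem_kb=$3
    log=$4
    for f in "$dir"/*.pcap "$dir"/*.pcapng; do
        [ -e "$f" ] || continue
        rc=0
        # -q suppresses per-packet output; -z io,phs asks for protocol
        # hierarchy statistics, which forces every dissector to run.
        run_bounded "$secs" "$mem_kb" tshark -r "$f" -q -z io,phs >/dev/null 2>&1 || rc=$?
        case $rc in
            0)   echo "ok   $f" >>"$log" ;;
            124) echo "HUNG $f (killed after ${secs}s)" >>"$log" ;;
            *)   echo "FAIL $f (exit $rc)" >>"$log" ;;
        esac
    done
}

# Demonstration with a stand-in job (sleep) instead of a real capture so the
# script runs without tshark: a job that overruns its 1 s budget is cut off.
rc=0
run_bounded 1 4194304 sleep 10 || rc=$?
echo "stand-in job that ran too long exited with status $rc"
```

In a real pipeline the call would be something like `process_captures /captures/incoming 300 4194304 /var/log/capture-sweep.log`; files logged as `HUNG` are exactly the ones worth a closer look on an isolated workstation, since a capture that reliably stalls a patched tshark is either pathological or crafted.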
Decompression bugs widen the attack surface
Wireshark 4.6.5 also fixes crashes in the dissection engine itself, including zlib decompression and LZ77 decompression issues.
Engine-level decompression flaws can affect more than one protocol because multiple parsers may rely on shared decompression logic.
That makes these fixes important even for users who do not inspect the specific protocols named in the other advisories.
What attackers could target
- Live packet captures on a shared network segment
- Packet capture files shared with analysts during incident response
- Malformed protocol traffic designed to trigger dissector crashes
- Compressed payloads handled by Wireshark’s dissection engine
- Imported Wireshark profiles prepared by an attacker
- Automated capture processing jobs that run without human review
Why SOC and forensic teams face higher risk
Wireshark often runs in environments where analysts inspect unknown traffic. That makes the tool valuable, but it also means it regularly handles data from untrusted sources.
Forensic teams may open packet captures from infected networks, malware sandboxes, honeypots, or third parties. If a capture file contains crafted traffic, the analyst’s workstation becomes part of the risk path.
Organizations should avoid running Wireshark with unnecessary elevated privileges. They should also isolate analysis workstations from sensitive production systems where possible.
Recommended actions
- Update Wireshark to version 4.6.5 as soon as possible.
- Use Wireshark 4.4.15 if your organization remains on the 4.4 branch.
- Do not open packet captures from unknown sources on high-value workstations.
- Avoid running Wireshark as administrator or root unless a task requires it.
- Process suspicious captures in an isolated analysis environment.
- Review automated packet-processing pipelines for outdated Wireshark tools.
- Update related command-line utilities, including tshark and sharkd, where deployed.
- Check package manager repositories if Wireshark comes from a Linux distribution vendor.
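The version sweep implied by the list above can be scripted. The POSIX shell snippet below is an added example, not code from the article or from the Wireshark project; it compares an installed build against the two fixed releases the advisory names (4.6.5 on the 4.6 branch, 4.4.15 on the 4.4 branch) and assumes the first line of `tshark --version` / `wireshark --version` has the form `TShark (Wireshark) 4.6.4 (v4.6.4-0-g...)`. The sample banners at the bottom are constructed, not output from a real host.

```shell
#!/bin/sh
# Added example, not from the article or the Wireshark project: flag installed
# Wireshark/tshark builds that are older than the fixed releases the advisory
# names (4.6.5 on the 4.6 branch, 4.4.15 on the 4.4 branch). Intended for
# sweeping analyst workstations and automated capture pipelines.

# Pull the first "X.Y.Z" out of a version banner. Assumed banner format, as
# printed by `tshark --version` / `wireshark --version`:
#   "TShark (Wireshark) 4.6.4 (v4.6.4-0-g...)."
extract_version() {
    printf '%s\n' "$1" |
        sed -n 's/^[^0-9]*\([0-9][0-9]*\.[0-9][0-9]*\.[0-9][0-9]*\).*/\1/p' |
        head -n 1
}

# wireshark_needs_update X.Y.Z
# Exit status 0: older than the fixed release for its branch (update needed)
#             1: already at or above the fixed release
#             2: not a 4.6.x or 4.4.x version, so this check cannot judge it
# Sets $fixed_version for callers that want to print it.
wireshark_needs_update() {
    ver=$1
    case "$ver" in
        *.*.*) ;;
        *) return 2 ;;
    esac
    major=${ver%%.*}
    rest=${ver#*.}
    minor=${rest%%.*}
    patch=${rest#*.}
    patch=${patch%%[!0-9]*}        # drop any "-1" packaging suffix
    [ -n "$patch" ] || return 2
    case "$major.$minor" in
        4.6) fixed_version=4.6.5;  fixed_patch=5 ;;
        4.4) fixed_version=4.4.15; fixed_patch=15 ;;
        *)   return 2 ;;
    esac
    if [ "$patch" -lt "$fixed_patch" ]; then
        return 0
    fi
    return 1
}

# Print a one-line verdict for a banner string; always returns 0 so it can be
# used in a loop over many hosts without aborting the sweep.
report_banner() {
    ver=$(extract_version "$1")
    if [ -z "$ver" ]; then
        echo "unparseable banner: $1"
        return 0
    fi
    rc=0
    wireshark_needs_update "$ver" || rc=$?
    case $rc in
        0) echo "$ver: UPDATE NEEDED (fixed in $fixed_version)" ;;
        1) echo "$ver: at or above $fixed_version" ;;
        *) echo "$ver: branch not covered by this check" ;;
    esac
}

# Constructed banners (not output from a real host) showing the three verdicts.
report_banner 'TShark (Wireshark) 4.6.4 (v4.6.4-0-g0000000).'
report_banner 'TShark (Wireshark) 4.4.15 (v4.4.15-0-g0000000).'
report_banner 'Wireshark 3.6.2'

# Then the real thing, if tshark is on PATH.
if command -v tshark >/dev/null 2>&1; then
    report_banner "$(tshark --version 2>/dev/null | head -n 1)"
fi
```

Branches other than 4.6 and 4.4 deliberately get a "not covered" verdict rather than a pass, so an older unsupported install is surfaced instead of silently accepted; distribution packages that backport fixes without bumping the upstream version would need the package manager's own advisory data instead of this check.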
Priority for patch management
| Environment | Recommended priority |
|---|---|
| SOC analyst workstations | High priority, especially if analysts open third-party capture files. |
| Forensic labs | High priority, because labs often inspect hostile traffic. |
| Automated packet processing systems | High priority, because infinite loops and crashes can stop unattended jobs. |
| Developer test systems | Medium to high priority, depending on exposure to untrusted captures. |
| Personal use systems | Update promptly, especially before opening unknown capture files. |
FAQ
Wireshark 4.6.5 fixes the latest batch of vulnerabilities. Many advisories also have fixes in Wireshark 4.4.15 for users on the 4.4 branch.
Several advisories mention crashes with possible code execution, including issues in TLS, SBC, RDP, and profile import handling.
Many Wireshark dissector flaws can trigger when the tool processes malformed packets or crafted capture files. The exact attack path depends on the affected component.
Denial-of-service bugs can crash or freeze packet analysis. This can disrupt investigations, monitoring workflows, and automated capture processing.