Wireshark 4.6.7 Fixes 12 Security Flaws That Can Crash or Hang Packet Analysis


Wireshark 4.6.7 is now available with fixes for 12 security vulnerabilities that can crash the network protocol analyzer, trigger excessive processing loops, expose information, or disrupt capture analysis workflows.

The update addresses advisories wnpa-sec-2026-52 through wnpa-sec-2026-63. The official Wireshark 4.6.7 release notes list flaws in protocol dissectors, capture-file parsers, TLS ECH handling, and the Ciscodump external capture utility.

Users who open untrusted packet captures, malware traffic samples, wireless frames, or third-party capture files should upgrade as soon as practical. Wireshark says affected 4.6.x and 4.4.x versions have been fixed in Wireshark 4.6.7 and 4.4.17.

What Wireshark fixed in version 4.6.7

Wireshark parses many protocols and capture formats, which makes it valuable for troubleshooting and incident response. It also means malformed packets or files can hit fragile parser code inside dissectors and file readers.

The July 8 release fixes crashes in the Catapult DCT2000, SSH, IEEE 802.11, Z39.50, and UMTS FP dissectors. It also fixes parser issues in pcapng and DBS Etherwatch capture files, a BLF file information disclosure flaw, and infinite loops across multiple protocol dissectors.

The Wireshark release announcement confirms that Wireshark 4.6.7 packages are available for Windows, macOS, and source builds, and it provides hashes for the release files.

AdvisoryAffected componentIssue typeLikely impact
wnpa-sec-2026-52Catapult DCT2000 dissectorCrashMalformed traffic or capture data can terminate Wireshark.
wnpa-sec-2026-53pcapng file parserParser crashA crafted pcapng file can crash analysis.
wnpa-sec-2026-54FMP/NOTIFY dissectorLarge loopCrafted input can make Wireshark consume resources.
wnpa-sec-2026-55SSH dissectorCrashMalformed SSH traffic can disrupt packet inspection.
wnpa-sec-2026-56TLS ECH decryptionCrashSpecially crafted TLS ECH data can terminate Wireshark.
wnpa-sec-2026-57IEEE 802.11 dissectorCrashMalformed wireless frames can crash analysis.
wnpa-sec-2026-58Z39.50 dissectorCrashA crafted packet can trigger a crash.
wnpa-sec-2026-59UMTS FP dissectorCrashMalformed UMTS Frame Protocol data can stop analysis.
wnpa-sec-2026-60BLF file parserInformation disclosureA crafted Binary Logging Format file can expose unintended decoded data.
wnpa-sec-2026-61Multiple protocol dissectorsInfinite loopsCrafted packets can make Wireshark hang.
wnpa-sec-2026-62DBS Etherwatch file parserParser crashA malicious capture file can terminate Wireshark.
wnpa-sec-2026-63Ciscodump extcapExternal capture crashA hostile device can potentially crash the external capture interface.

Older Wireshark branches are affected

The individual advisories cover Wireshark 4.6.0 through 4.6.6 and Wireshark 4.4.0 through 4.4.16. Fixed versions are Wireshark 4.6.7 and Wireshark 4.4.17.

The Catapult DCT2000 advisory lists CVE-2026-15174 and says the dissector could crash. Wireshark advises affected users to upgrade to version 4.6.7, 4.4.17, or later.

The same affected-version pattern appears in the Ciscodump advisory, which tracks CVE-2026-15164 and covers a crash in the external capture interface.

  • Wireshark 4.6.0 through 4.6.6 should be upgraded to 4.6.7 or later.
  • Wireshark 4.4.0 through 4.4.16 should be upgraded to 4.4.17 or later.
  • Analysts should avoid opening untrusted captures on unpatched systems.
  • Automated capture-processing workflows should be reviewed for unattended exposure.

Why malicious capture files matter

Many Wireshark users work with untrusted data by design. Incident responders inspect malware traffic, help desks review customer captures, wireless analysts examine frame dumps, and researchers exchange packet samples.

That creates a practical denial-of-service risk. An attacker does not need to compromise a network directly if they can convince an analyst to open a malicious capture file or inspect crafted traffic on a vulnerable version.

The risks range from a simple application crash to a frozen analysis session. In the case of the BLF file parser, the issue involves information disclosure rather than only a crash.

Notable security fixes in the release

Several fixed components stand out because they affect common investigation workflows. The pcapng parser matters because pcapng is a widely used capture format. The IEEE 802.11 dissector matters for wireless investigations, while SSH and TLS ECH parsing affect encrypted-traffic analysis.

The multiple-dissector infinite-loop advisory is also important because it can make Wireshark appear stuck during packet processing. That can slow incident response and force analysts to restart sessions or isolate problematic captures manually.

The Ciscodump advisory adds another angle because it involves an external capture interface. Wireshark says it may be possible to crash it by convincing someone to connect to a hostile device.

Other bugs fixed in Wireshark 4.6.7

Beyond the 12 security advisories, Wireshark 4.6.7 fixes several stability and correctness issues. These include a use-after-free condition in the Ethernet POWERLINK dissector, a heap-buffer overflow in the Android Logcat parser, and a heap-buffer-overflow read in display-filter compilation on a time literal.

The release also fixes a heap-corruption crash involving the saved recent_common file, memory leaks found through fuzzing, and an H.265 parsing problem that caused some packets to appear as malformed.

The release notes say Wireshark 4.6.7 does not add new protocol support, but it updates protocol support for DNS, DCERPC, H.265, IEEE 802.11, SSH, UMTS FP, Z39.50, and several others.

Windows builds and extcap packaging changed

Wireshark 4.6.7 Windows installers are now built with Visual Studio 2026. The update also clarifies a plugin-development change for extcap binaries on Unix-like systems.

On Unix-like systems, except macOS app bundles from the official installer, Wireshark now searches for extcap binaries under the libexec directory by default. Third-party extcap packages may need packaging updates, although the location can be overridden with the WIRESHARK_EXTCAP_DIR environment variable.

The release announcement also includes SHA256 hashes for the source archive, Windows installers, PortableApps build, and macOS disk image, which can help administrators verify downloaded files.

How teams should respond

Organizations that use Wireshark in SOCs, malware labs, help desks, telecom teams, or network operations should prioritize the update. The risk grows when staff regularly handle captures from outside users or hostile environments.

Teams can get the current installers from the official Wireshark download page. Those using Linux distribution packages should check their vendor repositories and security advisories for backported fixes.

Recommended steps include:

  1. Upgrade Wireshark 4.6.x systems to 4.6.7 or later.
  2. Upgrade Wireshark 4.4.x systems to 4.4.17 or later.
  3. Use isolated analysis environments when opening suspicious captures.
  4. Avoid opening untrusted pcapng, BLF, and DBS Etherwatch files on unpatched systems.
  5. Review automated pipelines that parse captures with Wireshark, TShark, or related tools.
  6. Verify installer hashes when downloading packages for enterprise deployment.
  7. Update third-party extcap packaging if the libexec path change affects deployments.

Security impact for analysts

The fixed flaws do not turn Wireshark into a remote network compromise by themselves. In most scenarios, the attacker needs the victim to open a crafted capture, process malicious packets, or connect an external capture interface to a hostile target.

Even so, the impact can be meaningful. Crashes and hangs can interrupt live investigations, corrupt analysis workflows, or create blind spots when analysts need reliable packet inspection.

Updating through the official download page and avoiding untrusted captures on outdated builds remain the most practical protections. The Catapult DCT2000 advisory shows the common pattern for these fixes: affected Wireshark 4.6 and 4.4 versions now have patched releases available.

FAQ

What is fixed in Wireshark 4.6.7?

Wireshark 4.6.7 fixes 12 security advisories affecting protocol dissectors, capture-file parsers, TLS ECH decryption, and the Ciscodump extcap utility. The issues can cause crashes, hangs, large loops, or information disclosure.

Which Wireshark versions are affected by these vulnerabilities?

The advisories list Wireshark 4.6.0 through 4.6.6 and Wireshark 4.4.0 through 4.4.16 as affected. The fixed versions are Wireshark 4.6.7 and Wireshark 4.4.17.

Can a malicious packet capture crash Wireshark?

Yes. Several fixed issues can crash Wireshark when it opens or processes specially crafted packets or capture files. Analysts should avoid untrusted captures on unpatched systems and use isolated environments for suspicious traffic samples.

Does Wireshark 4.6.7 add new protocol support?

No. Wireshark 4.6.7 does not add new protocol support. It updates existing protocol support and capture-file handling, including Android Logcat, BLF, DBS Etherwatch, Netlog, and pcapng.

Readers help support VPNCentral. We may get a commission if you buy through our links. Tooltip Icon

Read our disclosure page to find out how can you help VPNCentral sustain the editorial team Read more

User forum

0 messages