Wireshark 4.6.5 Patches Critical Code Execution and DoS Vulnerabilities
For network engineers and security researchers, Wireshark is the industry-standard “microscope” used to examine the granular details of network traffic. However, because the tool must parse complex, untrusted data from diverse protocols, the application itself can become a target.
The Wireshark Foundation has officially released version 4.6.5, a critical update designed to mitigate a massive wave of security vulnerabilities discovered through recent AI-assisted bug hunting.
This release is particularly significant because it addresses more than 40 distinct security flaws. While many of these are traditional Denial-of-Service (DoS) bugs, several represent a much higher tier of risk: the potential for arbitrary code execution (ACE). This means a carefully crafted packet could move beyond simply crashing the application, potentially allowing an attacker to run unauthorized commands on the analyst’s machine.
The High-Stakes Risks: Arbitrary Code Execution
The most alarming aspect of this update involves four specific vulnerabilities. These flaws exist within the “dissectors”—the specialized code modules Wireshark uses to translate raw binary data into human-readable protocol information. When a dissector encounters data it doesn’t expect, it can fail in ways that compromise system memory.
- CVE-2026-5402 (TLS Dissector): A heap overflow vulnerability identified within the Transport Layer Security (TLS) protocol dissector. This affects users running versions 4.6.0 through 4.6.4.
- CVE-2026-5403 (SBC Codec): A severe flaw in the SBC audio codec dissector that can be leveraged to execute untrusted code via malformed media streams.
- CVE-2026-5405 (RDP Dissector): The Remote Desktop Protocol (RDP) dissector contains a vulnerability that can trigger a crash or facilitate code execution.
- CVE-2026-5656 (Profile Import): A logic flaw in the profile import functionality allows malicious configuration files to trigger crashes or execute code.
How the attack works: The exploitation vector relies on malformed packets. An attacker crafts a packet with intentional discrepancies in its data fields. When Wireshark’s dissector attempts to parse these fields, it may attempt to write data to a memory location it shouldn’t access (such as a heap overflow), effectively hijacking the application’s execution flow.
There are two primary ways a security professional might encounter these threats:
- Live Network Interception: An attacker transmits these “poisoned” packets across a network while an analyst is actively capturing traffic.
- Poisoned PCAP Files: An attacker embeds the malicious payload within a
.pcapor.pcapngfile. If a security analyst opens this file to investigate a suspicious event, the vulnerability triggers during the parsing process.
Mitigating Operational Disruption: Denial of Service (DoS)
Beyond the threat of code execution, version 4.6.5 cleans up dozens of vulnerabilities that could lead to application instability. These include infinite loops and fatal crashes in the dissectors for widely used protocols like SMB2, HTTP, ICMPv6, and MySQL.
Additionally, the update hardens the application’s handling of decompression mechanisms, specifically addressing flaws in zlib and LZ77. While a DoS attack doesn’t grant an attacker control over a system, it can be devastating in a Security Operations Center (SOC) environment. If a critical monitoring tool crashes repeatedly due to malformed traffic, it creates a “blind spot” that attackers can exploit to move laterally through a network undetected.
Final Verdict and Remediation
The Wireshark team has stated they are currently unaware of any active exploitation of these flaws in the wild. However, the technical details are now public, significantly lowering the barrier for potential bad actors.
Action Required: It is strongly recommend that all network administrators, threat hunters, and forensic analysts upgrade to Wireshark 4.6.5 immediately. This is a vital step in ensuring that the very tools you use to secure your network do not become the gateway for its compromise.