Wireshark has issued version 4.6.5 after a large batch of security flaws was identified across its packet dissection engine, protocol parsers and file-handling components, underscoring the risk faced by administrators and security teams using the tool to inspect untrusted network traffic.
The release fixes more than 40 vulnerabilities, including several flaws that may allow arbitrary code execution when malformed packets, crafted trace files or malicious configuration profiles are processed. The update affects one of the world’s most widely used network protocol analysers, relied on by enterprise security operations centres, incident response teams, telecom engineers, researchers and software developers for traffic inspection and forensic analysis.
The highest-risk issues involve the TLS dissector, Remote Desktop Protocol dissector, SBC audio codec handling and profile import functionality. The TLS flaw, tracked as CVE-2026-5402, could lead to a crash and possible code execution while parsing malformed TLS traffic. Similar possible code execution risks were fixed in the SBC codec under CVE-2026-5403, the RDP dissector under CVE-2026-5405 and the profile import mechanism under CVE-2026-5656.
The profile import flaw differs from packet-triggered bugs because it requires a user to import a malformed configuration profile. That makes user interaction central to exploitation, but the risk remains material in environments where analysts exchange profiles, plugins and capture configurations. Packet-based flaws may be more concerning in live monitoring contexts because crafted traffic can be injected onto a network segment or embedded in a packet capture file opened later by an analyst.
Wireshark’s advisories state that affected 4.6.x versions before 4.6.5 are vulnerable, while many flaws also affect the 4.4.x long-term branch before 4.4.15. Users running Wireshark 4.6.0 to 4.6.4 or 4.4.0 to 4.4.14 face exposure across a wide set of modules, although some advisories apply only to the 4.6 branch. The recommended mitigation is to upgrade to 4.6.5 or, for users staying on the 4.4 line, to 4.4.15 where fixes are available.
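The version ranges above can be checked on an analyst workstation with a short script. This is an added example, not code from the Wireshark project or from this article; the function names are hypothetical, and branches the article does not mention are reported as "unknown" rather than guessed. Because some advisories apply only to the 4.6 branch, "affected" here means only that the version falls inside a range named above.

```bash
#!/usr/bin/env bash
# Classify a Wireshark/TShark version against the ranges stated in the article:
#   4.6.0 - 4.6.4   -> affected, fixed in 4.6.5
#   4.4.0 - 4.4.14  -> affected, fixed in 4.4.15
# Any other branch is outside what the article covers -> "unknown".

# extract_version: print the first x.y.z triple found in a version banner.
extract_version() {
    printf '%s\n' "$1" | grep -oE '[0-9]+\.[0-9]+\.[0-9]+' | head -n 1
}

# classify_version: print "affected:<fixed release>", "patched" or "unknown".
# The body runs in a subshell so its variables do not leak to the caller.
classify_version() (
    ver=$(extract_version "$1")
    major=${ver%%.*}; rest=${ver#*.}
    minor=${rest%%.*}; patch=${rest#*.}
    case "$major.$minor" in
        4.6) if [ "$patch" -lt 5 ];  then echo "affected:4.6.5";  else echo "patched"; fi ;;
        4.4) if [ "$patch" -lt 15 ]; then echo "affected:4.4.15"; else echo "patched"; fi ;;
        *)   echo "unknown" ;;
    esac
)

# check_local: classify the tshark found on PATH, if there is one.
check_local() {
    if ! command -v tshark >/dev/null 2>&1; then
        echo "not-installed"
        return 0
    fi
    classify_version "$(tshark --version 2>/dev/null | head -n 1)"
}

check_local
```
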
The patched defects cover crashes, infinite loops, decompression failures, memory leaks and resource exhaustion. Affected components include dissectors for Monero, BT-DHT, FC-SWILS, SMB2, ICMPv6, AFP, AMR-NB, SDP, iLBC, DCP-ETSI, BEEP, ZigBee, DLMS/COSEM, USB HID, Kismet, SANE, ASN.1 PER, RTSP, IEEE 802.11, MySQL, GSM RP, WebSocket, HTTP, OpenFlow, MBIM, RPKI-Router and GNW. Core decompression handling for zlib and LZ77 payloads was also patched, widening the significance of the update beyond individual protocol modules.
Most of the flaws lead to denial-of-service conditions rather than confirmed code execution. A malformed packet can crash Wireshark, force an infinite loop or consume resources, disrupting investigations and automated capture workflows. For security teams, that can be more than a nuisance: a crash during live triage or malware traffic analysis may delay containment, erase analyst context or interrupt monitoring during an active incident.
The update also highlights a new pressure point for open-source security projects: AI-assisted vulnerability reporting. The large volume of findings appears to have been driven by automated or semi-automated testing methods that can rapidly exercise protocol parsers across edge cases. That has a dual effect. It helps maintainers locate latent defects at scale, but it also increases the burden of validation, triage and patch management for projects with limited maintainer resources.
Wireshark’s architecture makes such findings plausible because the application supports hundreds of protocols and file formats, many of them complex, legacy or rarely tested under hostile input conditions. Dissector bugs have long been a recurring security concern because packet analysers are built to parse data supplied by potentially hostile networks. Tools used by defenders often sit close to dangerous input, and their attack surface grows with every supported protocol.