Wireshark, the world’s most widely used open-source network protocol analyzer, has released a major security update addressing over 40 vulnerabilities, several of which enable arbitrary code execution through malformed packet injection or malicious capture files.
Organizations and individuals relying on Wireshark for network monitoring, forensics, and traffic analysis should update immediately to Wireshark 4.6.5.
Critical Code Execution Flaws
The most severe vulnerabilities in this release carry the potential for remote code execution (RCE), moving beyond simple denial-of-service impact. Four dissectors and parsers were found susceptible:
- TLS Dissector (CVE-2026-5402) — A crash with possible code execution when parsing malformed TLS traffic (wnpa-sec-2026-14)
- SBC Codec (CVE-2026-5403) — A crash with possible code execution in the SBC audio codec processor (wnpa-sec-2026-16)
- RDP Dissector (CVE-2026-5405) — A crash with possible code execution when dissecting Remote Desktop Protocol packets (wnpa-sec-2026-17)
- Profile Import (CVE-2026-5656) — A crash with possible code execution triggered during profile import operations (wnpa-sec-2026-21)
These vulnerabilities are particularly dangerous because Wireshark is routinely run with elevated privileges in enterprise and SOC environments, meaning successful exploitation could grant attackers significant system access.
Denial-of-Service via Dissector Crashes
A large portion of the patched flaws cause application crashes when specific protocol dissectors process malformed or adversarially crafted packets. Affected dissectors span a wide range of protocols:
- Monero (CVE-2026-5409), BT-DHT (CVE-2026-5408), FC-SWILS (CVE-2026-5406), ICMPv6 (CVE-2026-5299)
- AFP (CVE-2026-5401), K12 RF5 file parser (CVE-2026-5404), AMR-NB codec (CVE-2026-5654)
- SDP (CVE-2026-5655), iLBC audio codec (CVE-2026-5657, CVE-2026-6529), DCP-ETSI (CVE-2026-5653, CVE-2026-6530)
- BEEP (CVE-2026-6538), ZigBee (CVE-2026-6537), Kismet (CVE-2026-6532)
- ASN.1 PER (CVE-2026-6527), RTSP (CVE-2026-6526), IEEE 802.11 (CVE-2026-6525)
- MySQL (CVE-2026-6524), GSM RP (CVE-2026-6870), WebSocket (CVE-2026-6869), HTTP (CVE-2026-6868)
An attacker on the same network segment can trigger these crashes by injecting specially crafted packets, requiring no authentication or prior access to the target system.
Infinite Loop and Resource Exhaustion
Several vulnerabilities cause infinite loops, effectively hanging Wireshark and consuming system resources in a sustained denial-of-service condition:
- SMB2 Dissector (CVE-2026-5407) — Infinite loop via malformed SMB2 traffic (wnpa-sec-2026-11)
- DLMS/COSEM (CVE-2026-6536), USB HID (CVE-2026-6534), SANE (CVE-2026-6531)
- GNW (CVE-2026-6523), OpenFlow v5 (CVE-2026-6521), OpenFlow v6 (CVE-2026-6520)
- MBIM (CVE-2026-6519), RPKI-Router (CVE-2026-6522), TLS Dissector (CVE-2026-6528)
These loop-based flaws are especially problematic in automated traffic capture pipelines where Wireshark runs unattended, as a single malformed packet can permanently halt analysis.
Decompression Engine Vulnerabilities
Two low-level vulnerabilities target Wireshark’s core dissection engine rather than individual protocol parsers:
- zlib Decompression Crash (CVE-2026-6535) — Impacts Issues #21097 and #21098, where malformed compressed payloads corrupt the decompression pipeline (wnpa-sec-2026-26)
- LZ77 Decompression Crash (CVE-2026-6533) — A crash triggered by malformed LZ77-compressed data during packet dissection (wnpa-sec-2026-28)
These engine-level flaws affect any protocol using compressed payloads, substantially broadening the attack surface beyond specific protocol dissectors.
| Component | Vulnerability Type | CVE Examples |
|---|---|---|
| TLS, RDP, SBC, Profile Import | Crash + Possible Code Execution | CVE-2026-5402, 5403, 5405, 5656 |
| SMB2, TLS, MBIM, OpenFlow | Infinite Loop / DoS | CVE-2026-5407, 6528, 6519, 6521 |
| Multiple Dissectors (20+) | Dissector Crash / DoS | CVE-2026-5299 through CVE-2026-6870 |
| Dissection Engine | zlib/LZ77 Decompression Crash | CVE-2026-6535, CVE-2026-6533 |
The Wireshark team notes this batch of fixes is partly attributed to AI-assisted vulnerability reporting, which accelerated discovery across many protocol modules simultaneously. Users are strongly advised to update to the latest patched release of Wireshark 4.6.5 immediately via the official Wireshark download page.
Organizations running Wireshark in live capture or SIEM-integrated modes should treat this update as a critical priority, given the code execution potential in TLS, RDP, and SBC components.