The Wireshark Foundation has released version 4.6.5 of its widely used network protocol analyzer, addressing a massive wave of security vulnerabilities.
This urgent update patches over 40 distinct security flaws, driven by a recent surge in AI-assisted vulnerability reports. The most critical bugs in this release allow for possible arbitrary code execution, elevating the risk beyond typical denial-of-service (DoS) crashes.
Critical Code Execution Flaws
Among the extensive list of patches, four specific vulnerabilities stand out for their potential to enable arbitrary code execution. These flaws reside in the way Wireshark dissects specific protocols and handles certain file formats:
- CVE-2026-5402 (TLS Dissector): A heap overflow vulnerability within the Transport Layer Security (TLS) protocol dissector affects versions 4.6.0 to 4.6.4.
- CVE-2026-5403 (SBC Codec): The SBC audio codec dissector contains a severe crash vulnerability that could allow an attacker to execute arbitrary code.
- CVE-2026-5405 (RDP Dissector): The Remote Desktop Protocol (RDP) dissector is vulnerable to a crash that could also lead to arbitrary code execution.
- CVE-2026-5656 (Profile Import): A vulnerability in Wireshark’s profile import functionality can trigger a crash and potentially execute malicious code.
In all these scenarios, the primary exploitation vector involves maliciously malformed packets. Threat actors can exploit these vulnerabilities by intentionally crafting network packets with altered data fields that Wireshark’s dissectors fail to process safely.
When Wireshark attempts to parse unexpected input, it can trigger memory corruption, such as heap overflows.
Attackers can trigger these exploits in two primary ways. First, they can transmit the specially crafted packets across a live network that a target is actively monitoring with Wireshark.
Second, they can embed the malicious packets in a crafted packet capture file and trick a security analyst into opening it. Once processed, the malformed data allows arbitrary code execution with the privileges of the Wireshark process.
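As an added example (not code from the article or from the Wireshark project), a small POSIX shell helper for analysts who must open untrusted captures on a build that has not yet been upgraded: it reads the installed version from the tshark banner, checks it against the 4.6.0 to 4.6.4 range the advisory gives for the TLS flaw, and if the build is affected opens the file with the TLS, RDP and SBC dissectors disabled. The protocol names passed to --disable-protocol are assumed to match Wireshark's dissector filter names.

```shell
#!/bin/sh
# Added example, not from the article or the Wireshark project. Helpers for an
# analyst who must open untrusted captures before the 4.6.5 upgrade lands:
# detect a build in the affected 4.6.0-4.6.4 range and, if so, run tshark with
# the dissectors named in the advisory switched off. The --disable-protocol
# names "tls", "rdp" and "sbc" are assumed to match the dissector filter names.

# Pull "major.minor.patch" out of a tshark/wireshark --version banner line,
# e.g. "TShark (Wireshark) 4.6.3 (v4.6.3-0-g...)" -> "4.6.3".
extract_version() {
    printf '%s\n' "$1" |
        sed -n 's/^[^0-9]*\([0-9][0-9]*\.[0-9][0-9]*\.[0-9][0-9]*\).*/\1/p'
}

# Exit 0 when the version lies in 4.6.0 .. 4.6.4 inclusive (the range the
# advisory gives for the TLS heap overflow), 1 otherwise.
is_affected_version() {
    major=${1%%.*}
    rest=${1#*.}
    minor=${rest%%.*}
    patch=${rest#*.}
    patch=${patch%%[!0-9]*}        # drop any "rc1"-style suffix
    [ "$major" -eq 4 ] && [ "$minor" -eq 6 ] && [ "${patch:-0}" -le 4 ]
}

# Read an untrusted capture with the affected dissectors disabled; -n also
# turns off name resolution so no network lookups happen while dissecting.
tshark_hardened() {
    tshark -n -r "$1" \
        --disable-protocol tls \
        --disable-protocol rdp \
        --disable-protocol sbc
}

# Decide how to open the capture given as $1 based on the installed tshark.
check_and_run() {
    banner=$(tshark --version 2>/dev/null | head -n 1)
    ver=$(extract_version "$banner")
    if is_affected_version "$ver"; then
        echo "tshark $ver is in the affected range; opening with TLS/RDP/SBC disabled" >&2
        tshark_hardened "$1"
    else
        tshark -n -r "$1"
    fi
}

if [ "$#" -eq 1 ]; then
    check_and_run "$1"
fi
```

Disabling a dissector only removes that parser from the attack surface for that session; it is a stopgap until the 4.6.5 upgrade, not a replacement for it.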
Additional Denial of Service Flaws
Alongside code-execution threats, version 4.6.5 fixes dozens of denial-of-service vulnerabilities. These include infinite loops and fatal crashes in dissectors for ubiquitous protocols such as SMB2, HTTP, ICMPv6, and MySQL.
The zlib and LZ77 decompression routines were also found to crash on malformed input. While less severe than code execution, these DoS flaws can still seriously disrupt security operations centers (SOCs) that depend on continuous network monitoring.
The Wireshark team is currently unaware of any active exploitation of these vulnerabilities in the wild. However, given the public disclosure of these flaws and the potential for severe impact, immediate action is required.
Network administrators, threat hunters, and security analysts must upgrade to Wireshark 4.6.5 immediately. The update is available for download directly from the Wireshark Foundation’s official website.