Wireshark 4.4.4 Released With Fix for Vulnerability That Triggers DoS Attack


The Wireshark Foundation has released version 4.4.4 of its widely used network protocol analyzer, addressing a high-severity vulnerability that could allow attackers to trigger denial-of-service (DoS) conditions by injecting malicious packets.

The update resolves CVE-2025-1492, a flaw in the Bundle Protocol and CBOR dissectors that caused crashes, infinite loops, and memory leaks when processing specially crafted network traffic.

This marks the fourth security patch in the 4.4.x series, underscoring the persistent risks associated with protocol analysis tools in network security.

CVE-2025-1492 scored 7.8 (High) on the CVSS v3.1 scale, affecting Wireshark versions 4.4.0 through 4.4.3 and 4.2.0 through 4.2.10.

Attackers exploiting this vulnerability could disrupt network troubleshooting, analysis, and monitoring by overwhelming systems with malformed packets.

The flaw resides in how Wireshark’s dissectors parse Bundle Protocol (used in delay-tolerant networking) and CBOR (Concise Binary Object Representation) data structures.

Successful exploitation crashes the application, halting critical network diagnostics and potentially enabling broader service interruptions.

According to the Wireshark security advisory (wnpa-sec-2025-01), the vulnerability was discovered through automated fuzz testing, a method that injects invalid or random data into software to uncover instability.

This aligns with historical patterns where protocol dissector modules that decode network traffic have been prime targets for DoS attacks. For example, past vulnerabilities in Bluetooth, Radiotap, and AVDTP dissectors (CVE-2018-16056, CVE-2018-16057, CVE-2018-16058) similarly allowed crashes via malformed packets or trace files.

Wireshark 4.4.4 Released

The 4.4.4 release not only fixes CVE-2025-1492 but also addresses 13 additional bugs, including interface regressions, DNS query handling errors, and JA4 fingerprint inaccuracies.

Users are urged to upgrade immediately, as the vulnerability requires no authentication or user interaction beyond packet injection, a feasible attack vector in both local and remotely accessible networks. Enterprise environments relying on Wireshark for network forensics or intrusion detection are particularly at risk, as prolonged downtime could obscure ongoing breaches.

Wireshark’s maintainers emphasized the importance of updating all instances, noting, “Malicious packet injection remains a persistent threat to network analysis tools. This patch reinforces dissector stability to prevent exploitation of edge-case scenarios.” The foundation also recommended validating capture files from untrusted sources and employing network segmentation to limit exposure to malicious traffic.

This update continues Wireshark’s long-standing battle against dissector-related vulnerabilities. In 2024 alone, the project resolved 15 security advisories, including infinite loops in MONGO and ZigBee TLV dissectors (wnpa-sec-2024-07) and crashes in HTTP3 decoding (wnpa-sec-2024-03).

The latest release also follows significant architectural shifts, such as migrating to Lua 5.4 and adopting zlib-ng for faster compression, which introduced compatibility risks now being ironed out in minor updates.

Despite these hurdles, Wireshark remains indispensable for network professionals, with over 80% of enterprises relying on it for traffic analysis according to industry surveys.

Wireshark 4.4.4 is available for Windows, macOS, and Linux via the official website and package managers. Organizations using automated deployment tools should prioritize this update, while security teams should monitor for anomalous packet patterns indicative of exploitation attempts.
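An added example (not from the Wireshark project or the original article): a small Python audit that flags hosts whose reported Wireshark version falls inside the affected ranges given above for CVE-2025-1492. The tab-separated inventory format, the host names and the version banners are constructed for illustration.

```python
import re

# Affected ranges as stated in the article for CVE-2025-1492 (inclusive bounds).
AFFECTED_RANGES = [((4, 4, 0), (4, 4, 3)), ((4, 2, 0), (4, 2, 10))]

# First dotted X.Y.Z triple that is not part of a longer dotted number.
_VERSION_RE = re.compile(r"(?<![\d.])(\d+)\.(\d+)\.(\d+)(?!\d)")


def parse_version(text):
    """Extract (major, minor, patch) from a banner or package string, or None."""
    match = _VERSION_RE.search(text)
    return tuple(int(part) for part in match.groups()) if match else None


def is_affected(version):
    """Compare numerically: as strings, '4.2.10' would sort below '4.2.9'."""
    return any(low <= version <= high for low, high in AFFECTED_RANGES)


def audit(inventory):
    """Map each host to 'affected', 'outside-listed-ranges' or 'unknown'."""
    results = {}
    for line in inventory.strip().splitlines():
        host, _, banner = line.partition("\t")
        version = parse_version(banner)
        if version is None:
            # No parsable version: treat as needing manual follow-up.
            results[host] = "unknown"
        elif is_affected(version):
            results[host] = "affected"
        else:
            results[host] = "outside-listed-ranges"
    return results


# Constructed sample inventory: "<host>\t<version banner or package string>".
SAMPLE_INVENTORY = (
    "cap-01\tTShark (Wireshark) 4.4.3.\n"
    "cap-02\tTShark (Wireshark) 4.4.4.\n"
    "soc-07\twireshark 4.2.10-1\n"
    "lab-03\tTShark (Wireshark) 4.2.9.\n"
    "dmz-02\ttshark: command not found\n"
)

if __name__ == "__main__":
    for host, status in audit(SAMPLE_INVENTORY).items():
        print(f"{host}: {status}")
```

The "outside-listed-ranges" label only means the version is not in the ranges this article lists; it makes no statement about older release branches the article does not mention.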

As a precaution, the Wireshark Foundation advises against running the tool with elevated privileges and suggests using firewalls to restrict capture interfaces to authorized personnel.
