The Wireshark Foundation has rolled out a crucial security update for its widely used network protocol analyzer, addressing multiple vulnerabilities that could lead to denial-of-service conditions.
The latest release, version 4.6.1, specifically targets flaws discovered in the Bundle Protocol version 7 (BPv7) and Kafka dissectors. These vulnerabilities, if left unpatched, allow attackers to forcibly crash the application by injecting malicious data into a network stream or a trace file.
Dissector Crashes Expose Users to Denial of Service
The core of the recent security advisory focuses on how Wireshark parses specific network protocols. Security researchers identified a significant flaw in the BPv7 dissector, tracked as wnpa-sec-2025-05, which affects version 4.6.0.
A similar vulnerability was discovered in the Kafka dissector, designated wnpa-sec-2025-06, impacting version 4.6.0 as well as 4.4.x branch ranging from 4.4.0 to 4.4.10.
| Advisory ID | Component | Vulnerability Type | Impact | Affected Versions | Fixed Version |
|---|---|---|---|---|---|
| wnpa-sec-2025-05 | BPv7 Dissector | NULL Pointer Dereference / Crash | Denial of Service (DoS) | 4.6.0 | 4.6.1 |
| wnpa-sec-2025-06 | Kafka Dissector | Memory Corruption / Crash | Denial of Service (DoS) | 4.6.0, 4.4.0 – 4.4.10 | 4.6.1, 4.4.11 |
In both scenarios, the mechanism for exploitation involves the injection of a malformed packet. Attackers can trigger these crashes either by transmitting a specially crafted packet onto a live network interface that Wireshark is monitoring or by convincing a target analyst to open a compromised packet trace file.
While the Wireshark team discovered these issues during internal testing and is currently unaware of active exploitation in the wild, the potential for disruption remains high for security operations centers (SOCs) and network administrators who rely on the tool for continuous monitoring.
Beyond the primary security patches, the maintenance release resolves a variety of stability issues that hindered protocol analysis. Significant corrections were applied to the L2CAP dissector, which previously failed to correctly interpret retransmission modes, and the DNS HIP dissector, which erroneously labeled PK algorithms as HIT lengths.
The development team also addressed a crash in TShark triggered by Lua plugins and resolved a specific issue where the application would stall when selecting messages.
Further improvements include fixes for the TCP dissector, creating invalid packet diagrams, and corrections for LZ4-compressed output file write failures. Users working with complex network environments will benefit from the resolved conflict between endian.h and libc during plugin builds.
The update also ensures that UDP Port 853 is correctly decoded as QUIC (DoQ) and restores functionality for Omnipeek files that were previously incompatible with version 4.6.0.
| Issue ID | Component | Description |
|---|---|---|
| Issue 2241 | L2CAP Dissector | Corrected logic; the dissector now properly understands retransmission mode. |
| Issue 20768 | DNS HIP Dissector | Fixed a labeling error where the PK algorithm was incorrectly identified as HIT length. |
| Issue 20776 | Build System | Resolved aclang-clcompilation error inpacket-zbee-direct.c. |
| Issue 20779 | File I/O | Addressed a failure when writing to an LZ4-compressed output file. |
| Issue 20786 | Plugins | Fixed a conflict betweenendian.handlibcwhen building plugins. |
| Issue 20794 | TShark | Resolved a crash caused by Lua plugins. |
| Issue 20797 | UI Performance | Fixed an issue where Wireshark stalled for several seconds when selecting specific messages. |
| Issue 20802 | TLS Dissector | Corrected handling of TLS Abbreviated Handshakes using New Session Tickets. |
| Issue 20803 | WebSocket | Fixed a bug where custom WebSocket dissectors failed to run. |
| Issue 20813 | DCERPC Dissector | Resolved a dissector bug inpacket-dcerpc.ctriggered byWINREG QueryValue. |
| Issue 20817 | Lua API | Fixed a crash inFileHandlerwhen reading packets. |
| Issue 20818 | Filter Engine | FixedApply As FilterforFT_NONE/BASE_NONEfields (single byte) to correctly use hex values. |
| Issue 20819 | UI Layout | Resolved a problem in “Pane 3” preference layout when selecting “Packet Diagram” or “None”. |
| Issue 20820 | TCP Dissector | Fixed the creation of invalid packet diagrams. |
| Issue 20831 | File Format | Fixed an issue with too many nested VLAN tags when opening as File Format. |
| Issue 20842 | File Support | Restored support for Omnipeek files, which was broken in version 4.6.0. |
| Issue 20845 | IsoBus Dissector | Added support for UTF-16 strings in string operations. |
| Issue 20849 | SNMP Dissector | Corrected filtering forgetBulkRequestrequest-IDs. |
| Issue 20852 | Fuzz Testing | Addressed a specific fuzz job issue (fuzz-2025-11-12-12064814316.pcap). |
| Issue 20856 | QUIC/DoQ | Ensure UDP Port 853 (DoQ) is correctly decoded as QUIC. |
Network administrators and security analysts should prioritize upgrading to Wireshark 4.6.1 or 4.4.11 immediately. The update is available for download directly from the Wireshark Foundation’s website or through respective package managers for Linux and Unix distributions.
Follow us on Google News, LinkedIn, and X for daily cybersecurity updates. Contact us to feature your stories.
