Hackers News Hackers News

Critical Wireshark Flaws Allow Code Execution via Malformed

Jennifer sherman
May 1, 2026 3 Min Read

Wireshark, the world’s most widely used open-source network protocol analyzer, has issued a critical security update. This release addresses over 40 vulnerabilities, with several enabling arbitrary code execution. Attackers could exploit these flaws via malformed packet injection or malicious capture files.

Organizations and individuals relying on Wireshark for network monitoring, forensics, and traffic analysis should update immediately to Wireshark 4.6.5.

Critical Code Execution Flaws

The most severe vulnerabilities in this release carry the potential for remote code execution (RCE), moving beyond simple denial-of-service impact. Four dissectors and parsers were found susceptible:

  • TLS Dissector (CVE-2026-5402) — A crash with possible code execution when parsing malformed TLS traffic (wnpa-sec-2026-14)
  • SBC Codec (CVE-2026-5403) — A crash with possible code execution in the SBC audio codec processor (wnpa-sec-2026-16)
  • RDP Dissector (CVE-2026-5405) — A crash with possible code execution when dissecting Remote Desktop Protocol packets (wnpa-sec-2026-17)
  • Profile Import (CVE-2026-5656) — A crash with possible code execution triggered during profile import operations (wnpa-sec-2026-21)

These vulnerabilities are particularly dangerous because Wireshark is routinely run with elevated privileges in enterprise and SOC environments, meaning successful exploitation could grant attackers significant system access.

Denial-of-Service via Dissector Crashes

A large portion of the patched flaws cause application crashes when specific protocol dissectors process malformed or adversarially crafted packets. Affected dissectors span a wide range of protocols:

  • Monero (CVE-2026-5409), BT-DHT (CVE-2026-5408), FC-SWILS (CVE-2026-5406), ICMPv6 (CVE-2026-5299)
  • AFP (CVE-2026-5401), K12 RF5 file parser (CVE-2026-5404), AMR-NB codec (CVE-2026-5654)
  • SDP (CVE-2026-5655), iLBC audio codec (CVE-2026-5657, CVE-2026-6529), DCP-ETSI (CVE-2026-5653, CVE-2026-6530)
  • BEEP (CVE-2026-6538), ZigBee (CVE-2026-6537), Kismet (CVE-2026-6532)
  • ASN.1 PER (CVE-2026-6527), RTSP (CVE-2026-6526), IEEE 802.11 (CVE-2026-6525)
  • MySQL (CVE-2026-6524), GSM RP (CVE-2026-6870), WebSocket (CVE-2026-6869), HTTP (CVE-2026-6868)

An attacker on the same network segment can trigger these crashes by injecting specially crafted packets, requiring no authentication or prior access to the target system.

Infinite Loop and Resource Exhaustion

Several vulnerabilities cause infinite loops, effectively hanging Wireshark and consuming system resources in a sustained denial-of-service condition:

  • SMB2 Dissector (CVE-2026-5407) — Infinite loop via malformed SMB2 traffic (wnpa-sec-2026-11)
  • DLMS/COSEM (CVE-2026-6536), USB HID (CVE-2026-6534), SANE (CVE-2026-6531)
  • GNW (CVE-2026-6523), OpenFlow v5 (CVE-2026-6521), OpenFlow v6 (CVE-2026-6520)
  • MBIM (CVE-2026-6519), RPKI-Router (CVE-2026-6522), TLS Dissector (CVE-2026-6528)

These loop-based flaws are especially problematic in automated traffic capture pipelines where Wireshark runs unattended, as a single malformed packet can permanently halt analysis.

Decompression Engine Vulnerabilities

Two low-level vulnerabilities target Wireshark’s core dissection engine rather than individual protocol parsers:

  • zlib Decompression Crash (CVE-2026-6535) — Impacts Issues #21097 and #21098, where malformed compressed payloads corrupt the decompression pipeline (wnpa-sec-2026-26)
  • LZ77 Decompression Crash (CVE-2026-6533) — A crash triggered by malformed LZ77-compressed data during packet dissection (wnpa-sec-2026-28)

These engine-level flaws affect any protocol using compressed payloads, substantially broadening the attack surface beyond specific protocol dissectors.

Affected Versions & Remediation

| Component | Vulnerability Type | CVE Examples |
|---|---|---|
| TLS, RDP, SBC, Profile Import | Crash + Possible Code Execution | CVE-2026-5402, 5403, 5405, 5656 |
| SMB2, TLS, MBIM, OpenFlow | Infinite Loop / DoS | CVE-2026-5407, 6528, 6519, 6521 |
| Multiple Dissectors (20+) | Dissector Crash / DoS | CVE-2026-5299 through CVE-2026-6870 |
| Dissection Engine | zlib/LZ77 Decompression Crash | CVE-2026-6535, CVE-2026-6533 |

The Wireshark team notes this batch of fixes is partly attributed to AI-assisted vulnerability reporting, which accelerated discovery across many protocol modules simultaneously. Users are strongly advised to update to the latest patched release of Wireshark 4.6.5 immediately via the official Wireshark download page.

Organizations running Wireshark in live capture or SIEM-integrated modes should treat this update as a critical priority, given the code execution potential in TLS, RDP, and SBC components.
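
For the unattended-pipeline risk and the update advice above, here is an added example (not code from the Wireshark project or from this article): a Python wrapper that refuses to dissect with a build older than 4.6.5 and bounds each job's time and memory, so a hang or crash is recorded per capture instead of stalling the queue. Treating every version below 4.6.5 as unpatched, the `tshark -n -r` invocation, and the default limits are assumptions of this sketch.

```python
import re
import resource  # POSIX only
import subprocess

PATCHED = (4, 6, 5)  # fixed release named in the article

def is_patched(banner: str) -> bool:
    """True if a `tshark --version` banner reports >= PATCHED.
    Assumption: anything older, or unparseable, counts as unpatched."""
    m = re.search(r"\b(\d+)\.(\d+)\.(\d+)\b", banner)
    return bool(m) and tuple(map(int, m.groups())) >= PATCHED

def _limits(mem_bytes):
    """Build a pre-exec hook that caps address space and disables core dumps."""
    def apply():
        for res, want in ((resource.RLIMIT_AS, mem_bytes), (resource.RLIMIT_CORE, 0)):
            _, hard = resource.getrlimit(res)
            soft = want if hard == resource.RLIM_INFINITY else min(want, hard)
            resource.setrlimit(res, (soft, hard))
    return apply

def dissect(cmd, timeout_s=60, mem_bytes=2 << 30):
    """Run one dissection command; return 'ok', 'error', 'crash' or 'hang'."""
    try:
        p = subprocess.run(cmd, stdout=subprocess.DEVNULL, stderr=subprocess.DEVNULL,
                           timeout=timeout_s, preexec_fn=_limits(mem_bytes))
    except subprocess.TimeoutExpired:
        return "hang"       # infinite-loop class: child was killed at the deadline
    if p.returncode < 0:
        return "crash"      # killed by a signal such as SIGSEGV or SIGABRT
    return "ok" if p.returncode == 0 else "error"

def triage(captures, banner, build_cmd=lambda path: ["tshark", "-n", "-r", path],
           **limits):
    """Dissect each capture in isolation; one bad file never blocks the rest."""
    if not is_patched(banner):
        raise RuntimeError("tshark older than 4.6.5: update before dissecting")
    return {path: dissect(build_cmd(path), **limits) for path in captures}
```

Run the wrapper as an unprivileged account and move any capture reported as `hang` or `crash` aside for review rather than retrying it.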

Disclaimer: HackersRadar reports on cybersecurity threats and incidents for informational and awareness purposes only. We do not engage in hacking activities, data exfiltration, or the hosting or distribution of stolen or leaked information. All content is based on publicly available sources.
