
Wireshark 4.6.5: Patching 38 Vulnerabilities in Network Protocol Dissectors

Security Arsenal Team
May 3, 2026

The Wireshark development team has released version 4.6.5, a critical security update addressing 43 vulnerabilities, including 38 assigned CVEs. As the world's most popular network protocol analyzer, Wireshark is ubiquitous across Security Operations Centers (SOCs), IR labs, and engineering environments. This release is not a routine maintenance update; it represents a significant cumulative patch to the application's core packet parsing capabilities, specifically targeting flaws in protocol dissectors.

Introduction: The Analyst's Achilles Heel

For security practitioners, Wireshark is the lens through which we view network traffic. However, this visibility comes with risk: Wireshark parses complex, untrusted data from potentially malicious actors. A vulnerability in a "dissector"—the component that decodes specific protocols—can turn a defensive investigation into a compromise. When an analyst opens a malicious packet capture (.pcap, .pcapng), a malformed packet can trigger a buffer overflow or denial-of-service condition.

With 38 CVEs addressed in this release, the attack surface is substantial. If your organization runs Wireshark versions prior to 4.6.5, your analysts and engineers are vulnerable to potential code execution (RCE) simply by performing their duties. This is particularly urgent if Wireshark is run with elevated privileges (e.g., sudo on Linux or Administrator on Windows), which is often required for packet capture on production interfaces.

Technical Analysis

Affected Products:

  • Product: Wireshark (Stable Release 4.6.x series)
  • Vulnerable Versions: All versions prior to 4.6.5
  • Platform: Cross-platform (Windows, Linux, macOS)

CVE and Severity Metrics: While the specific CVSS scores for all 38 CVEs were not detailed in the immediate advisory, historical data on Wireshark dissector flaws typically rates them as High to Critical. These vulnerabilities often allow arbitrary code execution or application crashes.

Vulnerability Mechanics: The vulnerabilities reside in the "dissectors" responsible for parsing specific network protocols. The attack chain is straightforward but highly effective against analysts:

  1. Delivery: An attacker sends a malicious .pcap file via email, phishing, or hosts it on a network share mimicking legitimate traffic logs.
  2. Trigger: A defender or engineer opens the file in Wireshark to investigate.
  3. Exploitation: The vulnerable dissector attempts to parse a malformed packet field.
  4. Impact: Memory corruption leads to a crash (DoS) or, in worst-case scenarios, allows execution of arbitrary code with the privileges of the Wireshark process.

Exploitation Status: While the release notes do not explicitly confirm active exploitation in the wild at this time, the utility of Wireshark makes it a prime target for "analyst-hunting" campaigns. Given the high volume of CVEs, PoC (Proof of Concept) code is likely to emerge rapidly for various dissectors.

Detection & Response

Detecting vulnerable instances of Wireshark in your environment is a critical hygiene step. Because Wireshark is a client-side tool that is launched manually and intermittently, traditional EDR telemetry may not surface it unless the tool is actually running while process events are collected. The following rules and queries identify endpoints where Wireshark is installed or has been executed, so that your vulnerability management team can enforce the 4.6.5 update immediately.

Sigma Rules

```yaml
---
title: Potential Wireshark Installation on Windows
id: 8c7d9f12-3a45-4b5c-8e1d-2f3a4b5c6d7e
status: experimental
description: Detects execution of Wireshark on Windows endpoints to identify assets requiring patch verification to 4.6.5.
references:
  - https://www.wireshark.org/docs/relnotes/wireshark-4.6.5.html
author: Security Arsenal
date: 2024/05/05
tags:
  - attack.resource-development
  - attack.t1588.001
logsource:
  category: process_creation
  product: windows
detection:
  selection:
    Image|endswith:
      - '\wireshark.exe'
      - '\tshark.exe'
  condition: selection
falsepositives:
  - Legitimate network analysis by authorized staff
level: low
---
title: Wireshark Execution on Linux
id: 9d8e0a21-4b56-5c6d-9f2e-3a4b5c6d7e8f
status: experimental
description: Detects execution of Wireshark CLI or GUI on Linux/Unix endpoints to identify assets requiring patch verification to 4.6.5.
references:
  - https://www.wireshark.org/docs/relnotes/wireshark-4.6.5.html
author: Security Arsenal
date: 2024/05/05
tags:
  - attack.resource-development
  - attack.t1588.001
logsource:
  category: process_creation
  product: linux
detection:
  selection:
    Image|endswith:
      - '/wireshark'
      - '/tshark'
  condition: selection
falsepositives:
  - Legitimate network analysis by authorized staff
level: low
```


**KQL (Microsoft Sentinel / Defender)**

```kql
// Hunt for Wireshark execution to build an inventory of assets for patching.
// summarize (rather than distinct) keeps a timestamp to sort on; ProcessVersion
// below 4.6.5 marks the host as needing the update.
DeviceProcessEvents
| where FileName in~ ("wireshark.exe", "tshark.exe", "wireshark", "tshark")
| summarize LastSeen = max(Timestamp), Accounts = make_set(AccountName) by DeviceName, FolderPath, ProcessVersion
| extend Vulnerable = isnotempty(ProcessVersion) and parse_version(ProcessVersion) < parse_version("4.6.5")
| order by Vulnerable desc, LastSeen desc
```


**Velociraptor VQL**

```vql
-- Hunt for Wireshark binaries on Linux endpoints to check versions.
-- glob() takes one list of patterns; binaries last modified before the
-- 4.6.5 release date cannot be the patched build.
SELECT FullPath, Mtime, Size
FROM glob(globs=['/usr/bin/wireshark', '/usr/bin/tshark', '/usr/local/bin/wireshark'])
WHERE Mtime < timestamp(string='YYYY-MM-DD')  -- placeholder: substitute the 4.6.5 release date
```
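A host-side complement to the queries above, added here as an example (it is not part of the original advisory and not Wireshark's own tooling): it parses the first line of `wireshark --version` / `tshark --version` output and classifies each host against the 4.6.5 fix boundary. The hostnames and banner strings in the sample inventory are constructed, and `local_version` assumes a `tshark` binary on the PATH of the host it runs on.

```python
"""Classify Wireshark/TShark installs as vulnerable or patched relative to 4.6.5."""
import re
import subprocess
from typing import Dict, Optional, Tuple

FIXED_IN = (4, 6, 5)  # per the advisory, every release before 4.6.5 is affected

# First banner line reads "Wireshark 4.6.4 (v4.6.4-0-g...)" or "TShark (Wireshark) 4.6.4 (...)":
# take the first x.y.z that follows the product name.
_BANNER_RE = re.compile(r"^(?:TShark|Wireshark)\b.*?(\d+)\.(\d+)\.(\d+)", re.MULTILINE)

def parse_version(banner: str) -> Optional[Tuple[int, int, int]]:
    """Extract (major, minor, patch) from --version output; None if unrecognised."""
    m = _BANNER_RE.search(banner)
    return tuple(int(x) for x in m.groups()) if m else None

def is_vulnerable(version: Tuple[int, int, int]) -> bool:
    """Tuple comparison orders 4.6.10 after 4.6.5 correctly; a string compare would not."""
    return version < FIXED_IN

def local_version(binary: str = "tshark") -> Optional[Tuple[int, int, int]]:
    """Query the binary on this host; None if it is missing or does not answer."""
    try:
        proc = subprocess.run([binary, "--version"], capture_output=True, text=True, timeout=10)
    except (FileNotFoundError, subprocess.TimeoutExpired):
        return None
    return parse_version(proc.stdout)

def triage(banners: Dict[str, str]) -> Dict[str, str]:
    """Map hostname -> 'vulnerable' | 'patched' | 'unknown' from collected banners."""
    verdicts = {}
    for host, banner in banners.items():
        v = parse_version(banner)
        verdicts[host] = "unknown" if v is None else ("vulnerable" if is_vulnerable(v) else "patched")
    return verdicts

# Constructed sample inventory: hostnames and banners are made up for this example.
SAMPLE_BANNERS = {
    "soc-ws-01": "TShark (Wireshark) 4.6.4 (v4.6.4-0-gPLACEHOLDER).\n\nCompiled with ...",
    "ir-lab-02": "Wireshark 4.6.5 (v4.6.5-0-gPLACEHOLDER).",
    "eng-03": "Wireshark 3.6.20 (Git v3.6.20 packaged as 3.6.20-1)",
    "build-04": "bash: tshark: command not found",
}

if __name__ == "__main__":
    for host, verdict in sorted(triage(SAMPLE_BANNERS).items()):
        print(f"{host}: {verdict}")
    print("this host:", local_version() or "not installed")
```

Feed it the banners collected by the KQL/VQL hunts (or by a remote `tshark --version`) and the output is a per-host patch list.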