{"id":12540,"date":"2026-05-01T10:04:09","date_gmt":"2026-05-01T10:04:09","guid":{"rendered":"https:\/\/serisec.com\/index.php\/2026\/05\/01\/critical-wireshark-vulnerabilities-let-attackers-execute-arbitrary-code-via-malformed-packets\/"},"modified":"2026-05-01T10:04:09","modified_gmt":"2026-05-01T10:04:09","slug":"critical-wireshark-vulnerabilities-let-attackers-execute-arbitrary-code-via-malformed-packets","status":"publish","type":"post","link":"https:\/\/serisec.com\/index.php\/2026\/05\/01\/critical-wireshark-vulnerabilities-let-attackers-execute-arbitrary-code-via-malformed-packets\/","title":{"rendered":"Critical Wireshark Vulnerabilities Let Attackers Execute Arbitrary Code Via Malformed Packets"},"content":{"rendered":"<div>\n<p><a href=\"https:\/\/cybersecuritynews.com\/nmap-vs-wireshark\/\" target=\"_blank\" rel=\"noreferrer noopener\">Wireshark<\/a>, the world\u2019s most widely used open-source network protocol analyzer, has released a major security update addressing over 40 vulnerabilities, several of which enable arbitrary code execution through malformed packet injection or malicious capture files.<\/p>\n<p>Organizations and individuals relying on Wireshark for network monitoring, forensics, and traffic analysis should update immediately to Wireshark 4.6.5.<\/p>\n<h2 class=\"wp-block-heading\" id=\"critical-code-execution-flaws\"><strong>Critical Code Execution Flaws<\/strong><\/h2>\n<p>The most severe vulnerabilities in this release carry the potential for remote code execution (RCE), moving beyond simple denial-of-service impact. 
Four dissectors and parsers were found susceptible:<\/p>\n<ul class=\"wp-block-list\">\n<li>TLS Dissector (CVE-2026-5402) \u2014 A crash with possible code execution when parsing malformed TLS traffic (wnpa-sec-2026-14)<\/li>\n<li>SBC Codec (CVE-2026-5403) \u2014 A crash with possible code execution in the SBC audio codec processor (wnpa-sec-2026-16)<\/li>\n<li>RDP Dissector (CVE-2026-5405) \u2014 A crash with possible code execution when dissecting Remote Desktop Protocol packets (wnpa-sec-2026-17)<\/li>\n<li>Profile Import (CVE-2026-5656) \u2014 A crash with possible code execution triggered during profile import operations (wnpa-sec-2026-21)<\/li>\n<\/ul>\n<p>These vulnerabilities are particularly dangerous because Wireshark is routinely run with elevated privileges in <a href=\"https:\/\/cybersecuritynews.com\/web3-developer-environments-targeted-by-social-engineering-campaign\/\" target=\"_blank\" rel=\"noreferrer noopener\">enterprise and SOC environments<\/a>, meaning successful exploitation could grant attackers significant system access.<\/p>\n<h2 class=\"wp-block-heading\" id=\"denial-of-service-via-dissector-crashes\"><strong>Denial-of-Service via Dissector Crashes<\/strong><\/h2>\n<p>A large portion of the patched flaws cause application crashes when specific protocol dissectors process malformed or adversarially crafted packets. 
Affected dissectors span a wide range of protocols:<\/p>\n<ul class=\"wp-block-list\">\n<li>Monero (CVE-2026-5409), BT-DHT (CVE-2026-5408), FC-SWILS (CVE-2026-5406), ICMPv6 (CVE-2026-5299)<\/li>\n<li>AFP (CVE-2026-5401), K12 RF5 file parser (CVE-2026-5404), AMR-NB codec (CVE-2026-5654)<\/li>\n<li>SDP (CVE-2026-5655), iLBC audio codec (CVE-2026-5657, CVE-2026-6529), DCP-ETSI (CVE-2026-5653, CVE-2026-6530)<\/li>\n<li>BEEP (CVE-2026-6538), ZigBee (CVE-2026-6537), Kismet (CVE-2026-6532)<\/li>\n<li>ASN.1 PER (CVE-2026-6527), RTSP (CVE-2026-6526), IEEE 802.11 (CVE-2026-6525)<\/li>\n<li>MySQL (CVE-2026-6524), GSM RP (CVE-2026-6870), WebSocket (CVE-2026-6869), HTTP (CVE-2026-6868)<\/li>\n<\/ul>\n<p>An attacker on the same network segment can trigger these crashes by injecting specially crafted packets, requiring no authentication or prior access to the target system.<\/p>\n<h2 class=\"wp-block-heading\" id=\"infinite-loop-and-resource-exhaustion\"><strong>Infinite Loop and Resource Exhaustion<\/strong><\/h2>\n<p>Several vulnerabilities cause infinite loops, effectively hanging Wireshark and consuming system resources in a sustained denial-of-service condition:<\/p>\n<ul class=\"wp-block-list\">\n<li>SMB2 Dissector (CVE-2026-5407) \u2014 Infinite loop via malformed SMB2 traffic (wnpa-sec-2026-11)<\/li>\n<li>DLMS\/COSEM (CVE-2026-6536), USB HID (CVE-2026-6534), SANE (CVE-2026-6531)<\/li>\n<li>GNW (CVE-2026-6523), OpenFlow v5 (CVE-2026-6521), OpenFlow v6 (CVE-2026-6520)<\/li>\n<li>MBIM (CVE-2026-6519), RPKI-Router (CVE-2026-6522), TLS Dissector (CVE-2026-6528)<\/li>\n<\/ul>\n<p>These loop-based flaws are especially problematic in automated traffic capture pipelines where Wireshark runs unattended, as a single malformed packet can permanently halt analysis.<\/p>\n<h2 class=\"wp-block-heading\" id=\"decompression-engine-vulnerabilities\"><strong>Decompression Engine Vulnerabilities<\/strong><\/h2>\n<p>Two low-level vulnerabilities target Wireshark\u2019s core dissection engine 
rather than individual protocol parsers:<\/p>\n<ul class=\"wp-block-list\">\n<li>\n<strong>zlib Decompression Crash (CVE-2026-6535)<\/strong> \u2014 Impacts Issues #21097 and #21098, where malformed compressed payloads corrupt the decompression pipeline (wnpa-sec-2026-26)<\/li>\n<li>\n<strong>LZ77 Decompression Crash (CVE-2026-6533)<\/strong> \u2014 A crash triggered by malformed LZ77-compressed data during packet dissection (wnpa-sec-2026-28)<\/li>\n<\/ul>\n<p>These engine-level flaws affect any protocol using compressed payloads, substantially broadening the attack surface beyond specific protocol dissectors.<\/p>\n<h2 class=\"wp-block-heading\" id=\"affected-versions--remediation\"><strong>Affected Versions &amp; Remediation<\/strong><\/h2>\n<figure class=\"wp-block-table\">\n<table class=\"has-fixed-layout\">\n<thead>\n<tr>\n<th>Component<\/th>\n<th>Vulnerability Type<\/th>\n<th>CVE Examples<\/th>\n<\/tr>\n<\/thead>\n<tbody>\n<tr>\n<td>TLS, RDP, SBC, Profile Import<\/td>\n<td>Crash + Possible Code Execution<\/td>\n<td>CVE-2026-5402, 5403, 5405, 5656<\/td>\n<\/tr>\n<tr>\n<td>SMB2, TLS, MBIM, OpenFlow<\/td>\n<td>Infinite Loop \/ DoS<\/td>\n<td>CVE-2026-5407, 6528, 6519, 6521<\/td>\n<\/tr>\n<tr>\n<td>Multiple Dissectors (20+)<\/td>\n<td>Dissector Crash \/ DoS<\/td>\n<td>CVE-2026-5299 through CVE-2026-6870<\/td>\n<\/tr>\n<tr>\n<td>Dissection Engine<\/td>\n<td>zlib\/LZ77 Decompression Crash<\/td>\n<td>CVE-2026-6535, CVE-2026-6533<\/td>\n<\/tr>\n<\/tbody>\n<\/table>\n<\/figure>\n<p>The Wireshark team notes this batch of fixes is partly attributed to AI-assisted vulnerability reporting, which accelerated discovery across many protocol modules simultaneously. 
Users are strongly advised to update to the latest patched release of Wireshark 4.6.5 immediately via the <a href=\"https:\/\/www.wireshark.org\/download.html\" target=\"_blank\" rel=\"noreferrer noopener nofollow\">official Wireshark download page<\/a>.<\/p>\n<p>Organizations running Wireshark in live capture or SIEM-integrated modes should treat this update as a critical priority, given the code execution potential in TLS, RDP, and SBC components.<\/p>\n<p>The post <a href=\"https:\/\/cybersecuritynews.com\/wireshark-vulnerabilities-code-execution\/\">Critical Wireshark Vulnerabilities Let Attackers Execute Arbitrary Code Via Malformed Packets<\/a> appeared first on <a href=\"https:\/\/cybersecuritynews.com\/\">Cyber Security News<\/a>.<\/p>\n<\/div>\n<p>Guru Baran<\/p>\n","protected":false},"excerpt":{"rendered":"<p>Critical Wireshark Vulnerabilities Let Attackers Execute Arbitrary Code Via Malformed Packets Wireshark, the world\u2019s most widely used open-source network protocol analyzer, has released a major security update addressing over 40 vulnerabilities, several of which enable arbitrary code execution through malformed packet injection or malicious capture files. 
Organizations and individuals relying on Wireshark for network monitoring, [&hellip;]<\/p>\n","protected":false},"author":2,"featured_media":0,"comment_status":"closed","ping_status":"closed","sticky":false,"template":"","format":"standard","meta":{"footnotes":""},"categories":[129,63,648],"tags":[130],"class_list":["post-12540","post","type-post","status-publish","format-standard","hentry","category-cyber-security","category-cyber-security-news","category-vulnerability-news","tag-cyber-security-news"],"_links":{"self":[{"href":"https:\/\/serisec.com\/index.php\/wp-json\/wp\/v2\/posts\/12540"}],"collection":[{"href":"https:\/\/serisec.com\/index.php\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/serisec.com\/index.php\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/serisec.com\/index.php\/wp-json\/wp\/v2\/users\/2"}],"replies":[{"embeddable":true,"href":"https:\/\/serisec.com\/index.php\/wp-json\/wp\/v2\/comments?post=12540"}],"version-history":[{"count":0,"href":"https:\/\/serisec.com\/index.php\/wp-json\/wp\/v2\/posts\/12540\/revisions"}],"wp:attachment":[{"href":"https:\/\/serisec.com\/index.php\/wp-json\/wp\/v2\/media?parent=12540"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/serisec.com\/index.php\/wp-json\/wp\/v2\/categories?post=12540"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/serisec.com\/index.php\/wp-json\/wp\/v2\/tags?post=12540"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}