Wireshark 4.6.5 Patches 40+ Flaws, Including RCE Vulnerabilities
Wireshark, the world’s most widely used open-source network protocol analyzer, has shipped a major security update patching over 40 vulnerabilities, several of which carry the potential for arbitrary code execution via malformed packet injection or weaponized capture files.
All users and organizations depending on Wireshark for network monitoring, traffic forensics, or packet analysis are urged to upgrade to Wireshark 4.6.5 without delay.
Code Execution Flaws
The most alarming findings in this release go beyond disruption. Four dissectors and parsers carry confirmed crash-with-possible-code-execution impact, making them prime candidates for exploitation in privileged environments:
- TLS Dissector (CVE-2026-5402) — A crash with possible code execution when parsing malformed TLS traffic (wnpa-sec-2026-14)
- SBC Codec (CVE-2026-5403) — A crash with possible code execution in the SBC audio codec processor (wnpa-sec-2026-16)
- RDP Dissector (CVE-2026-5405) — A crash with possible code execution when dissecting Remote Desktop Protocol packets (wnpa-sec-2026-17)
- Profile Import (CVE-2026-5656) — A crash with possible code execution triggered during profile import operations (wnpa-sec-2026-21)
These vulnerabilities are particularly dangerous because Wireshark is routinely run with elevated privileges in enterprise and SOC environments, meaning successful exploitation could grant attackers significant system access.
Denial-of-Service via Dissector Crashes
A large portion of the patched flaws cause application crashes when specific protocol dissectors process malformed or adversarially crafted packets.
Affected dissectors span a wide range of protocols, including Monero (CVE-2026-5409), BT-DHT (CVE-2026-5408), FC-SWILS (CVE-2026-5406), ICMPv6 (CVE-2026-5299), AFP (CVE-2026-5401), SDP (CVE-2026-5655), iLBC (CVE-2026-5657, CVE-2026-6529), ZigBee (CVE-2026-6537), IEEE 802.11 (CVE-2026-6525), MySQL (CVE-2026-6524), WebSocket (CVE-2026-6869) and HTTP (CVE-2026-6868), among others.
A threat actor positioned on the same network segment can trigger these crashes by injecting specially crafted packets, with no authentication or prior system access required.
Infinite Loop and Resource Exhaustion
Several vulnerabilities cause infinite loops, effectively hanging Wireshark and consuming system resources in a sustained denial-of-service condition.
Key affected components include the SMB2 Dissector (CVE-2026-5407), DLMS/COSEM (CVE-2026-6536), USB HID (CVE-2026-6534), OpenFlow v5/v6 (CVE-2026-6521, CVE-2026-6520), MBIM (CVE-2026-6519), and TLS Dissector (CVE-2026-6528).
In automated capture pipelines where Wireshark runs unattended, a single malformed packet can permanently stall the analysis workflow.
Decompression Engine Vulnerabilities
Two vulnerabilities strike Wireshark’s core dissection engine rather than individual protocol parsers, a critical distinction that amplifies their scope:
- zlib Decompression Crash (CVE-2026-6535) — A crash triggered by malformed zlib-compressed payloads in the decompression path, tracked as issues #21097 and #21098 (wnpa-sec-2026-26)
- LZ77 Decompression Crash (CVE-2026-6533) — A crash triggered by malformed LZ77-compressed data during packet dissection (wnpa-sec-2026-28)
Because these flaws sit at the engine level, any protocol that relies on compressed payloads becomes an attack vector, significantly expanding the exploitable surface beyond individual dissectors.
Affected Versions & Remediation
| Component | Vulnerability Type | CVE Examples |
|---|---|---|
| TLS, RDP, SBC, Profile Import | Crash + Possible Code Execution | CVE-2026-5402, 5403, 5405, 5656 |
| SMB2, TLS, MBIM, OpenFlow | Infinite Loop / DoS | CVE-2026-5407, 6528, 6519, 6521 |
| Multiple Dissectors (20+) | Dissector Crash / DoS | CVE-2026-5299 through CVE-2026-6870 |
| Dissection Engine | zlib/LZ77 Decompression Crash | CVE-2026-6535, CVE-2026-6533 |
The Wireshark team credited AI-assisted vulnerability reporting as a key factor in accelerating discovery across multiple protocol modules simultaneously. Users should update to Wireshark 4.6.5 immediately through the official Wireshark download page.
Organizations running Wireshark in live capture or SIEM-integrated modes must treat this patch as a top priority, given the confirmed code-execution risk in TLS, RDP, and SBC components.
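For teams that need to verify the upgrade across many hosts, and for the unattended capture pipelines the article warns can be stalled by the infinite-loop dissector bugs, the following script is an added example, not code from the article or from the Wireshark project. It compares the version reported by the tshark on PATH against the fixed release named above (4.6.5) and wraps tshark invocations in a wall-clock limit. It assumes that the `tshark --version` banner carries the version as the first dotted triple on its first line and that the `timeout` utility from GNU coreutils is available; the banner strings used in the comments are constructed samples.

```shell
#!/bin/sh
# Added example (not from the article or the Wireshark project).
# 1. version_lt / installed_version / needs_update: decide whether an installed
#    tshark predates the fixed release 4.6.5 named in the article.
# 2. run_tshark_bounded: run tshark under a time limit so an infinite-loop
#    dissector bug ends the job instead of stalling an unattended pipeline.
# Assumptions: the `tshark --version` banner has the version as the first
# dotted triple on its first line; `timeout` (GNU coreutils) is on PATH.

FIXED_VERSION="4.6.5"   # fixed release, from the article

# version_lt A B: exit 0 when dotted version A is numerically older than B.
# Missing components count as 0, so "4.6" compares as "4.6.0".
version_lt() {
    a="$1.0.0"; b="$2.0.0"
    a1=${a%%.*}; a=${a#*.}; a2=${a%%.*}; a=${a#*.}; a3=${a%%.*}
    b1=${b%%.*}; b=${b#*.}; b2=${b%%.*}; b=${b#*.}; b3=${b%%.*}
    [ "$a1" -lt "$b1" ] && return 0
    [ "$a1" -gt "$b1" ] && return 1
    [ "$a2" -lt "$b2" ] && return 0
    [ "$a2" -gt "$b2" ] && return 1
    [ "$a3" -lt "$b3" ]
}

# installed_version BANNER: print the first dotted triple in a version banner
# (constructed sample: "TShark (Wireshark) 4.6.4 (v4.6.4-0-g0000000)" -> 4.6.4),
# or nothing when none is present.
installed_version() {
    printf '%s\n' "$1" | grep -oE '[0-9]+\.[0-9]+\.[0-9]+' | head -n 1
}

# needs_update BANNER: exit 0 when the banner's version is older than the fix,
# 1 when it is already 4.6.5 or newer, 2 when no version could be parsed.
needs_update() {
    v=$(installed_version "$1")
    [ -n "$v" ] || return 2
    version_lt "$v" "$FIXED_VERSION"
}

# check_installed_tshark: apply the check to the tshark found on PATH.
# Returns 1 when an update is needed, 0 when current, 2 when undetermined.
check_installed_tshark() {
    if ! command -v tshark >/dev/null 2>&1; then
        echo "tshark not on PATH; nothing to check"
        return 2
    fi
    banner=$(tshark --version 2>/dev/null | head -n 1)
    needs_update "$banner" && status=0 || status=$?
    case $status in
        0) echo "UPDATE NEEDED: '$banner' predates Wireshark $FIXED_VERSION"; return 1 ;;
        1) echo "OK: '$banner' is Wireshark $FIXED_VERSION or newer"; return 0 ;;
        *) echo "Could not parse a version from: '$banner'"; return 2 ;;
    esac
}

# run_tshark_bounded SECONDS [tshark args...]: run tshark under a wall-clock
# limit. If a malformed packet sends a dissector into an infinite loop, timeout
# kills the process and exits 124, which a pipeline can treat as a failed job
# (and keep the offending capture for investigation) rather than hanging.
run_tshark_bounded() {
    limit="$1"; shift
    timeout "$limit" tshark "$@"
}

# Stand-alone use: report on the local tshark. A bounded unattended run would
# look like:  run_tshark_bounded 300 -r capture.pcapng -q -z conv,ip
check_installed_tshark && rc=0 || rc=$?
```

The version comparison is done numerically per component rather than as a string so that, for instance, a future 4.6.10 is correctly treated as newer than 4.6.5. Exit status 124 from `timeout` is the signal to alert on in a capture pipeline: a job that hits the limit on a single capture file is the symptom the article describes for the infinite-loop class.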