Over 40 vulnerabilities patched in Wireshark 4.6.5 include RCE-capable flaws in TLS, RDP, and SBC dissectors that can be triggered by malformed network packets.
Wireshark, the world’s most widely used open-source network protocol analyzer, has released a major security update addressing over 40 vulnerabilities, several of which enable arbitrary code execution through malformed packet injection or malicious capture files. Organizations relying on Wireshark for network monitoring, forensics, and traffic analysis should update immediately to version 4.6.5.
The most severe vulnerabilities carry potential for remote code execution. Critical flaws include CVE-2026-5402 (TLS dissector crash with possible code execution), CVE-2026-5403 (SBC audio codec processor), CVE-2026-5405 (RDP dissector), and CVE-2026-5656 (profile import). These are particularly dangerous because Wireshark is routinely run with elevated privileges in enterprise and SOC environments, meaning successful exploitation could grant attackers significant system access.
A large portion of the patched flaws cause application crashes when specific protocol dissectors process malformed packets, spanning protocols including Monero, BT-DHT, ICMPv6, AFP, ZigBee, IEEE 802.11, MySQL, WebSocket, and HTTP. An attacker on the same network segment can trigger these crashes by injecting specially crafted packets, requiring no authentication or prior access. Several vulnerabilities also cause infinite loops, permanently hanging Wireshark in automated capture pipelines.
Two low-level vulnerabilities affect Wireshark’s core dissection engine rather than a single protocol: a zlib decompression crash (CVE-2026-6535) and an LZ77 decompression crash (CVE-2026-6533), reachable from any dissector that handles compressed payloads. The Wireshark team noted that this batch of fixes was partly credited to AI-assisted vulnerability reporting, which accelerated discovery across many protocol modules at once.
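The two operational takeaways above are "confirm you are on 4.6.5 or later" and "do not let a hung or crashed dissector take an unattended capture pipeline down with it". The script below is an added example written for this article, not code from Cyber Security News or the Wireshark project: it parses the banner printed by `tshark --version` / `wireshark --version`, compares it against the fixed release with a dotted-numeric comparison, and shows a bounded, unprivileged capture-then-dissect pattern. The banner strings in the comments are constructed samples; the `hardened_capture` function assumes `dumpcap` has been given raw-socket capabilities via `setcap` so `tshark` itself never runs as root, and the protocols it disables are placeholders for whatever a given pipeline does not need.

```shell
#!/bin/sh
# Added example for the Wireshark 4.6.5 advisory; not part of the original article.
REQUIRED_VERSION="4.6.5"   # fixed release named in the article

# version_lt A B -> exit 0 (true) when dotted version A is older than B.
# Missing components count as 0, so "4.6" < "4.6.5"; trailing text such as
# "5rc1" is coerced to its leading number by awk.
version_lt() {
    awk -v a="$1" -v b="$2" 'BEGIN {
        na = split(a, x, "."); nb = split(b, y, ".")
        n = (na > nb) ? na : nb
        for (i = 1; i <= n; i++) {
            p = (i in x) ? x[i] + 0 : 0
            q = (i in y) ? y[i] + 0 : 0
            if (p < q) exit 0
            if (p > q) exit 1
        }
        exit 1   # equal
    }'
}

# extract_version BANNER -> first "X.Y.Z" in a --version banner line, e.g.
# (constructed samples) "TShark (Wireshark) 4.6.4 (Git v4.6.4 ...)" or "Wireshark 4.6.5 (...)".
extract_version() {
    printf '%s\n' "$1" |
        awk 'match($0, /[0-9]+\.[0-9]+\.[0-9]+/) { print substr($0, RSTART, RLENGTH); exit }'
}

# needs_update BANNER -> exit 0 when the banner's version is older than REQUIRED_VERSION,
# 1 when it is already fixed, 2 when no version could be parsed.
needs_update() {
    v=$(extract_version "$1")
    [ -n "$v" ] || { echo "could not parse a version from: $1" >&2; return 2; }
    version_lt "$v" "$REQUIRED_VERSION"
}

# check_installed -> inspect whichever of tshark / wireshark is on PATH.
check_installed() {
    bin=$(command -v tshark 2>/dev/null || command -v wireshark 2>/dev/null) || {
        echo "no tshark/wireshark binary on PATH" >&2; return 2; }
    banner=$("$bin" --version 2>/dev/null | head -n 1)
    if needs_update "$banner"; then
        echo "UPDATE REQUIRED: $bin reports $(extract_version "$banner"); fixed release is $REQUIRED_VERSION"
        return 1
    fi
    echo "OK: $bin reports $(extract_version "$banner")"
}

# hardened_capture IFACE OUTFILE -> pattern for unattended pipelines.
# Assumptions (not from the article): dumpcap carries cap_net_raw,cap_net_admin via
# setcap and the pipeline user is in its capture group, so nothing here runs as root.
# Capture and dissection are split so a dissector crash or infinite loop cannot
# hang the capture side, and every step has a hard wall-clock limit.
hardened_capture() {
    iface="$1"; out="$2"
    timeout 300 dumpcap -i "$iface" -a duration:240 -w "$out" || return 1
    # Offline dissection with a time limit; disable dissectors this pipeline never
    # needs (placeholder names; pick your own) to shrink the parsing surface.
    timeout 120 tshark -r "$out" \
        --disable-protocol sbc --disable-protocol rdp \
        -T fields -e frame.time -e ip.src -e ip.dst -e _ws.col.Protocol
}

# Run the version check only when invoked directly with --check, so the file can
# also be sourced for its functions.
if [ "${1:-}" = "--check" ]; then
    check_installed
fi
```

Invoke as `sh wireshark_check.sh --check` on each analysis host, or source the file and call `needs_update "$(tshark --version | head -n 1)"` from a fleet inventory job; a non-zero exit from `check_installed` is the signal to act on. The capture pattern is deliberately conservative: `dumpcap` writes bytes without dissecting them, so the malformed-packet crashes and infinite loops described in the article can only affect the time-boxed `tshark` pass, which `timeout` will kill rather than leave wedged.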
Source: Cyber Security News — Critical Wireshark Vulnerabilities Let Attackers Execute Arbitrary Cod