
Multiple Wireshark Flaws Allow Remote Code Execution via Malformed Packets

The Wireshark Foundation has released version 4.6.5 of its widely used network protocol analyzer, patching more than 40 security vulnerabilities, including several critical flaws that could allow arbitrary code execution.

This update comes amid a surge in AI-assisted vulnerability discovery, significantly increasing the volume and complexity of reported issues.

Security experts warn that some of these vulnerabilities go beyond traditional denial-of-service (DoS) risks, potentially enabling attackers to take control of the systems on which Wireshark analyzes malicious traffic.

Critical Code Execution Flaws

Among the patched issues, four vulnerabilities stand out due to their severity and potential exploitation impact:

  • CVE-2026-5402 affects the TLS dissector and involves a heap overflow vulnerability in versions 4.6.0 through 4.6.4.
  • CVE-2026-5403 targets the SBC audio codec dissector, enabling crashes that could lead to the execution of untrusted code.
  • CVE-2026-5405 impacts the RDP dissector, where malformed data can trigger crashes and possible code execution.
  • CVE-2026-5656 resides in the profile import feature, allowing attackers to execute malicious code through crafted configuration files.

These vulnerabilities stem from improper handling of malformed packets and unsafe parsing of protocol data.

When Wireshark processes specially crafted input, it may trigger memory corruption issues such as heap overflows, opening the door for exploitation.

Attackers can exploit these flaws through two primary methods:

  • Sending maliciously crafted packets over a network being actively monitored by Wireshark.
  • Embedding malformed packets within a packet capture (PCAP) file and tricking analysts into opening it.

For example, a threat actor could distribute a seemingly legitimate PCAP file during an incident investigation.

Once opened in a vulnerable Wireshark version, the embedded payload could execute arbitrary code within the analyst’s system context.

This makes the vulnerabilities particularly dangerous for security professionals, threat hunters, and SOC teams who routinely analyze untrusted network data.

In addition to code execution risks, Wireshark 4.6.5 addresses numerous DoS vulnerabilities affecting widely used protocols, including SMB2, HTTP, ICMPv6, and MySQL. These flaws can lead to infinite loops, application hangs, or crashes during packet analysis.

Compression-related components such as zlib and LZ77 decompression were also found vulnerable to crashes when processing malformed data streams.

While DoS vulnerabilities are less severe than remote code execution, they can still disrupt critical monitoring operations in enterprise environments.

The Wireshark team has stated that there is currently no evidence of active exploitation in the wild. However, given the public disclosure and technical details of these vulnerabilities, threat actors may attempt to weaponize them quickly.

Organizations relying on Wireshark for network analysis should treat this update as a high priority.

Security teams are strongly advised to upgrade to Wireshark version 4.6.5 immediately. Additional best practices include:

  • Avoid opening untrusted or externally sourced PCAP files without validation.
  • Use sandboxed environments for analyzing suspicious network captures.
  • Monitor systems for unusual behavior during packet analysis sessions.
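The upgrade advice above can be enforced before a capture is opened. The following is an added example, not code from the article or from the Wireshark project: it classifies a `tshark --version` banner against the 4.6.5 release and the 4.6.0 through 4.6.4 range the article gives for CVE-2026-5402. The function names, status strings and sample banners are constructed for illustration, and it assumes the banner takes the form `TShark (Wireshark) X.Y.Z`.

```shell
#!/bin/sh
# Added example: gate capture analysis on the patched release named in the article.
FIXED="4.6.5"   # patched release per the article

# Extract "X.Y.Z" from the first line of a `tshark --version` banner.
ws_parse_version() {
    printf '%s\n' "$1" | head -n 1 |
        sed -n 's/.*(Wireshark) \([0-9][0-9]*\.[0-9][0-9]*\.[0-9][0-9]*\).*/\1/p'
}

# Return 0 if version $1 is strictly lower than $2 (numeric, field by field).
ws_version_lt() {
    for field in 1 2 3; do
        a=$(printf '%s' "$1" | cut -d. -f"$field")
        b=$(printf '%s' "$2" | cut -d. -f"$field")
        if [ "${a:-0}" -lt "${b:-0}" ]; then return 0; fi
        if [ "${a:-0}" -gt "${b:-0}" ]; then return 1; fi
    done
    return 1   # equal versions are not "lower"
}

# Classify a banner. Status strings are hypothetical labels for this example.
ws_status() {
    ver=$(ws_parse_version "$1")
    if [ -z "$ver" ]; then echo "unknown"; return; fi
    case "$ver" in
        4.6.[0-4]) echo "affected-CVE-2026-5402" ;;  # range stated in the article
        *)  # the article gives no affected range for other branches
            if ws_version_lt "$ver" "$FIXED"; then echo "older-check-advisory"
            else echo "ok"; fi ;;
    esac
}

# Refuse to open a capture unless the local tshark is at or above the fixed release.
open_capture() {
    status=$(ws_status "$(tshark --version 2>/dev/null)")
    if [ "$status" != "ok" ]; then
        echo "refusing to open $1: tshark status is $status" >&2
        return 1
    fi
    tshark -n -r "$1"   # -n: no name resolution, -r: read from file
}

# Constructed sample banners (not real tool output).
for banner in "TShark (Wireshark) 4.6.3." "TShark (Wireshark) 4.6.5."; do
    printf '%s -> %s\n' "$banner" "$(ws_status "$banner")"
done
```

A passing version check only confirms the patched release is installed; the sandboxing and monitoring advice in the list above still applies to untrusted captures.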

The patched version is available for download from the official Wireshark website. Prompt action will help reduce exposure to these critical vulnerabilities and ensure continued safe network analysis operations.


The post Multiple Wireshark Flaws Allow Remote Code Execution via Malformed Packets appeared first on Cyber Security News.
