
Wireshark Hit by 4 Code Execution Flaws: Malformed Packet Could Compromise Analyst Systems

By xploitzone
May 1, 2026 5:46 PM

Wireshark 4.6.5 patches four critical code execution vulnerabilities: CVE-2026-5402 (TLS dissector), CVE-2026-5403 (SBC codec), CVE-2026-5405 (RDP dissector) and CVE-2026-5656 (profile import). A malicious packet or a poisoned packet capture file could compromise a security analyst's system. Update immediately; the patch was released on April 30, 2026.

For security analysts and network engineers, Wireshark is the tool they rely on without a second thought to capture traffic, inspect packets and find threats. But now the very tool used to find threats has become a serious threat itself.

Wireshark released version 4.6.5 on April 30, 2026, patching four vulnerabilities with the potential to lead to arbitrary code execution: CVE-2026-5402 in the TLS dissector, CVE-2026-5403 in the SBC codec, CVE-2026-5405 in the RDP dissector and CVE-2026-5656 in profile import, all reachable through maliciously malformed packets.

This was not just a simple crash: in this scenario a security analyst opens a packet file in the course of their work, and the attacker's code executes on their system without any warning. Note the irony: the person who was supposed to protect others from threats became the target of the attack.

What is truly alarming about this set of vulnerabilities is that Wireshark is often run with elevated privileges in enterprise environments and SOCs. An attacker could trigger the exploit in two ways: first, by injecting specially crafted packets while on the same network segment, without any authentication or prior access; second, by embedding malicious packets in a packet capture file and tricking a security analyst into opening that file.

The second method is more dangerous because packet capture files are often shared within teams, sent over email and uploaded to cloud storage, meaning a single poisoned PCAP file could reach thousands of systems without anyone noticing. Both CVE-2026-5403 and CVE-2026-5405 carry a CVSS score of 7.8 (High), with Attack Complexity: Low and Privileges Required: None, meaning exploitation was not technically difficult.

TLS, RDP & SBC: Trusted Protocols Under the Microscope

These vulnerabilities were not found in some obscure or rarely used protocol; they were found in the protocols that are the backbone of everyday enterprise networks. CVE-2026-5402 is a heap overflow in the TLS dissector affecting versions 4.6.0 through 4.6.4. TLS carries over 90% of the world's web communications, meaning that even analyzing ordinary HTTPS traffic in Wireshark was theoretically at risk.

CVE-2026-5403 in the SBC codec affected audio communication protocols, and CVE-2026-5405 in the RDP dissector allowed crashes and code execution when processing Remote Desktop Protocol packets, the same RDP that IT administrators use daily for remote server management.

CVE-2026-5656 was in profile import, meaning an attacker could create and share a malicious Wireshark profile file that would execute code when an analyst imported it. This is a particularly sneaky attack vector because experienced analysts routinely use Wireshark profiles to share their configurations.

Version 4.6.5 patched not just the code execution flaws but also dozens of denial-of-service vulnerabilities. CVE-2026-5407 in the SMB2 dissector created an infinite loop on malformed SMB2 traffic, and dissectors for ubiquitous protocols such as HTTP, ICMPv6, MySQL, WebSocket and GSM RP were also vulnerable to DoS.

Compression mechanisms such as zlib and LZ77 decompression were also vulnerable to crashes. These engine-level flaws affect any protocol that uses compressed payloads, substantially broadening the attack surface. Loop-based flaws of this kind are especially problematic in automated traffic capture pipelines where Wireshark runs unattended.

A single malformed packet could permanently halt analysis. An interesting detail: the Wireshark team noted that some of the discoveries in this patch batch came from AI-assisted vulnerability reporting, which accelerated simultaneous discovery across multiple protocol modules, a new shift in vulnerability research methodology.

Reality Check: Not Just a Routine Update

These Wireshark vulnerabilities once again highlight an uncomfortable truth: security tools are themselves attack surfaces. The Wireshark team confirmed that there are no confirmed cases of active exploitation in the wild yet, but public disclosure necessitates immediate action, especially by organizations that run Wireshark in live capture or SIEM-integrated modes.

Think about it: a SOC analyst examines a suspicious PCAP file related to an incident response case, and that file itself is the weapon. This is not a theoretical scenario; it is the exact attack chain that CVE-2026-5656 and the TLS dissector flaws enable.

Users of the Wireshark 4.4.x series are also affected: versions 4.4.0 to 4.4.14 are vulnerable to these flaws and should update to 4.4.15, while users of the 4.6.x series should immediately move to 4.6.5.

Updating immediately should be the number one priority right now. Download the latest version from the official Wireshark Foundation website, verify deployed versions (especially in automated capture environments and SIEM-integrated deployments), and be extra cautious about sharing Wireshark profiles or PCAP files with anyone on your team until everyone is on an updated version.
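The "verify deployed versions" step is easy to get wrong across a fleet, because the fixed release differs per branch (4.6.5 for 4.6.x, 4.4.15 for 4.4.x). The script below is an added example written for this article, not code from the Wireshark project or the original post. It parses the banner printed by `tshark --version` or `wireshark --version`, classifies the build against the two fixed versions stated above, and refuses to guess about branches the article does not cover. The sample banners are constructed, not real captured output; the `check_installed` helper assumes a `tshark` binary on `PATH`.

```python
"""Fleet check for the Wireshark 4.6.5 / 4.4.15 fixes described in the article.

Branches covered by the article: 4.6.0-4.6.4 (fixed in 4.6.5) and
4.4.0-4.4.14 (fixed in 4.4.15). Any other branch is reported as
'unknown-branch' rather than guessed at.
"""
import re
import shutil
import subprocess
from typing import Dict, Optional, Tuple

Version = Tuple[int, int, int]

# Fixed releases per (major, minor) branch, exactly as stated in the article.
FIXED_VERSIONS: Dict[Tuple[int, int], Version] = {
    (4, 6): (4, 6, 5),
    (4, 4): (4, 4, 15),
}

# Banners look like "TShark (Wireshark) 4.6.5 (...)"; the first X.Y.Z triple wins.
VERSION_RE = re.compile(r"\b(\d+)\.(\d+)\.(\d+)\b")


def parse_version(banner: str) -> Optional[Version]:
    """Return the first X.Y.Z triple found in a version banner, or None."""
    match = VERSION_RE.search(banner)
    if not match:
        return None
    major, minor, patch = (int(g) for g in match.groups())
    return (major, minor, patch)


def assess(version: Version) -> str:
    """Classify a version as 'patched', 'vulnerable' or 'unknown-branch'."""
    fixed = FIXED_VERSIONS.get(version[:2])
    if fixed is None:
        # The article only covers 4.4.x and 4.6.x; do not extrapolate.
        return "unknown-branch"
    return "patched" if version >= fixed else "vulnerable"


def check_banner(banner: str) -> str:
    """Parse and classify a banner; unparsable output is surfaced, not ignored."""
    version = parse_version(banner)
    if version is None:
        return "unparsable"
    return assess(version)


def check_installed(binary: str = "tshark") -> str:
    """Run `<binary> --version` on this host and classify the result."""
    path = shutil.which(binary)
    if path is None:
        return "not-installed"
    proc = subprocess.run([path, "--version"], capture_output=True, text=True, check=False)
    return check_banner(proc.stdout or proc.stderr)


# Constructed sample banners (not real captured output), one per outcome.
SAMPLE_BANNERS: Dict[str, str] = {
    "TShark (Wireshark) 4.6.4.": "vulnerable",
    "TShark (Wireshark) 4.6.5.": "patched",
    "Wireshark 4.4.14.": "vulnerable",
    "Wireshark 4.4.15.": "patched",
    "TShark (Wireshark) 4.2.0.": "unknown-branch",
    "tshark: output with no version string": "unparsable",
}

if __name__ == "__main__":
    for banner, expected in SAMPLE_BANNERS.items():
        print(f"{check_banner(banner):15} {banner}  (expected {expected})")
    print("this host:", check_installed())
```

Run it from a configuration-management job or an SSH loop over capture hosts and alert on anything other than `patched`; `unknown-branch` and `unparsable` deserve a manual look rather than a green tick.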

This vulnerability is an important reminder that blindly trusting security tools, no matter how reputable, is never a safe practice. The tools you use to find threats should themselves be regularly audited. Wireshark released a quick patch and the team handled it responsibly. Now the ball is in your court.

xploitzone

Exploring the world of cybersecurity through in-depth analysis of vulnerabilities, data breaches and emerging threats. Delivering real insights, technical breakdowns and bug bounty discoveries for security enthusiasts and researchers.
