The latest Wireshark 4.6.7 maintenance release addresses twelve security vulnerabilities that could affect users analyzing network traffic. Since packet captures processed in Wireshark pass through numerous protocol dissectors, malformed packets or capture files can trigger unexpected software behavior. The update strengthens security by fixing issues across several protocol parsers, including Catapult DCT2000, SSH, IEEE 802.11, and other components involved in packet analysis.Â
Wireshark Security Fixes Cover Multiple Protocol DissectorsÂ
Most of the twelve patched vulnerabilities involve software crashes caused by crafted packets or capture files. These flaws could force protocol dissectors to read beyond allocated memory or access invalid memory locations, causing Wireshark to terminate unexpectedly.Â
The affected components include dissectors for Catapult DCT2000, SSH, IEEE 802.11, Z39.50, and UMTS FP. Security updates also cover the pcapng capture file reader and the DBS Etherwatch file parser, reducing risks when opening specially crafted capture files.Â
Some vulnerabilities functioned differently from memory-related crashes. The FMP/NOTIFY dissector could enter a lengthy processing loop when handling specific inputs, while another advisory grouped several dissectors capable of becoming stuck in infinite loops. Additionally, the BLF file parser contained an information disclosure issue that could expose data beyond the intended memory boundaries in decoded output. Separate crash vulnerabilities were also resolved in the TLS ECH decryption path and the CiscoDump extcap helper.Â
Additional Bug Fixes Improve Wireshark StabilityÂ
Alongside the security updates, Wireshark 4.6.7 resolves sixteen non-security bugs affecting stability and usability.Â
One significant fix addresses a use-after-free issue in the Ethernet POWERLINK dissector that occurred during a profile-loading error. Another eliminates a heap-buffer-overflow in the Android Logcat parser.Â
The release also resolves several user-facing issues. Systems configured for Dutch were incorrectly displaying the Wireshark interface in German. An IPv6 ping generated by Debian and some other operating systems was mistakenly identified as HiPerConTracer traffic.Â
Developers also corrected a problem in the HEVC video dissector, where certain packets were incorrectly marked as malformed due to an improper bit offset advancement. Another fix prevents heap corruption that could crash the application when loading the most recent saved recent_common file.Â
Updated extcap Binary Location for Plugin DevelopersÂ
The release also documents a packaging change introduced in Wireshark 4.6.0 that was previously left out of the official release notes. On UNIX-like systems, Wireshark now searches for extcap helper binaries in the libexec directory by default, such as /usr/libexec/wireshark/extcap. This location aligns with the standard placement for helper executables that do not require the multiarch handling used for shared libraries.Â
The bundled extcap utilities already use the updated directory, although third-party extcap packages may require adjustments to remain compatible. Developers can override the default search path by setting the WIRESHARK_EXTCAP_DIR environment variable. The documentation also notes that distributions without a libexec directory, including Alpine Linux, will continue using the previous binary location.Â
