The well-known open-source network protocol analyzer Wireshark has released version 4.6.4, which fixes important security flaws and improves stability. For security analysts, network engineers, and developers working with untrusted capture files or live traffic, this update is crucial because it fixes denial-of-service (DoS) conditions and crashes in important protocol dissectors. The release from the nonprofit Wireshark Foundation, which maintains the project, addresses three recently discovered CVEs that could cause the program to crash or run out of resources while analyzing malformed packets.
These defects mainly impact the USB HID, RF4CE Profile, and NTS-KE protocol dissectors, and could interrupt analysis work in telecom, enterprise, or forensic settings. Beyond security, the release fixes operational bugs such as crashes in TShark/editcap with BLF files and Npcap startup problems on hardened Windows systems.
Important CVE Information

| CVE ID | Affected Component | Description | Impact | Severity (CVSS) | Fixed in Version |
|---|---|---|---|---|---|
| CVE-2026-3201 | USB HID dissector | Improperly managed sequential memory allocation during crafted USB HID traffic parsing | Memory exhaustion and DoS | High (7.5) | 4.6.4 |
| CVE-2026-3202 | NTS-KE dissector | NULL pointer dereference when processing malformed Network Time Security key establishment traffic | Application crash, DoS | High (7.5) | 4.6.4 |
| CVE-2026-3203 | RF4CE Profile dissector | Dissector crash when malformed RF4CE traffic is dissected | Application crash and loss of analysis session | Medium (6.5) | 4.6.4 |

CVE-2026-3201 in the USB HID dissector involves unbounded memory allocations while processing specially crafted packets, which results in DoS and memory exhaustion. Malicious PCAP files distributed in phishing campaigns or compromised devices, which are frequently used in incident response or red-team exercises, could be used by attackers to take advantage of this.
A NULL pointer dereference in the NTS-KE dissector causes Wireshark to crash when key exchange payloads are malformed (CVE-2026-3202). This affects time-sensitive network monitoring, such as secure NTP deployments or the Internet of Things. The third vulnerability, CVE-2026-3203, affects the RF4CE Profile dissector used for Zigbee-like wireless protocols and causes segmentation faults during dissection. It halts sessions and risks data loss in live captures, but it does not amount to remote code execution.
Operational improvements include a fix for Wireshark's inability to start in Npcap's admin-only mode, which is essential for locked-down Windows endpoints. TShark and editcap now handle Binary Logging Format (BLF) files without segfaults, which stabilizes automated pipelines in SIEM or CI/CD integrations. Performance adjustments fix TDS dissector desyncs, Expert Info quadratic slowdowns, and IKEv2 decoding failures for EMERGENCY_CALL_NUMBERS.
Fuzzing resistance is strengthened by improved capture support for BLF, pcapng, and TTL formats. In order to ensure compatibility with contemporary traces, updated protocols include Art-Net, BGP, IEEE 802.11, IPv6, ISAKMP, MySQL, NAS-5GS, Socks, USB HID, and Zigbee clusters. Security teams should update right away to version 4.6.4, which can be downloaded from the official website.
Updates can be pulled by Linux users using distribution packages (e.g., apt update && apt upgrade wireshark). Use the provided checksums to confirm integrity. Enable ASLR/DEP, limit Wireshark to sandboxed environments for untrusted files, and keep an eye out for unusual memory usage in high-risk configurations. The Wireshark Foundation recommends using their bug tracker to report problems.
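One way to apply the sandboxing and memory-monitoring advice above when triaging untrusted captures, shown as an added example that is not Wireshark project code: refuse to dissect with a TShark older than 4.6.4 (the only fixed version this article names), then run it in a child process with hard memory and CPU caps so a dissector crash or allocation blow-up ends only that child. It assumes a Unix host with `tshark` on the PATH; the function names, the constructed sample banner and the default limits are illustrative.

```python
import re
import resource
import subprocess

FIXED = (4, 6, 4)  # fixed release named in the article
# Constructed sample of a `tshark --version` first line (not captured output).
SAMPLE_BANNER = "TShark (Wireshark) 4.6.3 (constructed-sample)."

def parse_version(banner):
    """Pull (major, minor, patch) out of the version banner."""
    m = re.search(r"\(Wireshark\)\s+(\d+)\.(\d+)\.(\d+)", banner)
    if not m:
        raise ValueError("unrecognised tshark version banner")
    return tuple(int(part) for part in m.groups())

def is_patched(banner):
    """True when the banner reports 4.6.4 or later."""
    return parse_version(banner) >= FIXED

def classify(returncode):
    """Turn the child's exit status into a triage label."""
    if returncode == 0:
        return "ok"
    if returncode < 0:  # negative means killed by that signal number
        return f"killed-by-signal-{-returncode}"
    return f"error-{returncode}"

def _limits(mem_bytes, cpu_seconds):
    def apply():  # runs in the child just before exec
        resource.setrlimit(resource.RLIMIT_AS, (mem_bytes, mem_bytes))
        resource.setrlimit(resource.RLIMIT_CPU, (cpu_seconds, cpu_seconds))
        resource.setrlimit(resource.RLIMIT_CORE, (0, 0))  # no core dumps
    return apply

def dissect_untrusted(path, mem_bytes=2 << 30, cpu_seconds=60, tshark="tshark"):
    """Dissect one capture in a capped child; return (label, stderr tail)."""
    banner = subprocess.run([tshark, "--version"], capture_output=True,
                            text=True, check=True).stdout
    if not is_patched(banner):
        raise RuntimeError(f"tshark {parse_version(banner)} predates 4.6.4")
    proc = subprocess.run([tshark, "-n", "-r", path],
                          stdout=subprocess.DEVNULL, stderr=subprocess.PIPE,
                          errors="replace", timeout=cpu_seconds * 2,
                          preexec_fn=_limits(mem_bytes, cpu_seconds))
    return classify(proc.returncode), proc.stderr[-500:]
```

A `killed-by-signal-11` or `killed-by-signal-6` label on a capture from an untrusted source is worth recording alongside the file hash before anyone opens it in the GUI.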
Given that dissectors continue to be popular targets for fuzz-derived exploits, this release emphasizes the necessity of promptly patching protocol analysis tools.










