Key Takeaways
- Wireshark 4.6.7 is a maintenance update for the stable 4.6 branch, delivering security patches, protocol enhancements, parser improvements, and bug fixes.
- The release resolves multiple vulnerabilities that could cause crashes, excessive CPU usage, memory corruption, or information disclosure when processing malformed packet captures.
- Expanded support for dozens of networking protocols (e.g., SSH, IEEE 802.11 Wi‑Fi, H.265, DCERPC variants) and capture formats (pcapng, Android Logcat, BLF, etc.) improves reliability in enterprise, telecom, media, and industrial environments.
- Memory‑safety fixes address heap buffer overflows, use‑after‑free conditions, and memory leaks discovered through fuzz testing and community reports.
- Although no active exploitation is known, upgrading is strongly recommended for anyone analyzing untrusted or external captures to mitigate denial‑of‑service risks and ensure accurate protocol decoding.
What is Wireshark?
Wireshark is the world’s most widely used network protocol analyzer, employed for troubleshooting, development, education, and security investigations. It captures live traffic, applies filters to isolate relevant packets, and visualizes packet contents and conversation streams. Administrators, developers, malware analysts, penetration testers, and forensic teams rely on Wireshark to monitor network behavior, diagnose issues, and uncover malicious activity across a broad range of industries.
Focus on Stability and Security
While work on the next‑generation 4.8 branch continues, version 4.6.7 serves as an important maintenance release for production environments that depend on the stable series. The update refines protocol dissectors—components that interpret thousands of networking protocols and file formats—addressing defects uncovered by fuzz testing, bug reports, and security research. Although none of the patched flaws are currently known to be exploited in the wild, the nature of packet‑analysis software means that specially crafted capture files could still be weaponized to crash the application or consume excessive resources, making timely updates a prudent defensive measure.
Expanded Protocol Support
A major portion of 4.6.7 refreshes protocol decoding capabilities. Support has been improved for a wide array of protocols, including ALC, BACapp, C2P, Catapult DCT2000, COTP, CSN.1, DCERPC (and its MAPI/NSPI variants), DNS, DVB‑S2‑TABLE, eDonkey, Ethernet POWERLINK (EPL), Fibre Channel ELS, FMP/NOTIFY, H.265 (HEVC), HiPerConTracer, IEEE 802.11 Wi‑Fi, LLS, MEGACO, MIH, MPEG DSM‑CC, MS‑WSP, RELOAD, SGP.32, SSH, STANAG 4607, UMTS FP, WOWW, and Z39.50. These updates enhance decoding accuracy, eliminate parsing inconsistencies, and ensure compatibility with newer implementations found in telecom, media‑streaming, industrial control, and enterprise networks.
Capture File Support Receives Improvements
Beyond protocol dissectors, the release updates handling of several capture and logging formats. Enhanced compatibility now exists for Android Logcat, BLF (Binary Logging Format), DBS Etherwatch, Netlog, and the pcapng format. The continued refinement of pcapng support is especially significant, as pcapng has become the preferred successor to the legacy PCAP format due to its ability to store interface information, comments, timestamps, metadata, and multiple capture streams within a single file. These changes help ensure that traces collected from modern operating systems, automotive systems, embedded devices, industrial equipment, and network appliances can be opened and analyzed more reliably.
Multiple Security Vulnerabilities Patched
Perhaps the most critical aspect of 4.6.7 is the resolution of numerous security issues throughout the codebase. Patched vulnerabilities include infinite‑loop conditions in several protocol dissectors, information disclosure in the BLF parser, a large‑loop flaw in the FMP/NOTIFY dissector, use‑after‑free memory corruption in the Ethernet POWERLINK (EPL) dissector, multiple parser crashes, heap corruption scenarios, buffer overflows, and heap buffer‑over‑read conditions. For example, CVE‑2026‑15163 fixes infinite‑loop bugs affecting MIH, MPEG DSM‑CC, eDonkey, and MEGACO dissectors, which could force Wireshark into endless parsing loops and cause denial‑of‑service via excessive CPU consumption. CVE‑2026‑15171 addresses a crash in the SSH dissector triggered by malformed captures, while CVE‑2026‑15166 resolves an IEEE 802.11 Wi‑Fi dissector vulnerability that could crash the application when processing malicious packets.
Crash Fixes Across Multiple Components
In addition to security patches, 4.6.7 eliminates numerous stability problems reported by users and identified through automated testing. Resolved crashes involve the Catapult DCT2000 protocol dissector, SSH dissector, TLS Encrypted Client Hello (ECH) decryption, pcapng parser, DBS Etherwatch parser, CiscoDump extcap interface, UMTS FP dissector, IEEE 802.11 dissector, and Z39.50 dissector. The release also corrects parsing failures affecting BACapp traffic and addresses several issues uncovered by continuous fuzz testing aimed at finding malformed input capable of destabilizing the application.
Memory Corruption and Parser Improvements
Memory safety remains a focal point for the Wireshark project. Version 4.6.7 removes multiple memory‑related defects, including a heap buffer overflow in the Android Logcat parser, a heap‑buffer‑overflow read in the ws_strptime() function, buffer overflows and segmentation faults within the Catapult DCT2000 dissector, a use‑after‑free condition in the Ethernet POWERLINK dissector, memory leaks discovered during sample‑capture processing, and a HEAP_CORRUPTION crash linked to the recent_common configuration file. Developers also corrected an unusual protocol identification issue where IPv6 ping traffic from Debian systems was mistakenly labeled as HiPerConTracer traffic. While many of these issues may not affect typical users, they substantially improve robustness when processing malformed, corrupted, or intentionally malicious captures common during malware investigations and vulnerability research.
Continued Hardening Through Fuzz Testing
Like many mature open‑source security tools, Wireshark increasingly relies on continuous fuzz testing and coordinated vulnerability disclosure to discover defects before attackers can exploit them. Throughout the 4.6 release cycle, the project has expanded its vulnerability‑remediation efforts, with each maintenance update addressing parser crashes, infinite loops, memory‑safety bugs, and protocol‑specific weaknesses uncovered via automated testing and independent security research. Given Wireshark’s extensive protocol coverage and its routine processing of untrusted network captures, ongoing hardening is essential to preserving its reputation as the industry’s leading packet‑analysis platform.
Complete List of Fixes
The release notes enumerate a large number of resolved issues, ranging from functional bugs to security‑related flaws. Examples include: incorrect language display (German UI when system language is Dutch), Qt capture filter combo‑box sizing problems, BACapp parsing errors, use‑after‑free in the EPL dissector during profile loading, sponsor‑slide display issues, buffer over‑low/segfault in the Catapult DCT2000 dissector, various fuzz‑job‑induced crashes, memory leaks in specific sample files, heap‑buffer‑overflow in the Logcat parser, misidentification of Debian IPv6 pings as HiPerConTracer, H.265 dissector bit‑offset errors, heap‑buffer‑overflow in ws_strptime when processing time literals, HEAP_CORRUPTION errors when using the last saved recent_common file, and additional fuzz‑job‑related crashes. While the full list is extensive, the overarching theme is improved reliability and security across the codebase.
Plugin Development Changes
On UNIX‑like systems (excluding macOS when running from an app bundle), the default search path for extcap binaries has shifted to the libexec directory (e.g., /usr/libexec/wireshark/extcap) rather than lib64 or similar locations. This aligns with the customary placement for helper binaries that do not require multiarch support. The location can be overridden via the WIRESHARK_EXTCAP_DIR environment variable. The official Wireshark extcap binaries are installed in the new location, but third‑party extcaps may need adjustments to their packaging. Note that distributions lacking a libexec directory (such as Alpine Linux) should retain the previous placement.
Upgrade Recommended
Wireshark 4.6.7 is immediately available for Windows, Linux, and macOS via the project’s standard distribution channels. Organizations running any version from 4.6.0 through 4.6.6 are advised to upgrade as soon as practical to obtain the latest protocol improvements, parser reliability enhancements, and security fixes. Although no active exploitation has been reported for the addressed vulnerabilities, updating reduces the risk of crashes or denial‑of‑service conditions caused by maliciously crafted packet captures and ensures analysts have the most accurate protocol decoding available.
Getting Help
Users can consult the User’s Guide, manual pages, and other documentation at https://www.wireshark.org/docs/. Community support is offered through Wireshark’s Q&A site and the wireshark‑users mailing list. Bugs and feature requests should be submitted via the issue tracker, and those interested in deeper protocol analysis can attend SharkFest events to meet developers and learn from peers. Regularly checking the release notes and staying current with updates remains the best practice for maintaining a secure and reliable network‑analysis environment.

