The Wireshark Foundation released Wireshark 4.6.6 on May 25, 2026, patching two security vulnerabilities in protocol dissectors that could allow an attacker to crash a security analyst’s active network monitoring session — or potentially trigger memory corruption — by placing crafted packets on a network segment the analyst is capturing.
wnpa-sec-2026-51: ROHC Dissector Crash Triggered via Malformed Packet Injection
The first vulnerability, assigned wnpa-sec-2026-51, resides in Wireshark's dissector for the Robust Header Compression (ROHC) protocol. ROHC is used in telecommunications and enterprise networks to reduce the overhead of IP, UDP, and TCP headers on bandwidth-constrained links. A threat actor who can introduce specially malformed ROHC-compressed packets onto a network segment under active Wireshark capture can trigger an unhandled crash in the dissector, terminating the analyst's monitoring session. The impact is classified as a denial of service against the monitoring environment itself. Because the flaw sits in the dissection path, it affects whatever runs the dissector on those frames: the Wireshark GUI and tshark, whether capturing live or reading a saved file. The same malformed packets in a capture file crash an unpatched build when the file is opened, so a pcap shared from a hostile segment carries the same risk. dumpcap, which only captures and never dissects, is unaffected.
How the ROHC Crash Disrupts Wireshark Incident Response Captures
The threat model for a dissector crash is most acute during live incident response. When an analyst runs Wireshark to investigate an active intrusion, the attacker whose activity is being observed is present on the same network segment at the same time. An actor aware that packet capture is underway could craft and inject malformed ROHC packets specifically to terminate the analyst's Wireshark session, disrupting the investigation at the moment the monitoring tool matters most. The crash also costs capture continuity. Wireshark delegates the actual capture to a separate dumpcap process that writes to a temporary file, so frames captured before the crash are usually still recoverable from that file, but the live view and any unsaved analysis state are lost, and the analyst must restart capture with a gap in the packet log that may cover further attacker activity. Separating capture from dissection, by running dumpcap to a ring buffer on the capture host and dissecting the resulting files afterwards with the affected dissectors disabled until the build is at 4.6.6, keeps the vulnerable code out of the live path entirely.
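The checks a responder would want before relying on a capture host, as an added example (not code from the article or from the Wireshark project): it reads the installed version from the `tshark -v` banner, compares it numerically against 4.6.6 (the release the article names as the fix), and builds a dumpcap ring-buffer capture command plus a tshark analysis command that disables the two affected dissectors on an unpatched build. The protocol filter names `rohc` and `macsec` and the banner layout are assumptions, not stated in the article; confirm the names with `tshark -G protocols`. The sample banners in the test are constructed.

```python
"""Pre-flight check for the Wireshark 4.6.6 dissector fixes.

Added example; not part of the article or of the Wireshark project.
Assumptions not stated in the article: the affected dissectors are registered
under the protocol filter names "rohc" and "macsec" (confirm with
`tshark -G protocols`), and `tshark -v` / `wireshark -v` open with a line of
the form "TShark (Wireshark) X.Y.Z (...)" or "Wireshark X.Y.Z (...)".
"""
import re
import shutil
import subprocess
from typing import List, Optional, Sequence, Tuple

Version = Tuple[int, int, int]

FIXED_VERSION: Version = (4, 6, 6)        # first release carrying both fixes
AFFECTED_DISSECTORS = ("rohc", "macsec")  # assumed filter names, see docstring

# Matches "Wireshark 4.6.6", "(Wireshark) 4.6.6" and pre-releases such as "4.6.6rc0".
_BANNER_RE = re.compile(r"Wireshark\)?\s+(\d+)\.(\d+)\.(\d+)(rc\d+)?")


def parse_version(banner: str) -> Optional[Version]:
    """Return (major, minor, patch) from the first non-empty line of a -v banner.

    Release-candidate builds and unrecognised banners yield None so that callers
    fall back to the conservative (treat as unpatched) path.
    """
    first = next((ln for ln in banner.splitlines() if ln.strip()), "")
    m = _BANNER_RE.search(first)
    if not m or m.group(4):
        return None
    return int(m.group(1)), int(m.group(2)), int(m.group(3))


def is_patched(version: Optional[Version]) -> bool:
    """Numeric tuple comparison: 4.10.0 must sort above 4.6.6, which a plain
    string comparison gets wrong ("4.10.0" < "4.6.6" as strings)."""
    return version is not None and version >= FIXED_VERSION


def capture_command(iface: str, outfile: str, file_kb: int = 102400, files: int = 20) -> List[str]:
    """Capture with dumpcap into a ring buffer. dumpcap writes raw frames without
    running any dissector, so a crafted ROHC or MACsec frame cannot crash it;
    the ring buffer bounds disk use during a long incident."""
    return ["dumpcap", "-i", iface, "-b", f"filesize:{file_kb}", "-b", f"files:{files}", "-w", outfile]


def analysis_command(pcap: str, version: Optional[Version], extra_args: Sequence[str] = ()) -> List[str]:
    """Build the tshark invocation for offline analysis. On a build older than
    4.6.6 (or of unknown version) the two affected dissectors are disabled with
    --disable-protocol, so crafted frames are left undissected instead of being
    fed to the vulnerable code."""
    cmd = ["tshark", "-r", pcap]
    if not is_patched(version):
        for proto in AFFECTED_DISSECTORS:
            cmd += ["--disable-protocol", proto]
    cmd.extend(extra_args)
    return cmd


def installed_version() -> Optional[Version]:
    """Query the local tshark; None if it is absent or its banner is unparsable."""
    exe = shutil.which("tshark")
    if exe is None:
        return None
    proc = subprocess.run([exe, "-v"], capture_output=True, text=True, check=False)
    return parse_version(proc.stdout)


if __name__ == "__main__":
    version = installed_version()
    state = "patched" if is_patched(version) else "NOT patched or unknown"
    fixed = ".".join(map(str, FIXED_VERSION))
    print(f"installed tshark: {version} ({state}; fix shipped in {fixed})")
    print("capture :", " ".join(capture_command("eth0", "/var/tmp/ir.pcapng")))
    print("analyse :", " ".join(analysis_command("/var/tmp/ir.pcapng", version, ["-Y", "rohc || macsec"])))
```

Run it on the capture host before an engagement; the numeric comparison matters because a shell test such as `[ "$ver" \> "4.6.6" ]` would wrongly report a future 4.10.x build as unpatched, and the `--disable-protocol` arguments are only emitted when the build is older than the fix or its version cannot be read.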
Issue 21235: MACsec Dissector Buffer Overflow During IEEE 802.1AE Frame Parsing
The second vulnerability, reported as Issue 21235, affects Wireshark's dissector for MACsec (IEEE 802.1AE), the standard for encrypting Ethernet traffic at the MAC layer. During parsing of MACsec-secured frames the dissector can perform an out-of-bounds access on a statically allocated (global) buffer, the fault class that AddressSanitizer reports as a global-buffer-overflow: a read or write that reaches past the end of a fixed-size array in the program's data segment rather than a heap or stack object. MACsec is deployed in enterprise switching environments and telecommunications infrastructure to provide link-layer confidentiality between network devices, so it is a common protocol in the environments where Wireshark is used most extensively.
Why a Global Buffer Overflow in the MACsec Dissector Carries Code Execution Risk
Global buffer overflows in widely deployed software have a documented history of escalating from crash-level denial of service to arbitrary code execution, depending on memory layout and the degree to which an attacker controls the out-of-bounds content. The deciding factors are whether the overflow is a write and what sits next to the buffer: an out-of-bounds read typically yields a crash or an information leak, whereas a controlled write into neighbouring globals such as state tables or function pointers can redirect control flow, and global objects carry neither stack canaries nor heap metadata checks that would catch the corruption. The Wireshark Foundation characterized Issue 21235 as a memory safety risk that could theoretically be exploited for code execution in addition to crash-level impact. No proof-of-concept exploit or active exploitation chain has been confirmed. Organizations running Wireshark on segments that carry MACsec-secured traffic, particularly live enterprise switching infrastructure or telecommunications backhaul, are the highest-priority environments for this update, since the vulnerable code path is exercised by every MACsec frame the dissector sees on such links.
Fuzz Testing Surfaced Both Flaws Before External Exploitation
Both vulnerabilities were identified through fuzz testing campaigns conducted in May 2026. Fuzzing feeds mutated or randomly generated inputs to an application to surface crashes and memory errors before external actors find and weaponize the same code paths; for a protocol analyzer that means mutated capture files and frames exercising every dissector. At the time of the 4.6.6 release neither flaw had been observed in active exploitation, and no exploitation-in-the-wild reports had been filed.
Wireshark 4.6.6 also bundles Npcap 1.88 and resolves more than a dozen stability issues affecting Windows installations. Wireshark is the most widely deployed network protocol analyzer, appearing in security operations centers, incident response teams, network engineering workflows, and penetration testing environments. The combination of a crash-capable ROHC flaw and a memory-corruption-capable MACsec flaw makes the 4.6.6 update a priority for any team running Wireshark where it captures traffic from hostile, untrusted, or externally reachable network segments, or opens capture files that originate from them.
