What is Wireshark?
Wireshark is the world’s most popular network protocol analyzer. It is used for troubleshooting, analysis, development and education.
Wireshark is hosted by the Wireshark Foundation, a nonprofit which promotes protocol analysis education. Wireshark and the foundation depend on your contributions in order to do their work. If you or your organization would like to contribute or become a sponsor, please visit wiresharkfoundation.org.
If you use Wireshark professionally or you just want to learn more about protocol analysis, you should join us at SharkFest, the Wireshark developer and user conference.
You can also become a Wireshark Certified Analyst! Official Wireshark training and certification are available from the Wireshark Foundation.
What’s New
Bug Fixes
This release fixes quite a few vulnerabilities. This is due to a recent trend in AI-assisted vulnerability reports.
- wnpa-sec-2026-08 Monero dissector crash. Issue 21066. CVE-2026-5409.
- wnpa-sec-2026-09 BT-DHT dissector crash. Issue 21067. CVE-2026-5408.
- wnpa-sec-2026-10 FC-SWILS dissector crash. Issue 21070. CVE-2026-5406.
- wnpa-sec-2026-11 SMB2 dissector infinite loop. Issue 21073. CVE-2026-5407.
- wnpa-sec-2026-12 ICMPv6 dissector crash. Issue 21077. CVE-2026-5299.
- wnpa-sec-2026-13 AFP dissector crash. Issue 21088. CVE-2026-5401.
- wnpa-sec-2026-14 TLS dissector crash and possible code execution. Issue 21090. CVE-2026-5402.
- wnpa-sec-2026-15 K12 RF5 file parser crash. Issue 21094. CVE-2026-5404.
- wnpa-sec-2026-16 SBC codec crash and possible code execution. Issue 21103. CVE-2026-5403.
- wnpa-sec-2026-17 RDP dissector crash and possible code execution. Issue 21105. CVE-2026-5405.
- wnpa-sec-2026-18 AMR-NB codec crash. Issue 21111. CVE-2026-5654.
- wnpa-sec-2026-19 SDP dissector crash. Issue 2111. CVE-2026-5655.
- wnpa-sec-2026-20 iLBC audio codec crash. Issue 21113. CVE-2026-5657.
- wnpa-sec-2026-21 Profile import crash and possible code execution. Issue 21115. CVE-2026-5656.
- wnpa-sec-2026-22 DCP-ETSI protocol dissector crash. Issue 21122. CVE-2026-5653.
- wnpa-sec-2026-23 BEEP protocol dissector crash. Issue 21120. CVE-2026-6538.
- wnpa-sec-2026-24 ZigBee protocol dissector crash. Issue 21125. CVE-2026-6537.
- wnpa-sec-2026-25 DLMS/COSEM protocol dissector infinite loop. Issue 21065. CVE-2026-6536.
- wnpa-sec-2026-26 Dissection engine zlib decompression crash. Issue 21097, Issue 21098. CVE-2026-6535.
- wnpa-sec-2026-27 USB HID protocol dissector infinite loop. Issue 21121. CVE-2026-6534.
- wnpa-sec-2026-28 Dissection engine LZ77 decompression crash. Issue 21127. CVE-2026-6533.
- wnpa-sec-2026-29 Kismet protocol dissector crash. Issue 21129, Issue 21128. CVE-2026-6532.
- wnpa-sec-2026-30 SANE protocol dissector infinite loop. Issue 21139. CVE-2026-6531.
- wnpa-sec-2026-31 DCP-ETSI protocol dissector crash. Issue 21144. CVE-2026-6530.
- wnpa-sec-2026-32 iLBC audio codec crash. Issue 21145. CVE-2026-6529.
- wnpa-sec-2026-33 TLS dissector infinite loop. Issue 21151. CVE-2026-6528.
- wnpa-sec-2026-34 ASN.1 PER protocol dissector crash. Issue 21149. CVE-2026-6527.
- wnpa-sec-2026-35 RTSP protocol dissector crash. Issue 21173. CVE-2026-6526.
- wnpa-sec-2026-36 IEEE 802.11 protocol dissector crash. Issue 21008. CVE-2026-6525.
- wnpa-sec-2026-37 MySQL protocol dissector crash. Issue 21172. CVE-2026-6524.
- wnpa-sec-2026-38 GNW protocol dissector infinite loop. Issue 21177. CVE-2026-6523.
- wnpa-sec-2026-39 OpenFlow v5 protocol dissector infinite loops. Issue 21182, Issue 21188. CVE-2026-6521.
- wnpa-sec-2026-40 OpenFlow v6 protocol dissector infinite loop. Issue 21181. CVE-2026-6520.
- wnpa-sec-2026-41 MBIM dissector infinite loop. Issue 21184. CVE-2026-6519.
- wnpa-sec-2026-42 RPKI-Router protocol dissector infinite loop. Issue 21186. CVE-2026-6522.
- wnpa-sec-2026-43 GSM RP protocol dissector crash. Issue 21189. CVE-2026-6870.
- wnpa-sec-2026-44 WebSocket protocol dissector crash. Issue 21190. CVE-2026-6869.
- wnpa-sec-2026-45 SMB2 protocol dissector crash. Issue 21191.
- wnpa-sec-2026-46 HTTP protocol dissector crash. Issue 21185. CVE-2026-6868.
- wnpa-sec-2026-47 Sharkd utility memory leak. Issue 21214.
- wnpa-sec-2026-48 Sharkd utility crash. Issue 21206.
- wnpa-sec-2026-49 Sharkd utility crash. Issue 21207.
- wnpa-sec-2026-50 UDS protocol dissector infinite loop. Issue 21225.
The following bugs have been fixed:
- WSUG: Enabled Protocols dialog needs an update. Issue 20871.
- Build failure with Qt 6.11 beta. Issue 20965.
- BLF: Missing 4 byte alignment makes BLF files incompatible with Vector’s tools. Issue 21017.
- SMB2 decryption keys in smb2_seskey_list are not loaded on restart. Issue 21036.
- Fuzz job issue: fuzz-2026-03-01-13307044520.pcap. Issue 21049.
- Window with a message for ssh_strict_fopen. Issue 21051.
- IEEE 1722.1 Dissector for Stream Input Counters displays FRAMES_RX as "Stream Packets TX" Issue 21055.
- Wireshark 4.6.4 crashes. Issue 21058.
- Compilation error with Lua-5.5. Issue 21060.
- BSOD issue affecting Npcap 1.86. Issue 21062.
- Adding descriptions to BLF interfaces broke the Capture File Properties view. Issue 21069.
- Assertion Failure in ws_buffer_remove_start via Malformed Packet Manipulation. Issue 21078.
- Modbus/RTU fails to decode broadcast frames. Issue 21091.
- Lua not included unless CMake version >= 3.25. Issue 21093.
- sshdump: Regression in v4.6.4 – Failed to resolve hostname aliases from .ssh/config on Windows. Issue 21114.
- Fuzz job crash: fuzz-2026-03-25-13637733472.pcap. Issue 21117.
- dumpcap TCP@ section-header parsing remote heap corruption. Issue 21132.
- Netflix BBLog EVENT parsing crash. Issue 21133.
- On Windows, the Follow Stream feature output is shown in proportional font after zooming. Issue 21137.
- RTP Streams dialog Time of Day inconsistent behavior. Issue 21138.
- Sysdig Event Block Integer Underflow. Issue 21140.
- RF4CE NWK Dissector Heap Buffer Overflow (crash/OOB) Issue 21150.
- NetXray/Sniffer Padding Integer Underflow. Issue 21152.
- HTTP/2 ALTSVC/PRIORITY_UPDATE Frame Length Truncation (24-bit to 16-bit) Issue 21155.
- Snort config parser 2 buffer overflows. Issue 21165.
- ESP NULL Encryption Integer Underflow triggers Heap Overflow. Issue 21166.
- Heap buffer overflow in ISO 8583 dissector bin2hex() Issue 21171.
- wslua: NULL pointer dereference in get_dissector when passing an invalid GUID string to an FT_GUID table. Issue 21194.
- Fuzz job UTF-8 encoding issue: fuzz-2026-04-16-13947406035.pcap. Issue 21199.
- Qt: Waterfall bars missing in conversation overview when "limit to display filter" is active. Issue 21204.
- text2pcap: heap-buffer-overflow in memmove when -P"dissector" payload exceeds reserved space. Issue 21208.
- text2pcap: Stack overflow via unbounded "g_alloca" in regex "seqno" Issue 21209.
- editcap: --novlan integer underflow in sll_remove_vlan_info causes denial of service on short SLL captures. Issue 21210.
- NAS-5GS - Mapping issue between IEI 0x7B and "S-NSSAI location validity information" IE. Issue 21218.
- RTP-MIDI dissector reports incorrect value for MTC Quarter Frame data. Issue 21231.
New and Updated Features
- The Windows installers now ship with Npcap 1.87. They previously shipped with Npcap 1.86.
- The Windows installers now ship with Qt 6.10.3. They previously shipped with Qt 6.9.3.
New Protocol Support
There are no new protocols in this release.
Updated Protocol Support
AFP, AIN, ANSI_TCAP, ASAM CMP, ATN-ULCS, BEEP, BGP, BT HCI, BT HCI ISO, BT-DHT, CAMEL, ChargingASE, CMIP, COSEM, DAP, Darwin, DCP ETSI, DECT NR+, DISP, DMX, DNS, E1AP, E2AP, F1AP, FC-SWILS, Frame, FTAM, GLOW, GNW, GOOSE, GPRSCDR, GSM MAP, GSM RP, H.225.0, H.245, H.248, H.450, H.450.ROS, HNBAP, HTTP, HTTP2, ICMPv6, IDMP, IEEE 1609.2, IEEE 1722.1, IEEE 802.11, INAP, IPsec, IPv4, IPv6, ISAKMP, ISO 8583, ITS, JSON 3GPP, Kismet, LCSAP, LDAP, LPPa, M2AP, M3AP, MAS-5GS, MBIM, MMS, Modbus, Monero, MySQL, NBAP, NGAP, NRPPa, OpenFlow 1.4, OpenFlow 1.5, OpenVPN, P1, P22, P7, PCAP, Q932.ROS, QSIG, QUIC, RANAP, RCv3, RF4CE, RF4CE Profile, RNSAP, RPKI-Router, RRLP, RTPS, RUA, S1AP, SABP, SANE, SBcAP, SDP, SGP.22, Signal PDU, SMB2, SSH, T.38, TDSUDP, UDS, WebSocket, X2AP, X509CE, X509IF, X509SAT, XnAP, Z39.50, and ZBD
New and Updated Capture File Support
3gpp phone log, Android Logcat Binary, Android Logcat Text, Ascend, BLF, CAM Inspector, Catapult DCT2000, Cinco NetXray/Sniffer, CoSine IPSX L2, DBS Etherwatch, EyeSDN, HP-UX nettl, IBM iSeries, Ixia IxVeriWave, K12, Micropross mplog, MPEG2 transport stream, NetScaler, NetScreen, pcapng, pppd log, Sniffer, Systemd Journal, TCPIPtrace, Toshiba Compact ISDN Router, and Visual Networks
New and Updated File Format Decoding Support
There is no new or updated file format support in this release.
Plugin Development Changes
On UN*X systems (excluding macOS when running from an app bundle, as
with the official installer) extcap binaries are now searched for under
the libexec directory by default, e.g., /usr/libexec/wireshark/extcap
instead of /usr/lib64/wireshark/extcap or similar. This is the customary
place for helper binaries, which as opposed to libraries do not need
multiarch support. The location can be overridden via the environment
variable WIRESHARK_EXTCAP_DIR. The extcap binaries shipped with Wireshark
are installed in the new location, but third party extcaps may need
packaging changes. This change was effective in version 4.6.0, but was not
explicitly noted in the release notes previously. Note that some distributions
do not use a libexec directory, such as Alpine Linux, which does not have
multilib support. On such systems extcap binaries should be in the same
location as before.
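An added example, not part of the Wireshark release notes or project code: a POSIX shell audit for the extcap move described above. It lists executables left in legacy directories that are missing from the directory now searched, and flags a search directory that is writable by group or others. The function names are hypothetical, /usr/lib/wireshark/extcap stands in for the "or similar" legacy path, and treating an empty WIRESHARK_EXTCAP_DIR as unset is an assumption.

```shell
#!/bin/sh
# Added example, not Wireshark project code. Function names are hypothetical.

# Print the directory searched for extcaps: WIRESHARK_EXTCAP_DIR when set,
# otherwise the default passed as $1. Assumption: an empty value counts as unset.
effective_extcap_dir() {
    if [ -n "${WIRESHARK_EXTCAP_DIR:-}" ]; then
        printf '%s\n' "$WIRESHARK_EXTCAP_DIR"
    else
        printf '%s\n' "$1"
    fi
}

# stranded_extcaps SEARCH_DIR LEGACY_DIR...
# Print each executable in a legacy directory that has no executable of the
# same name in SEARCH_DIR, i.e. a helper that will no longer be found.
stranded_extcaps() {
    search_dir=$1
    shift
    for legacy in "$@"; do
        [ -d "$legacy" ] || continue
        for f in "$legacy"/*; do
            # Skip unmatched globs, subdirectories and non-executable files.
            [ -f "$f" ] && [ -x "$f" ] || continue
            name=${f##*/}
            [ -x "$search_dir/$name" ] || printf '%s\n' "$f"
        done
    done
    return 0
}

# True when DIR exists and is writable by group or others. Helpers in such a
# directory can be replaced by accounts other than its owner.
loosely_writable() {
    [ -d "$1" ] || return 1
    [ -n "$(find -H "$1" -prune \( -perm -0020 -o -perm -0002 \) -print 2>/dev/null)" ]
}

# Defaults: the libexec and lib64 paths are the examples from the release note;
# /usr/lib/wireshark/extcap is an assumed "similar" path. Adjust per distribution.
search=$(effective_extcap_dir /usr/libexec/wireshark/extcap)
stranded_extcaps "$search" /usr/lib64/wireshark/extcap /usr/lib/wireshark/extcap
if loosely_writable "$search"; then
    echo "warning: $search is writable by group or others" >&2
fi
```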
Prior Versions
Wireshark 4.6.4 included the following changes. See the release notes for details:
- wnpa-sec-2026-05 USB HID dissector memory exhaustion. Issue 20972. CVE-2026-3201.
- wnpa-sec-2026-06 NTS-KE dissector crash. Issue 21000. CVE-2026-3202.
- wnpa-sec-2026-07 RF4CE Profile dissector crash. Issue 21009. CVE-2026-3203.
- Wireshark doesn’t start if Npcap is configured with "Restrict Npcap driver’s Access to Administrators only" Issue 20828.
- PQC signature algorithm not reported in signature_algorithms. Issue 20953.
- Unexpected JA4 ALPN values when space characters sent. Issue 20966.
- Expert Info seems to have quadratic performance (gets slower and slower) Issue 20970.
- IKEv2 EMERGENCY_CALL_NUMBERS Notify payload cannot be decoded. Issue 20974.
- TShark and editcap fail with segmentation fault when output format (-F) set to blf. Issue 20976.
- Fuzz job crash: fuzz-2026-02-01-12944805400.pcap [Zigbee Direct Tunneling Zigbee NWK PDUs NULL hash table] Issue 20977.
- Wiretap writes pcapng custom options with string values invalidly. Issue 20978.
- RDM status in Output Status (GoodOutputB) field incorrectly decoded in Art-Net PollReply dissector. Issue 20980.
- Wiretap writes invalid pcapng Darwin option blocks. Issue 20991.
- TDS dissector desynchronizes on RPC DATENTYPE (0x28) due to incorrect expectation of TYPE_VARLEN (MaxLen) Issue 21001.
- Only first HTTP POST is parsed inside SOCKS with "Decode As". Issue 21006.
- TShark: Bogus "Dissector bug" messages generated in pipelines where something after tshark exits before reading all its input. Issue 21011.
- New Diameter RAT-Types in TS 29.212 not decoded. Issue 21012.
- Malformed packet error on Trigger HE Basic frames. Issue 21032.
Wireshark 4.6.3 included the following changes. See the release notes for details:
- wnpa-sec-2026-01 BLF file parser crash. Issue 20880.
- wnpa-sec-2026-02 IEEE 802.11 dissector crash. Issue 20939.
- wnpa-sec-2026-03 SOME/IP-SD dissector crash. Issue 20945.
- wnpa-sec-2026-04 HTTP3 dissector infinite loop. Issue 20944.
- Wireshark 4.6.0 build fails on Solaris: pcapio.c:441:21: error: request for member '_flag' in something not a structure or union. Issue 20773.
- RTP Player streams cannot be stopped. Issue 20879.
- Additional ABI/API compatibility fixes. Issue 20881.
- Missing data in pinfo->cinfo in HomePlug message CM_ATTEN_CHAR.IND. Issue 20893.
- maxmind_db: crash when switching from a profile where it’s disabled to one where it’s enabled. Issue 20903.
- Compilation warning or error if CFLAGS defines _FORTIFY_SOURCE to other than 3 without first undefining it. Issue 20904.
- IEEE 802.11: Incorrect parsing of QoS and Mesh Control Field when the frame body contains an A-MSDU. Issue 20905.
- OSS-Fuzz 473164101: Heap-buffer-overflow in dissect_idn_laser_data. Issue 20936.
- Bug in decoding 5G NAS message - Extended CAG information list IE. Issue 20946.
Wireshark 4.6.2 included the following changes. See the release notes for details:
This release fixes an API/ABI change that was introduced in Wireshark 4.6.1, which caused a compatibility issue with plugins built for Wireshark 4.6.0. Issue 20881.
- wnpa-sec-2025-07 HTTP3 dissector crash. Issue 20860.
- wnpa-sec-2025-08 MEGACO dissector infinite loop. Issue 20884.
- ws_base32_decode should be named *_encode ? Issue 20754.
- Omnipeek files not working in 4.6.1. Issue 20876.
- Stack buffer overflow in wiretap/ber.c (ber_open) Issue 20878.
- Plugins incompatibility between 4.6.0 & 4.6.1. Issue 20881.
- Fuzz job crash: fuzz-2025-11-30-12266121180.pcap. Issue 20883.
- The Windows installers now ship with the Visual C++ Redistributable version 14.44.35112. They previously shipped with 14.40.33807.
Wireshark 4.6.1 included the following changes. See the release notes for details:
- wnpa-sec-2025-05 BPv7 dissector crash. Issue 20770.
- wnpa-sec-2025-06 Kafka dissector crash. Issue 20823.
- L2CAP dissector doesn’t understand retransmission mode. Issue 2241.
- DNS HIP dissector labels PK algorithm as HIT length. Issue 20768.
- clang-cl error in "packet-zbee-direct.c" Issue 20776.
- Writing to an LZ4-compressed output file might fail. Issue 20779.
- endian.h conflicts with libc for building plugins. Issue 20786.
- TShark crash caused by Lua plugin. Issue 20794.
- Wireshark stalls for a few seconds when selecting specific messages. Issue 20797.
- TLS Abbreviated Handshake Using New Session Ticket. Issue 20802.
- Custom websocket dissector does not run. Issue 20803.
- WINREG QueryValue triggers dissector bug in packet-dcerpc.c. Issue 20813.
- Lua: FileHandler causing crash when reading packets. Issue 20817.
- Apply As Filter for field with FT_NONE and BASE_NONE for a single byte does not use the hex value. Issue 20818.
- Layout preference Pane 3 problem with selecting Packet Diagram or None. Issue 20819.
- TCP dissector creates invalid packet diagram. Issue 20820.
- Too many nested VLAN tags when opening as File Format. Issue 20831.
- Omnipeek files not working in 4.6.0. Issue 20842.
- Support UTF-16 strings in the IsoBus dissector for the string operations. Issue 20845.
- SNMP getBulkRequest request-id does not get filtered for correctly. Issue 20849.
- Fuzz job issue: fuzz-2025-11-12-12064814316.pcap. Issue 20852.
- UDP Port 853 (DoQ) should be decoded as QUIC. Issue 20856.
Wireshark 4.6.0 included the following changes. See the release notes for details:
Wireshark can dissect process information, packet metadata, flow IDs, drop information, and other information provided by tcpdump on macOS.
We now ship universal macOS installers instead of separate packages for Arm64 and Intel. Issue 17294
WinPcap is no longer supported. On Windows, use Npcap instead, uninstalling WinPcap if necessary. The final release of WinPcap was version 4.1.3 in 2013. It only supports up to Windows 8, which is no longer supported by Microsoft or Wireshark.
A new “Plots” dialog has been added, which provides scatter plots in contrast to the “I/O Graphs” dialog, which provides histograms. The Plots dialog window supports multiple plots, markers, and automatic scrolling.
Live captures can be compressed while writing. (Previously there was
support for compressing when performing multiple file capture, at file
rotation time.) The --compress option in TShark works on live captures
as well. Issue 9311
Wireshark can now decrypt NTP packets using NTS (Network Time Security). To decrypt packets, the NTS-KE (Network Time Security Key Establishment Protocol) packets need to be present, alongside the TLS client and exporter secrets.
Wireshark’s ability to decrypt MACsec packets has been expanded to either use the SAK unwrapped by the MKA dissector, or the PSK configured in the MACsec dissector.
The TCP Stream Graph axes now use units with SI prefixes. Issue 20197
Display filter functions float and double are added to allow explicitly
converting field types like integers and times to single and double precision
floats.
A menu item has been added, along with associated context menu items and a keyboard shortcut.
The Conversations and Endpoints dialogs have an option to display byte counts and bit rates in exact counts instead of human-readable numbers with SI units.
The color scheme can be set to Light or Dark mode independently of the current OS default on Windows and macOS, if Wireshark is built with Qt 6.8 or later as the official installers are. Issue 19328
Getting Wireshark
Wireshark source code and installation packages are available from https://www.wireshark.org/download.html.
Vendor-supplied Packages
Most Linux and Unix vendors supply their own Wireshark packages. You can usually install or upgrade Wireshark using the package management system specific to that platform. A list of third-party packages can be found on the download page on the Wireshark web site.
File Locations
Wireshark and TShark look in several different locations for preference files, plugins, SNMP MIBS, and RADIUS dictionaries.
These locations vary from platform to platform.
You can use tshark -G folders to find the default locations on your system.
Getting Help
The User’s Guide, manual pages and various other documentation can be found at https://www.wireshark.org/docs/
Community support is available on Wireshark’s Q&A site and on the wireshark-users mailing list. Subscription information and archives for all of Wireshark’s mailing lists can be found on the mailing list site.
Bugs and feature requests can be reported on the issue tracker.
You can learn protocol analysis and meet Wireshark’s developers at SharkFest.
How You Can Help
The Wireshark Foundation helps as many people as possible understand their networks as much as possible. You can find out more and donate at wiresharkfoundation.org.
Frequently Asked Questions
A complete FAQ is available on the Wireshark web site.