Wireshark 4.6.1: patch your DFIR workstations—two dissector crash bugs fixed

November 26, 2025 (Last Modified: November 26, 2025)

4n6 Beat

3 min read

On November 19, 2025, Wireshark 4.6.1 and 4.4.11 shipped fixes for BPv7 and Kafka dissector crashes. Here’s the IR-ready rundown, what to...

Wireshark 4.6.1 and 4.4.11 shipped on November 19, 2025 with fixes for two dissector crash issues; installers for Windows and macOS plus source are available now (Wireshark news). The patched issues are BPv7 (Bundle Protocol v7) and Kafka dissectors that could crash when parsing crafted traffic or trace files (wnpa-sec-2025-05, wnpa-sec-2025-06). Wireshark notes discovery during internal testing and no known in-the-wild exploitation, but a crash during triage still means lost analyst time and potentially missed signal (BPv7 advisory, Kafka advisory). The 4.6.1 release is also the first maintenance for the 4.6 branch (4.6.1 release notes).

Intrusion Flow

Delivery path: adversary-controlled traffic is captured live or shared as a PCAP/PCAPNG. When the vulnerable dissector analyzes the bytes, Wireshark (or TShark) can crash, creating a denial-of-service condition for the analyst (BPv7 advisory impact, Kafka advisory impact).
Tool surface: TShark uses the same packet dissection code as Wireshark, so headless workflows are equally exposed until patched (tshark(1) manual).
Versions affected: BPv7 crash affects 4.6.0; Kafka crash affects 4.6.0 and 4.4.0-4.4.10; fixes are in 4.6.1 and 4.4.11 (wnpa-sec-2025-05, wnpa-sec-2025-06). A CVE was issued for the Kafka issue as CVE-2025-13499 (Tenable summary).

Key Artifacts to Pull

The suspect capture(s): preserve the original file that triggered instability. Don’t re-open in a vulnerable build; make a sanitized copy with dissectors disabled or targeted filtering (examples below) (tshark(1)).
Temp capture remnants: Wireshark’s capture helper uses OS temp paths; check the user temp directory (e.g., %LOCALAPPDATA%\Temp on Windows) for partial or ringbuffer files if a crash occurred (User’s Guide: Windows temporary folder).
Profile and folders record: About → Folders lists where preferences, plugins, and temp data live for the current install; screenshot or export for your case record (User’s Guide: File locations via About → Folders).

Detection Notes

Inventory versions quickly:
- GUI: Help → About, or CLI: wireshark -v / tshark -v (wireshark(1), tshark(1)).
Screen inbound PCAPs for impacted protocols before opening in an unpatched environment:
- Count hits: tshark -r sample.pcapng -q -Y "kafka || bpv7" -c 1 (exits non-zero only if no packets match) (tshark display filtering).
Validate protocol names on your build if you plan to disable them: tshark -G protocols | grep -Ei "kafka|bpv7" (tshark(1)).

Response Guidance

Patch priority and branches

Update Wireshark to 4.6.1 (4.6 branch) or 4.4.11 (4.4 branch). Official installers and source are live as of November 19, 2025 (Wireshark news; BPv7 fix; Kafka fix).

Harden PCAP handling until patched

Disable specific dissectors during read to reduce risk exposure:
- Example: tshark --disable-protocol kafka --disable-protocol bpv7 -r incoming.pcapng -w sanitized.pcapng (Command-line protocol control, tshark(1)).
Create filtered copies that exclude the risky protocols, then analyze the copy:
- Example: tshark -r incoming.pcapng -Y "not kafka and not bpv7" -w safe_subset.pcapng (tshark display filter and write).
- Or remove specific packet ranges with editcap if you’ve identified offending frames: editcap -r incoming.pcapng cleaned.pcapng 1000-2000 (editcap(1)).
If you rely on third-party Lua plugins, consider disabling Lua temporarily to reduce crash surface: set enable_lua = false in init.lua (re-enable after patching) (Wireshark Developer’s Guide: Lua control). Release notes also mention a TShark crash scenario involving Lua in this cycle, reinforcing caution (4.6.1 update details).

Windows capture driver note

Wireshark no longer supports WinPcap; use Npcap on Windows, and uninstall WinPcap if present (4.6.x notes).

Takeaways

Upgrade Wireshark now to 4.6.1 (or 4.4.11) to eliminate the BPv7 and Kafka crash vectors (news, BPv7, Kafka).
Treat untrusted PCAPs as hazardous inputs until patched; disable at-risk dissectors or pre-filter captures before deep analysis (tshark(1)).
Confirm your fleet’s versions and sanitize queued captures; then re-enable normal workflows. If you operate on Windows, ensure you’re on Npcap, not WinPcap (4.6.1 notes).

Sources / References

Wireshark News (Nov 19, 2025): Wireshark 4.6.1 and 4.4.11 Released: https://www.wireshark.org/news/20251119.html
Wireshark Security Advisory: wnpa-sec-2025-05 (BPv7 dissector crash): https://www.wireshark.org/security/wnpa-sec-2025-05
Wireshark Security Advisory: wnpa-sec-2025-06 (Kafka dissector crash): https://www.wireshark.org/security/wnpa-sec-2025-06
Wireshark 4.6.1 Release Notes: https://www.wireshark.org/docs/relnotes/wireshark-4.6.1
Wireshark 4.6.1 Update Details (issues list): https://www.wireshark.org/update/relnotes/wireshark-4.6.1.html
tshark(1) manual: https://www.wireshark.org/docs/man-pages/tshark.html
wireshark(1) manual: https://www.wireshark.org/docs/man-pages/wireshark
Wireshark User’s Guide: Start from the command line (protocol enable/disable): https://www.wireshark.org/docs/wsug_html_chunked/ChCustCommandLine.html
Wireshark User’s Guide: Windows temporary folder: https://www.wireshark.org/docs/wsug_html/#ChTmpFolder
Release notes (2.4.1) — About → Folders reference for file locations: https://www.wireshark.org/docs/relnotes/wireshark-2.4.1.html
Wireshark Developer’s Guide: Lua support and enable_lua control: https://www.wireshark.org/docs/wsdg_html_chunked/wsluarm.html
editcap(1) manual: https://www.wireshark.org/docs/man-pages/editcap.html
CVE-2025-13499 (Kafka dissector) summary: https://www.tenable.com/cve/CVE-2025-13499
TShark display filter usage (examples): https://labex.io/tutorials/wireshark-use-display-filters-in-tshark-548939