CVE-2025-13499

7.8 HIGH

📋 TL;DR

A vulnerability in Wireshark's Kafka dissector causes a crash when parsing malicious network packets, leading to denial of service. This affects Wireshark users analyzing Kafka protocol traffic in versions 4.6.0 and 4.4.0 through 4.4.10. The crash occurs during packet dissection and requires no authentication.

💻 Affected Systems

Products:
  • Wireshark
Versions: 4.6.0 and 4.4.0 through 4.4.10
Operating Systems: All platforms running affected Wireshark versions
Default Config Vulnerable: ⚠️ Yes
Notes: Only affects Wireshark when dissecting Kafka protocol traffic; other protocols are unaffected.

⚠️ Risk & Real-World Impact

🔴 Worst Case

Wireshark crashes repeatedly when processing malicious Kafka traffic, preventing network analysis and potentially disrupting monitoring workflows.

🟠 Likely Case

Wireshark crashes when encountering specially crafted Kafka packets, requiring a restart and potentially losing unsaved capture data.

🟢 If Mitigated

With proper network segmentation and limited exposure, impact is minimal, as only Wireshark instances analyzing Kafka traffic are affected.

🌐 Internet-Facing: LOW - Wireshark is typically not internet-facing; it's an analysis tool that processes captured traffic.
🏢 Internal Only: MEDIUM - Internal Wireshark instances analyzing Kafka traffic could be targeted by internal actors or compromised systems.

🎯 Exploit Status

Public PoC: ✅ No
Weaponized: UNKNOWN
Unauthenticated Exploit: ⚠️ Yes
Complexity: LOW

Exploitation requires sending malicious Kafka packets that Wireshark processes; no authentication needed as Wireshark analyzes captured traffic.

🛠️ Fix & Mitigation

✅ Official Fix

Patch Version: 4.4.11 and 4.6.1

Vendor Advisory: https://www.wireshark.org/security/wnpa-sec-2025-06.html

Restart Required: Yes

Instructions:

1. Download the latest Wireshark from wireshark.org.
2. Install over the existing version.
3. Restart Wireshark and any related services.

🔧 Temporary Workarounds

Disable Kafka dissector

  Applies to: all platforms
  Purpose: Prevent Wireshark from parsing Kafka protocol traffic
  Steps: Edit -> Preferences -> Protocols -> Kafka -> Uncheck 'Enable Kafka protocol'

Use capture filters

  Applies to: all platforms
  Purpose: Filter out Kafka traffic from captures
  Steps: Capture -> Options -> Capture Filter: not port 9092

🧯 If You Can't Patch

  • Restrict Wireshark use to trusted networks only
  • Monitor for Wireshark crashes and investigate any Kafka traffic patterns

🔍 How to Verify

Check if Vulnerable:

Check the Wireshark version via Help -> About Wireshark; if the version is 4.6.0, or between 4.4.0 and 4.4.10 inclusive, you are vulnerable.

Check Version:

wireshark --version | grep 'Wireshark'

Verify Fix Applied:

Verify the version is 4.4.11 or later on the 4.4 branch, or 4.6.1 or later on the 4.6 branch; then test with Kafka traffic to confirm there are no crashes.
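The manual version check above can be scripted for fleet-wide verification. The following is an added example (not code from the advisory or from the Wireshark project) that parses the first line of `wireshark --version` or `tshark --version` output and classifies the installed build against the affected ranges stated on this page (4.6.0, and 4.4.0 through 4.4.10) and the fixed releases (4.4.11, 4.6.1). Versions outside those branches are reported as "not-listed" rather than "fixed", since the advisory makes no statement about them. The executable names and the output format assumed by the regex are assumptions, not taken from the page.

```python
"""Classify an installed Wireshark/TShark version against CVE-2025-13499.

Added example; the affected and fixed version numbers come from the advisory,
the executable lookup and output parsing are assumptions.
"""
import re
import shutil
import subprocess
from typing import Dict, Optional, Tuple

Version = Tuple[int, int, int]

# Inclusive affected ranges per the advisory: 4.4.0..4.4.10 and 4.6.0.
AFFECTED_RANGES = [((4, 4, 0), (4, 4, 10)), ((4, 6, 0), (4, 6, 0))]

# First fixed release on each affected branch, keyed by (major, minor).
FIXED = {(4, 4): (4, 4, 11), (4, 6): (4, 6, 1)}

# Matches "Wireshark 4.4.9 ..." and "TShark (Wireshark) 4.4.9 ..." (assumed formats).
_VERSION_RE = re.compile(r"Wireshark\)?\s+(\d+)\.(\d+)\.(\d+)")


def parse_version(text: str) -> Optional[Version]:
    """Extract (major, minor, patch) from --version output; None if not found."""
    m = _VERSION_RE.search(text)
    if not m:
        return None
    major, minor, patch = (int(x) for x in m.groups())
    return (major, minor, patch)


def is_affected(v: Version) -> bool:
    """True when v lies inside one of the inclusive affected ranges."""
    return any(lo <= v <= hi for lo, hi in AFFECTED_RANGES)


def assess(version_text: str) -> Dict[str, object]:
    """Return a status of 'vulnerable', 'fixed', 'not-listed' or 'unknown'."""
    v = parse_version(version_text)
    if v is None:
        return {"version": None, "status": "unknown", "fixed_in": None}
    branch = v[:2]
    if is_affected(v):
        status = "vulnerable"
    elif branch in FIXED and v >= FIXED[branch]:
        status = "fixed"
    else:
        # A branch the advisory does not mention (e.g. 4.2.x): say nothing more.
        status = "not-listed"
    return {"version": v, "status": status, "fixed_in": FIXED.get(branch)}


def installed_version_text() -> Optional[str]:
    """Run the first Wireshark-family binary found on PATH with --version."""
    for exe in ("wireshark", "tshark"):  # assumed binary names
        path = shutil.which(exe)
        if path is None:
            continue
        try:
            out = subprocess.run([path, "--version"], capture_output=True,
                                 text=True, timeout=10)
        except (OSError, subprocess.SubprocessError):
            continue
        if out.stdout:
            return out.stdout
    return None


if __name__ == "__main__":
    text = installed_version_text()
    if text is None:
        print("No wireshark/tshark binary found on PATH")
    else:
        print(assess(text))
```

Run it on each analyst workstation; a result of "vulnerable" means the host needs the upgrade described under Official Fix, while "not-listed" only means the advisory does not cover that branch and should be checked separately.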

📡 Detection & Monitoring

Log Indicators:

  • Wireshark crash logs
  • Application error events mentioning Wireshark

Network Indicators:

  • Unusual Kafka traffic patterns to monitoring systems
  • Multiple connection attempts on port 9092

SIEM Query:

(EventID=1000 AND ProcessName='wireshark.exe') OR ApplicationLogs CONTAINS 'Wireshark crash'
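The SIEM query above is pseudo-syntax; the following added example (not part of the advisory) shows the same detection logic implemented over constructed Windows Application Error records, and goes one step further by grouping crashes per host in a time window so that the repeated-crash pattern described under Worst Case stands out. The record layout (host, event_id, time, message) and the sample events are constructed; the "Faulting application name:" prefix mirrors the message format of Application Error Event ID 1000, and the window and threshold values are arbitrary tuning knobs.

```python
"""Detect Wireshark/TShark crash events and flag hosts with crash bursts.

Added example with constructed sample data; it is not part of the advisory.
"""
import re
from collections import defaultdict
from datetime import datetime, timedelta
from typing import Dict, Iterable, List, Optional

# Constructed sample records resembling Windows Application Error (ID 1000) entries.
SAMPLE_EVENTS: List[dict] = [
    {"host": "analyst-01", "event_id": 1000, "time": "2025-11-20T09:12:03",
     "message": "Faulting application name: Wireshark.exe, version: 4.4.9.0, time stamp: 0x00000000"},
    {"host": "analyst-01", "event_id": 1000, "time": "2025-11-20T09:15:40",
     "message": "Faulting application name: Wireshark.exe, version: 4.4.9.0, time stamp: 0x00000000"},
    {"host": "analyst-01", "event_id": 1000, "time": "2025-11-20T09:19:58",
     "message": "Faulting application name: Wireshark.exe, version: 4.4.9.0, time stamp: 0x00000000"},
    {"host": "analyst-02", "event_id": 1000, "time": "2025-11-20T10:02:11",
     "message": "Faulting application name: tshark.exe, version: 4.4.8.0, time stamp: 0x00000000"},
    # Unrelated application crash: same event id, different process.
    {"host": "analyst-02", "event_id": 1000, "time": "2025-11-20T10:05:00",
     "message": "Faulting application name: notepad.exe, version: 10.0.0.0, time stamp: 0x00000000"},
    # Windows Error Reporting follow-up (ID 1001) mentions Wireshark but is not a crash record.
    {"host": "analyst-01", "event_id": 1001, "time": "2025-11-20T09:20:10",
     "message": "Fault bucket 1, type 4\nEvent Name: APPCRASH\nP1: Wireshark.exe"},
]

TARGET_PROCESSES = {"wireshark.exe", "tshark.exe"}
_FAULTING_APP_RE = re.compile(r"Faulting application name:\s*([^,\s]+)", re.IGNORECASE)


def faulting_app(message: str) -> Optional[str]:
    """Pull the faulting executable name out of an Event 1000 message."""
    m = _FAULTING_APP_RE.search(message)
    return m.group(1).lower() if m else None


def is_wireshark_crash(event: dict) -> bool:
    """Application Error 1000 whose faulting application is Wireshark or TShark."""
    if event.get("event_id") != 1000:
        return False
    return faulting_app(event.get("message", "")) in TARGET_PROCESSES


def crash_bursts(events: Iterable[dict], window: timedelta = timedelta(minutes=10),
                 threshold: int = 3) -> Dict[str, int]:
    """Hosts with at least `threshold` Wireshark crashes inside any `window`.

    Returns {host: max_crashes_in_one_window} for hosts over the threshold.
    """
    per_host: Dict[str, List[datetime]] = defaultdict(list)
    for e in events:
        if is_wireshark_crash(e):
            per_host[e["host"]].append(datetime.fromisoformat(e["time"]))

    bursts: Dict[str, int] = {}
    for host, times in per_host.items():
        times.sort()
        best, start = 0, 0
        for end in range(len(times)):          # sliding window over sorted timestamps
            while times[end] - times[start] > window:
                start += 1
            best = max(best, end - start + 1)
        if best >= threshold:
            bursts[host] = best
    return bursts


if __name__ == "__main__":
    hits = [e for e in SAMPLE_EVENTS if is_wireshark_crash(e)]
    print(f"{len(hits)} Wireshark crash records")
    print("crash bursts:", crash_bursts(SAMPLE_EVENTS))
```

A burst on a host whose Kafka captures coincide with the crash times is the signal to pull the capture file and check whether the host is still on an affected version.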
