CVE-2025-13946

5.5 MEDIUM

📋 TL;DR

A vulnerability in Wireshark's MEGACO dissector causes an infinite loop when processing specially crafted packets, leading to denial of service. This affects Wireshark users analyzing network traffic containing MEGACO/H.248 protocol data. The vulnerability can crash Wireshark or cause excessive CPU consumption.

💻 Affected Systems

Products:
  • Wireshark
Versions: 4.6.0 to 4.6.1 and 4.4.0 to 4.4.11
Operating Systems: Windows, Linux, macOS, Unix-like systems
Default Config Vulnerable: ⚠️ Yes
Notes: Only affects Wireshark when analyzing MEGACO/H.248 protocol traffic. Users must have packet capture privileges.

📦 What is this software?

⚠️ Risk & Real-World Impact

🔴 Worst Case

Wireshark crashes or becomes unresponsive, disrupting network analysis operations and potentially causing data loss of unsaved captures.

🟠 Likely Case

Wireshark process hangs or crashes when analyzing malicious MEGACO traffic, requiring restart and losing current capture session.

🟢 If Mitigated

Limited to Wireshark application impact only; no system-wide compromise or data exfiltration.

🌐 Internet-Facing: LOW - Wireshark is typically not internet-facing; it's a network analysis tool run locally.
🏢 Internal Only: MEDIUM - Internal users running vulnerable Wireshark versions could be affected by malicious internal traffic.

🎯 Exploit Status

Public PoC: ✅ No
Weaponized: UNKNOWN
Unauthenticated Exploit: ⚠️ Yes
Complexity: LOW - Requires sending specially crafted MEGACO packets to a network being monitored.

Exploitation requires the target to be running Wireshark and capturing network traffic containing the malicious packets.

🛠️ Fix & Mitigation

✅ Official Fix

Patch Version: Wireshark 4.6.2 and 4.4.12

Vendor Advisory: https://www.wireshark.org/security/wnpa-sec-2025-08.html

Restart Required: Yes

Instructions:

1. Download the latest Wireshark from wireshark.org.
2. Run the installer (Windows) or use your package manager (Linux).
3. Restart Wireshark after installation.

🔧 Temporary Workarounds

Disable MEGACO dissector

Platforms: all

Prevent Wireshark from processing MEGACO/H.248 protocol traffic. Note that `-o megaco.desegment:false` only turns off reassembly and still runs the dissector; the protocol must be disabled outright (CLI below, or Analyze → Enabled Protocols in the GUI):

wireshark --disable-protocol megaco
tshark --disable-protocol megaco

Use capture filters

Platforms: all

Filter out MEGACO traffic during capture

wireshark -f "not port 2944"
tshark -f "not port 2944"

🧯 If You Can't Patch

  • Restrict Wireshark usage to trusted networks only
  • Monitor Wireshark process for abnormal CPU usage and restart if detected

🔍 How to Verify

Check if Vulnerable:

Check the Wireshark version: Help → About Wireshark (GUI) or 'wireshark --version' / 'tshark --version' (CLI). If the version is 4.6.0-4.6.1 or 4.4.0-4.4.11, you are vulnerable.

Check Version:

wireshark --version | head -1

Verify Fix Applied:

Verify the version is 4.6.2 or later (4.6 branch) or 4.4.12 or later (4.4 branch). Test with known MEGACO traffic to confirm Wireshark no longer hangs or crashes.
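Added example, not part of this advisory: a POSIX shell check that parses the first line of the `wireshark --version` / `tshark --version` banner and classifies the version against the affected and fixed ranges listed above (function names are mine; versions outside the listed 4.4/4.6 ranges are reported as such rather than judged).

```shell
#!/bin/sh
# Added example (not from the advisory): classify an installed Wireshark/tshark
# build against the CVE-2025-13946 ranges (affected: 4.6.0-4.6.1, 4.4.0-4.4.11;
# fixed: 4.6.2+ and 4.4.12+).

# Extract "X.Y.Z" from the first banner line, e.g.
# "Wireshark 4.4.10 (Git v4.4.10 packaged as 4.4.10-1)" or
# "TShark (Wireshark) 4.6.1 (v4.6.1-0-g...)".
ws_version_from_banner() {
    printf '%s\n' "$1" |
        sed -n '1s/^[^0-9]*\([0-9][0-9]*\.[0-9][0-9]*\.[0-9][0-9]*\).*/\1/p'
}

# Print "vulnerable", "fixed" or "outside-listed-ranges" for an X.Y.Z string.
ws_cve_2025_13946_status() {
    ver=$1
    major=${ver%%.*}; rest=${ver#*.}
    minor=${rest%%.*}; patch=${rest#*.}
    patch=${patch%%[!0-9]*}          # drop any trailing suffix such as "-1"
    if [ "$major" -gt 4 ]; then echo fixed; return; fi
    if [ "$major" -lt 4 ]; then echo outside-listed-ranges; return; fi
    case $minor in
        6) if [ "$patch" -le 1 ];  then echo vulnerable; else echo fixed; fi ;;
        4) if [ "$patch" -le 11 ]; then echo vulnerable; else echo fixed; fi ;;
        *) if [ "$minor" -gt 6 ]; then echo fixed; else echo outside-listed-ranges; fi ;;
    esac
}

# Check whichever of wireshark/tshark is on PATH; silent if neither is installed.
check_installed() {
    for bin in wireshark tshark; do
        command -v "$bin" >/dev/null 2>&1 || continue
        ver=$(ws_version_from_banner "$("$bin" --version 2>/dev/null)")
        [ -n "$ver" ] || continue
        printf '%s %s: %s\n' "$bin" "$ver" "$(ws_cve_2025_13946_status "$ver")"
    done
}

check_installed
```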

📡 Detection & Monitoring

Log Indicators:

  • Wireshark crash logs
  • Application event logs showing Wireshark termination

Network Indicators:

  • MEGACO/H.248 protocol traffic to monitored networks
  • Port 2944/TCP or 2944/UDP traffic

SIEM Query:

source="wireshark.log" AND ("crash" OR "segmentation fault" OR "infinite loop")

🔗 References
