CVE-2025-5601

7.8 HIGH

📋 TL;DR

A buffer overflow vulnerability in Wireshark's column handling allows attackers to cause denial of service via packet injection or specially crafted capture files. This affects Wireshark users analyzing network traffic, particularly security analysts and network administrators using vulnerable versions.

💻 Affected Systems

Products:
  • Wireshark
Versions: 4.4.0 to 4.4.6 and 4.2.0 to 4.2.12
Operating Systems: All platforms running affected Wireshark versions
Default Config Vulnerable: ⚠️ Yes
Notes: All Wireshark installations within affected version ranges are vulnerable regardless of configuration.


⚠️ Risk & Real-World Impact

🔴 Worst Case

Complete Wireshark crash leading to loss of ongoing packet analysis, potential data loss of unsaved capture sessions, and disruption of network monitoring operations.

🟠 Likely Case

Application crash when processing malicious packets or capture files, requiring restart of Wireshark and potential loss of analysis context.

🟢 If Mitigated

Minimal impact with proper network segmentation and updated software, limited to isolated analysis environments.

🌐 Internet-Facing: LOW - Wireshark is typically not internet-facing; it's a desktop analysis tool.
🏢 Internal Only: MEDIUM - Internal users could be affected by malicious capture files or packet injection on monitored networks.

🎯 Exploit Status

Public PoC: ✅ No
Weaponized: UNKNOWN
Unauthenticated Exploit: ⚠️ Yes
Complexity: LOW

Exploitation requires either packet injection on a monitored network or a user opening a malicious capture file.

🛠️ Fix & Mitigation

✅ Official Fix

Patch Version: Wireshark 4.4.7 and 4.2.13

Vendor Advisory: https://www.wireshark.org/security/wnpa-sec-2025-02.html

Restart Required: Yes

Instructions:

1. Download latest version from wireshark.org
2. Uninstall current version
3. Install patched version
4. Restart system

🔧 Temporary Workarounds

Restrict capture file sources (applies to: all)

Only open capture files from trusted sources and avoid analyzing untrusted network traffic.

Network segmentation (applies to: all)

Isolate Wireshark systems from untrusted networks to prevent packet injection.

🧯 If You Can't Patch

  • Restrict Wireshark usage to trusted, isolated networks only
  • Implement strict controls on capture file sources and validation

🔍 How to Verify

Check if Vulnerable:

Check the Wireshark version via Help → About Wireshark, or run the `wireshark -v` command.

Check Version:

wireshark -v

Verify Fix Applied:

Confirm the version is 4.4.7 or later on the 4.4 branch, or 4.2.13 or later on the 4.2 branch.
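The version check above is easy to get wrong when done by eye across two release branches (4.2.13 is fixed even though it is numerically "lower" than 4.4.6). The POSIX shell script below is an added example, not part of this advisory or of the Wireshark project: it parses the first line of `wireshark -v` (or `tshark -v`) output and classifies the version against the affected ranges 4.4.0 to 4.4.6 and 4.2.0 to 4.2.12 stated on this page. The sample output strings inside it are constructed for illustration; the function and variable names are the example's own.

```shell
#!/bin/sh
# Added example for CVE-2025-5601: classify an installed Wireshark version
# against the affected ranges 4.4.0-4.4.6 and 4.2.0-4.2.12.

# Pull "major.minor.patch" out of `wireshark -v` / `tshark -v` output.
# Constructed sample first lines this handles:
#   "Wireshark 4.4.6 (v4.4.6-0-gdeadbeef)"
#   "TShark (Wireshark) 4.2.12 (v4.2.12-0-gdeadbeef)"
wireshark_version_from_output() {
    printf '%s\n' "$1" \
        | sed -n -e 's/^[Ww]ireshark \([0-9][0-9.]*\).*/\1/p' \
                 -e 's/^TShark (Wireshark) \([0-9][0-9.]*\).*/\1/p' \
        | head -n 1
}

# Return 0 (true) when the version lies inside an affected range,
# 1 when it is a fixed or unlisted release, 2 when the string is malformed.
# Only the two branches named in the advisory are compared; any other
# branch is reported as not affected by this CVE.
wireshark_is_affected() {
    ver=$1
    case "$ver" in
        [0-9]*.[0-9]*.[0-9]*) ;;
        *) return 2 ;;
    esac
    major=${ver%%.*}
    rest=${ver#*.}
    minor=${rest%%.*}
    patch=${rest#*.}
    patch=${patch%%[!0-9]*}      # drop any suffix such as "-rc1"
    case "$major.$minor" in
        4.4) [ "$patch" -le 6 ] ;;
        4.2) [ "$patch" -le 12 ] ;;
        *)   return 1 ;;
    esac
}

# Query the installed binary and print one word: affected, not-affected or
# unknown (binary missing or output unparsable). Always exits 0 so it can be
# used inside larger scripts without tripping `set -e`.
check_installed_wireshark() {
    out=$(wireshark -v 2>/dev/null) || out=$(tshark -v 2>/dev/null) || out=""
    ver=$(wireshark_version_from_output "$out")
    if [ -z "$ver" ]; then
        echo "unknown"
    elif wireshark_is_affected "$ver"; then
        echo "affected ($ver: upgrade to 4.4.7 or 4.2.13)"
    else
        echo "not-affected ($ver)"
    fi
    return 0
}

# Usage: run with --check to inspect the local installation.
case "${1:-}" in
    --check) check_installed_wireshark ;;
esac
```

Run it as `sh check_wireshark.sh --check` on each analysis workstation; the one-word result is easy to collect from a fleet-wide inventory job and compare against the patch versions listed above.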

📡 Detection & Monitoring

Log Indicators:

  • Wireshark crash logs
  • Application error events mentioning column handling

Network Indicators:

  • Unusual packet patterns targeting monitored interfaces
  • Malformed capture files

SIEM Query:

EventID: 1000 OR Application: Wireshark AND (Error OR Crash)
