CVE-2025-9817

7.8 HIGH

📋 TL;DR

A vulnerability in Wireshark's SSH dissector causes a crash when processing specially crafted SSH packets, leading to denial of service. This affects users running Wireshark versions 4.4.0 through 4.4.8 for packet analysis. The crash occurs during packet dissection, not during normal SSH communication.

💻 Affected Systems

Products:
  • Wireshark
Versions: 4.4.0 to 4.4.8
Operating Systems: All platforms running affected Wireshark versions
Default Config Vulnerable: ⚠️ Yes
Notes: Only affects Wireshark when dissecting SSH packets; SSH servers/clients themselves are not vulnerable.

⚠️ Risk & Real-World Impact

🔴 Worst Case

An attacker could crash Wireshark instances on monitoring systems, disrupting network analysis and potentially causing monitoring gaps during critical incidents.

🟠 Likely Case

Malicious SSH traffic could crash Wireshark during packet capture or analysis, requiring a restart of the application and causing loss of the current capture data.

🟢 If Mitigated

With proper network segmentation and limited Wireshark exposure, impact is limited to temporary loss of packet analysis capability.

🌐 Internet-Facing: LOW - Wireshark is typically not internet-facing; it's an analysis tool that processes captured traffic.
🏢 Internal Only: MEDIUM - Internal attackers could craft malicious SSH packets to crash Wireshark instances used for network monitoring.

🎯 Exploit Status

Public PoC: ✅ No
Weaponized: UNKNOWN
Unauthenticated Exploit: ⚠️ Yes
Complexity: LOW

Exploitation requires ability to send specially crafted SSH packets to networks where Wireshark is capturing traffic.

🛠️ Fix & Mitigation

✅ Official Fix

Patch Version: Wireshark 4.4.9 and later

Vendor Advisory: https://www.wireshark.org/security/wnpa-sec-2025-03.html

Restart Required: Yes

Instructions:

1. Download Wireshark 4.4.9 or later from wireshark.org.
2. Install the update.
3. Restart Wireshark and any related services.

🔧 Temporary Workarounds

Disable SSH dissector (applies to: all)

Prevent Wireshark from processing SSH packets by disabling the SSH dissector.

Edit preferences -> Protocols -> SSH -> Uncheck 'Enable SSH protocol'

Use capture filters (applies to: all)

Exclude SSH traffic from being captured.

Use capture filter: not port 22 (this excludes only SSH on its default port; SSH running on a non-standard port would still be captured)

🧯 If You Can't Patch

  • Restrict Wireshark to trusted network segments only
  • Monitor for Wireshark crashes and have restart procedures ready

🔍 How to Verify

Check if Vulnerable:

Check Wireshark version via Help -> About Wireshark; versions 4.4.0-4.4.8 are vulnerable

Check Version:

wireshark --version | grep 'Wireshark'

Verify Fix Applied:

Verify version is 4.4.9 or higher and test SSH packet capture
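A scripted form of this version check, added here as an example that is not part of the advisory or of Wireshark itself: it parses the banner line of `wireshark --version`, tests the 4.4.0 through 4.4.8 range, and falls back to a constructed sample banner when no wireshark binary is on PATH.

```shell
#!/bin/sh
# Added example (not from the advisory or the Wireshark project): parse the
# banner line of `wireshark --version` and decide whether the version is in
# the CVE-2025-9817 affected range 4.4.0 through 4.4.8 (fixed in 4.4.9).

# Print "X.Y.Z" from a line starting "Wireshark X.Y.Z", or nothing if absent.
extract_version() {
    printf '%s\n' "$1" \
        | sed -n 's/^Wireshark \([0-9][0-9]*\.[0-9][0-9]*\.[0-9][0-9]*\).*/\1/p' \
        | head -n 1
}

# Return 0 when major.minor.patch is 4.4.0 .. 4.4.8, 1 otherwise; malformed
# input (empty, non-numeric, fewer than three components) counts as not affected.
is_affected_version() {
    case "$1" in
        ""|*[!0-9.]*) return 1 ;;   # only digits and dots allowed
        *.*.*) ;;                   # need at least major.minor.patch
        *) return 1 ;;
    esac
    major=${1%%.*}
    rest=${1#*.}
    minor=${rest%%.*}
    patch=${rest#*.}
    patch=${patch%%.*}              # drop any fourth component
    [ "$major" -eq 4 ] && [ "$minor" -eq 4 ] && [ "$patch" -le 8 ]
}

# Turn raw --version output into a verdict line (always returns 0).
classify_version_output() {
    v=$(extract_version "$1")
    if [ -z "$v" ]; then
        echo "UNKNOWN: no Wireshark version line found"
    elif is_affected_version "$v"; then
        echo "AFFECTED: Wireshark $v is in 4.4.0-4.4.8; upgrade to 4.4.9 or later"
    else
        echo "NOT AFFECTED: Wireshark $v"
    fi
}

# Constructed sample banner (not captured from a real host), used when no
# wireshark binary is on PATH.
SAMPLE_OUTPUT='Wireshark 4.4.5 (v4.4.5-0-gPLACEHOLDER).
Copyright and build details follow in the real banner.'

if command -v wireshark >/dev/null 2>&1; then
    classify_version_output "$(wireshark --version 2>/dev/null)"
else
    classify_version_output "$SAMPLE_OUTPUT"
fi
```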

📡 Detection & Monitoring

Log Indicators:

  • Wireshark crash logs
  • Application error events mentioning Wireshark

Network Indicators:

  • Unusual SSH traffic patterns to monitoring segments

SIEM Query:

source="wireshark.log" AND ("crash" OR "segmentation fault" OR "access violation")
