CVE-2026-0961

5.5 MEDIUM

📋 TL;DR

A vulnerability in Wireshark's BLF file parser causes a crash when processing malicious files, leading to denial of service. This affects users running vulnerable versions of Wireshark who open untrusted BLF files. The impact is limited to application crashes without remote code execution.

💻 Affected Systems

Products:
  • Wireshark
Versions: 4.6.0 to 4.6.2 and 4.4.0 to 4.4.12
Operating Systems: Windows, Linux, macOS, Unix-like systems
Default Config Vulnerable: ⚠️ Yes
Notes: All installations with vulnerable versions are affected when processing BLF files. No special configuration required.

⚠️ Risk & Real-World Impact

🔴 Worst Case: Wireshark crashes repeatedly when processing malicious BLF files, disrupting network analysis operations and potentially causing data loss of unsaved captures.

🟠 Likely Case: Application crash when opening specially crafted BLF files, requiring a restart of Wireshark and loss of any unsaved work.

🟢 If Mitigated: No impact if users avoid opening untrusted BLF files or have patched versions.

🌐 Internet-Facing: LOW - Wireshark is typically not internet-facing; exploitation requires user interaction to open malicious files.
🏢 Internal Only: MEDIUM - Internal users could be targeted with malicious BLF files via email or file shares, causing disruption to network analysis activities.

🎯 Exploit Status

Public PoC: ✅ No
Weaponized: UNKNOWN
Unauthenticated Exploit: ✅ No
Complexity: LOW

Exploitation requires user interaction to open a malicious BLF file; no authentication is required for local exploitation.

🛠️ Fix & Mitigation

✅ Official Fix

Patch Version: Wireshark 4.6.3 and 4.4.13

Vendor Advisory: https://www.wireshark.org/security/wnpa-sec-2026-01.html

Restart Required: Yes

Instructions:

1. Download latest version from wireshark.org/download.html
2. Run installer (Windows) or compile from source (Linux/Unix)
3. Restart Wireshark after installation

🔧 Temporary Workarounds

Avoid untrusted BLF files (platforms: all)

Do not open BLF files from untrusted sources.

Disable BLF file parsing (platforms: all)

Remove or restrict the BLF file association in the system:

# Linux: Remove .blf file association
rm ~/.local/share/mime/packages/wireshark-blf.xml
# Windows: Remove file association via Registry Editor or Settings

Note: removing the file association only stops BLF files from opening in Wireshark on double-click. Wireshark detects the capture file format by content, so a BLF file opened from within the application is still parsed; the first workaround remains necessary.

🧯 If You Can't Patch

  • Restrict users to opening BLF files only from trusted sources
  • Implement application allow-listing to prevent execution of vulnerable Wireshark versions

🔍 How to Verify

Check if Vulnerable:

Check Wireshark version via Help → About Wireshark or command line

Check Version:

wireshark --version

Verify Fix Applied:

Verify that the version is 4.6.3 or later on the 4.6 branch, or 4.4.13 or later on the 4.4 branch.
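The version check above, as an added example (not part of this advisory or of Wireshark): it parses the output of `wireshark --version` and compares the x.y.z triple against the affected ranges and fixed releases the advisory names. The sample version strings are constructed.

```python
"""Check a Wireshark version string against the ranges named in this advisory.

Added example, not part of the advisory. The affected ranges
(4.6.0-4.6.2, 4.4.0-4.4.12) and fixed releases (4.6.3, 4.4.13) are the
ones the advisory states; sample version strings below are constructed.
"""
import re
import subprocess
from typing import List, Optional, Tuple

Version = Tuple[int, int, int]

# (first affected, last affected, first fixed) per release branch, from the advisory.
AFFECTED_RANGES: List[Tuple[Version, Version, Version]] = [
    ((4, 6, 0), (4, 6, 2), (4, 6, 3)),
    ((4, 4, 0), (4, 4, 12), (4, 4, 13)),
]

_VERSION_RE = re.compile(r"(\d+)\.(\d+)\.(\d+)")


def parse_version(text: str) -> Optional[Version]:
    """Extract the first x.y.z triple from `wireshark --version` output (None if absent)."""
    m = _VERSION_RE.search(text)
    if not m:
        return None
    major, minor, patch = (int(g) for g in m.groups())
    return (major, minor, patch)


def is_vulnerable(version: Version) -> bool:
    """True if the version falls inside one of the advisory's affected ranges."""
    return any(lo <= version <= hi for lo, hi, _ in AFFECTED_RANGES)


def assess(text: str) -> str:
    """Human-readable verdict for a `wireshark --version` output string."""
    v = parse_version(text)
    if v is None:
        return "unknown: could not parse a version"
    vs = ".".join(map(str, v))
    for lo, hi, fixed in AFFECTED_RANGES:
        if lo <= v <= hi:
            return f"vulnerable: {vs} (upgrade to {'.'.join(map(str, fixed))} or later)"
    return f"not in an affected range: {vs}"


def local_wireshark_version() -> Optional[str]:
    """Run `wireshark --version` if it is on PATH; None if it is not installed."""
    try:
        out = subprocess.run(["wireshark", "--version"], capture_output=True,
                             text=True, timeout=30)
    except (FileNotFoundError, subprocess.TimeoutExpired):
        return None
    return out.stdout


if __name__ == "__main__":
    # Constructed sample, in the shape `wireshark --version` prints its first line.
    sample = "Wireshark 4.6.2 (v4.6.2-0-gdeadbeef)."
    print(assess(sample))
    live = local_wireshark_version()
    print(assess(live) if live else "wireshark not found on PATH")
```

The verdict is deliberately "not in an affected range" rather than "safe": a build outside both ranges (a 4.2.x release, a development snapshot) is simply not covered by this advisory.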

📡 Detection & Monitoring

Log Indicators:

  • Wireshark crash logs
  • Application error events in system logs

Network Indicators:

  • Unusual BLF file transfers to analyst workstations

SIEM Query:

(EventID=1000 OR EventID=1001) AND ProcessName="wireshark.exe"

Event ID 1000 (Application Error) and 1001 (Windows Error Reporting) are the Windows Application log events written when a process crashes. The parentheses are required: AND binds tighter than OR in most query languages, so without them the query matches every Event ID 1000 record regardless of process.
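The crash-event filter applied to sample log records, as an added example (not part of this advisory). The records are constructed to mimic Windows Application log entries and use the field names from the advisory's query; the second function shows what the query matches when the OR/AND precedence is left unparenthesized.

```python
"""Apply the advisory's Wireshark crash filter to sample Windows Application log records.

Added example, not part of the advisory. SAMPLE_EVENTS is constructed, not
real telemetry; field names (EventID, ProcessName) follow the advisory's query.
"""
from typing import Dict, Iterable, List

Record = Dict[str, object]

# Constructed sample records: two Wireshark crashes on one host, plus noise.
SAMPLE_EVENTS: List[Record] = [
    {"EventID": 1000, "ProcessName": "wireshark.exe", "Host": "analyst-01"},
    {"EventID": 1001, "ProcessName": "wireshark.exe", "Host": "analyst-01"},
    {"EventID": 1000, "ProcessName": "excel.exe", "Host": "finance-07"},
    {"EventID": 4624, "ProcessName": "wireshark.exe", "Host": "analyst-02"},
    {"EventID": 1001, "ProcessName": "notepad.exe", "Host": "hr-03"},
]

# Windows Application log: 1000 = Application Error, 1001 = Windows Error Reporting.
CRASH_EVENT_IDS = {1000, 1001}


def is_wireshark_crash(rec: Record) -> bool:
    """(EventID=1000 OR EventID=1001) AND ProcessName="wireshark.exe": the intended filter."""
    return rec["EventID"] in CRASH_EVENT_IDS and str(rec["ProcessName"]).lower() == "wireshark.exe"


def unparenthesized_reading(rec: Record) -> bool:
    """How `EventID=1000 OR EventID=1001 AND ProcessName=...` reads when AND binds
    tighter than OR: every Event ID 1000 record matches, whatever process crashed."""
    return rec["EventID"] == 1000 or (
        rec["EventID"] == 1001 and str(rec["ProcessName"]).lower() == "wireshark.exe"
    )


def wireshark_crashes(events: Iterable[Record]) -> List[Record]:
    """Records that match the corrected filter."""
    return [e for e in events if is_wireshark_crash(e)]


def hosts_with_repeated_crashes(events: Iterable[Record], threshold: int = 2) -> List[str]:
    """Hosts with at least `threshold` Wireshark crash events; repeated crashes
    match the advisory's worst case and are worth an analyst's attention."""
    counts: Dict[str, int] = {}
    for e in wireshark_crashes(events):
        host = str(e["Host"])
        counts[host] = counts.get(host, 0) + 1
    return sorted(h for h, n in counts.items() if n >= threshold)


if __name__ == "__main__":
    print("intended filter matches:", len(wireshark_crashes(SAMPLE_EVENTS)))
    print("unparenthesized reading matches:",
          sum(unparenthesized_reading(e) for e in SAMPLE_EVENTS))
    print("hosts with repeated crashes:", hosts_with_repeated_crashes(SAMPLE_EVENTS))
```

On the sample data the corrected filter returns the two Wireshark events, while the unparenthesized reading also pulls in the unrelated Excel crash. In a real deployment the faulting application name for Event ID 1000 lives in the event's message data rather than in a dedicated ProcessName field, so map that field to however your SIEM extracts it.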
