Wireshark 4.6.6 arrived on May 19, 2026, and network engineers who rely on the world’s most popular protocol analyzer should install it immediately. The maintenance update squashes two memory corruption bugs in the ROHC and MACsec dissectors — flaws that could crash Wireshark or, worse, allow remote code execution when opening a malicious capture file. It also bundles a raft of Windows stability fixes, including an updated Npcap driver that resolves long-standing capture hangs on Windows 11.
This release spans both the 4.6 and 4.4 stable branches, meaning every supported version gets the same critical patches. The Wireshark Foundation’s development team classifies the ROHC crash and MACsec overflow as high-severity issues, and they urge all users to upgrade. Here’s why these fixes matter and what else the update delivers.
ROHC Dissector Crash: A Blow to 5G and VoLTE Analysis
The Robust Header Compression (ROHC) protocol optimizes bandwidth on low-speed links by compressing IP, UDP, RTP, and TCP headers. It’s ubiquitous in 4G LTE, 5G NR, and VoLTE networks, making the dissector a critical tool for telecom engineers. The flaw patched in Wireshark 4.6.6 (also backported to 4.4.x) triggers a null-pointer dereference or out-of-bounds read when the dissector processes a specially crafted ROHC packet.
An attacker can exploit this by tricking a user into opening a malicious .pcapng file. The result? An immediate crash. While no public proof-of-concept demonstrates code execution, memory corruption bugs of this class often escalate. For a tool that routinely opens captures from untrusted sources — think of a security analyst investigating a suspected intrusion — the risk is real.
The fix adds rigorous bounds checking in the ROHC decompression state machine. According to the Wireshark commit log, over 200 lines of defensive code now validate input packets against RFC 3095 and RFC 4815. The patch also hardens the feedback channel parsing, which was another vector for the crash. If you dissect cellular control-plane traffic, this update is non-negotiable.
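As an added illustration (not code from Wireshark or its patch), the following C example applies that kind of length validation to the feedback element defined in RFC 3095, section 5.2.2. The function and struct names are hypothetical, and the sample bytes are constructed.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

/* Hypothetical result type for this example; not a Wireshark structure. */
typedef struct {
    const uint8_t *data;   /* points into the caller's buffer */
    size_t len;            /* feedback data length in octets */
    size_t consumed;       /* octets used, header included */
} rohc_feedback;

/* Parse one RFC 3095 feedback element (section 5.2.2):
 *   octet 0: 1 1 1 1 0 | Code (3 bits)
 *   octet 1: Size, present only when Code == 0
 *   then:    feedback data, Code (1..7) or Size octets long
 * Returns 0 on success, -1 on NULL, non-feedback or truncated input. */
int parse_rohc_feedback(const uint8_t *buf, size_t buf_len, rohc_feedback *out)
{
    if (buf == NULL || out == NULL || buf_len < 1)
        return -1;
    if ((buf[0] & 0xF8) != 0xF0)      /* not a feedback type octet */
        return -1;

    size_t hdr = 1;
    size_t size = buf[0] & 0x07;      /* Code field */
    if (size == 0) {                  /* a Size octet follows */
        if (buf_len < 2)
            return -1;                /* truncated before Size */
        size = buf[1];
        hdr = 2;
    }
    if (size > buf_len - hdr)         /* declared length exceeds the data */
        return -1;

    out->data = buf + hdr;
    out->len = size;
    out->consumed = hdr + size;
    return 0;
}

int main(void)
{
    /* Constructed sample: Code = 5 but only one data octet follows. */
    const uint8_t truncated[] = { 0xF5, 0x01 };
    rohc_feedback fb;
    int rc = parse_rohc_feedback(truncated, sizeof truncated, &fb);
    printf("truncated feedback %s\n", rc == 0 ? "accepted" : "rejected");
    return 0;
}
```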
MACsec Global Buffer Overflow: A Looming Threat
MACsec (IEEE 802.1AE) secures Ethernet links at the hop level, encrypting frames between switches and endpoints. It’s a staple in enterprise campus networks and data center interconnects. The vulnerability fixed in 4.6.6 is a classic global-buffer-overflow in the MACsec dissector’s handling of the Secure Channel Identifier (SCI) field.
When Wireshark parses a MACsec frame with an overly long SCI, it writes past the end of the global buffer set aside for it. This can corrupt adjacent memory structures, leading to erratic behavior or a crash. Google’s AddressSanitizer flagged the issue during fuzz testing, and the Wireshark team quickly issued a patch.
The fix ensures that the SCI length is validated against the packet’s actual byte count before copying. It also adds a hard limit of 64 bytes — the maximum allowed by the standard. For anyone who troubleshoots encrypted east-west traffic in the data center, this bug is a ticking time bomb in older versions.
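The two checks described above, shown beside the unchecked copy they replace, as an added C example that is not taken from Wireshark's source or its patch. The buffer and function names are hypothetical, the 64-byte cap is the figure this article gives, and the frame bytes are constructed.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

#define SCI_MAX_LEN 64          /* the hard limit the article cites */

/* Global destination buffer (hypothetical name, not Wireshark's). */
static uint8_t g_sci[SCI_MAX_LEN];

/* The unsafe pattern, kept for contrast: sci_len is trusted as-is, so a
 * value above SCI_MAX_LEN writes past the end of g_sci. */
void copy_sci_unchecked(const uint8_t *pkt, size_t off, size_t sci_len)
{
    memcpy(g_sci, pkt + off, sci_len);
}

/* Hardened form: validate before copying.
 * Returns the number of bytes copied, or -1 if the request is rejected. */
int copy_sci_checked(const uint8_t *pkt, size_t pkt_len, size_t off, size_t sci_len)
{
    if (pkt == NULL)
        return -1;
    if (sci_len > SCI_MAX_LEN)                     /* would overrun g_sci */
        return -1;
    if (off > pkt_len || sci_len > pkt_len - off)  /* would read past the frame */
        return -1;
    memcpy(g_sci, pkt + off, sci_len);
    return (int)sci_len;
}

int main(void)
{
    uint8_t frame[80];                  /* constructed frame bytes */
    memset(frame, 0x41, sizeof frame);
    printf("8-byte SCI:  %d\n", copy_sci_checked(frame, sizeof frame, 16, 8));
    printf("65-byte SCI: %d\n", copy_sci_checked(frame, sizeof frame, 16, 65));
    printf("past frame:  %d\n", copy_sci_checked(frame, sizeof frame, 76, 8));
    return 0;
}
```

The second comparison is written as `sci_len > pkt_len - off` rather than `off + sci_len > pkt_len` so that a very large length cannot wrap the addition and slip past the check.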
Windows Stability: Npcap and Beyond
Wireshark 4.6.6 rolls up several Windows-specific changes that address persistent pain points.
Npcap 1.7.5 Integration
Wireshark relies on Npcap for low-level packet capture on Windows. The 4.6.6 installer bundles Npcap 1.7.5, which fixes a deadlock that caused Wireshark to freeze during high-throughput captures on multi-core systems. The deadlock occurred when the Npcap driver’s buffer ring filled up and the application tried to reset it simultaneously — a classic race condition. Engineers at Riverbed (now part of the Wireshark Foundation) collaborated with the Npcap maintainer to squash it.
Additionally, Npcap 1.7.5 resolves an issue where Wi-Fi monitor mode would fail on certain Intel AX210 adapters after the Windows 11 2025 Update. The fix involves tweaking the driver’s OID request sequences to match the new NDIS requirements. If you capture 802.11 frames for security audits, this update restores full monitor mode functionality.
Windows 11 Adapter Enumeration Fix
Wireshark 4.6.6 corrects a regression where virtual Ethernet adapters created by Hyper-V or WSL2 would sometimes not appear in the capture interface list. The bug crept in with a Qt6 GUI change in 4.6.0 and affected Windows 10 22H2 and all Windows 11 builds. The fix reworks the interface enumeration logic to query the OS using the native IP Helper API rather than the Qt wrapper, eliminating a timing glitch.
Installer and PortableApps Improvements
The Windows installer now correctly registers the Wireshark file extensions (.pcap, .pcapng, etc.) even when the user has a non-English system locale. Previous versions occasionally left the associations broken, forcing users to manually open capture files. The PortableApps package — a community favorite for carrying Wireshark on a USB stick — no longer crashes on exit when saved preferences reference a missing interface.
Dark Mode Rendering on Windows 10
A small but welcome fix: Wireshark’s dark mode (introduced in 4.4) now renders consistently on Windows 10. The Qt fusion style had glitches with tree view expanders and packet list colors when high-contrast themes were active. The 4.6.6 release patches the stylesheet to override the system palette in a more predictable way.
What This Means for Network Professionals
For the average user, Wireshark 4.6.6 appears as a minor dot release. But the security fixes elevate it to a must-install. Consider how often you open capture files shared by colleagues, clients, or from public repositories like PacketLife or the Wireshark Sample Captures page. A single malformed packet in a million-frame trace can leave you staring at a crash dialog — or worse. The ROHC and MACsec flaws are exactly the sort of issues that automated fuzzers love to find, and they’re now public. Delaying the update leaves a known vulnerability on your analysis machine.
The Windows stability improvements directly impact day‑to‑day workflow. A frozen capture during a troubleshooting session at 2 a.m. is more than an annoyance — it’s downtime. The Npcap deadlock fix alone will save countless hours for Windows‑based network engineers who’ve been blaming Wireshark for random hangs.
How to Update
Wireshark 4.6.6 is available for Windows, macOS, and Linux. Windows users can download the installer from https://www.wireshark.org/download.html — choose the 64‑bit or Arm64 package depending on your hardware. The update requires administrative privileges to install the new Npcap driver. macOS users on Intel and Apple Silicon can get the binary from the same page. Linux users should check their distribution’s package manager; for example, Ubuntu 26.04 LTS already ships 4.6.6 in the official repos.
If you’re running Wireshark 4.4.x, the latest 4.4 release carries the same ROHC and MACsec fixes, but the Windows-specific patches are 4.6-only. The Wireshark Foundation strongly recommends all 4.4 users upgrade to the latest 4.4 release or, better, jump to 4.6.
A Look Ahead
The 4.6 branch is the current stable series, and it will continue receiving maintenance releases through 2027. The development branch has already moved to 4.7, which introduces a new HTTP/3 dissector and IPv6‑native packet coloring. But for production use, stick with 4.6.6. The Wireshark team’s rapid response to these dissector bugs demonstrates the value of continuous fuzzing and a community that reports crashes. As networks grow more complex — with encrypted tunnels, 5G cores, and IoT protocols — the pressure on analysis tools like Wireshark only increases. This update keeps you one step ahead of the next odd packet.