The Wireshark Foundation shipped a critical maintenance update on May 19, 2026, patching two high-severity vulnerabilities in the popular network protocol analyzer. Wireshark 4.6.6 addresses a crash in the ROHC (Robust Header Compression) dissector and a global buffer overflow in the MACsec (Media Access Control Security) dissector. Both flaws could allow attackers to crash Wireshark or potentially execute arbitrary code when users open a malicious capture file. Simultaneously, the release resolves a handful of Windows-specific regressions that had been frustrating users since version 4.6.0, including installer hangs, missing Npcap driver updates, and GUI compatibility glitches on the latest Windows 11 builds.

The update arrives six weeks after version 4.6.5 and is being pushed through the automatic update mechanism inside the application. The Wireshark Foundation’s security advisory lists CVE-2026-???? for the ROHC crash and CVE-2026-???? for the MACsec buffer overflow, though identifiers had not been published at the time of this writing. Network engineers, security analysts, and IT administrators who rely on Wireshark for daily troubleshooting should apply the update immediately.

The ROHC Protocol Dissector Crash (Denial of Service)

The ROHC dissector, responsible for parsing compressed IP/UDP/RTP headers commonly used in VoIP and cellular networks, contained a logic error that could be triggered by a malformed packet. A crafted pcap file with a specific ROHC profile would cause an out-of-bounds read, leading to a segmentation fault. Because the crash occurs during the dissection phase, simply opening a malicious capture in Wireshark — even without starting a live capture — is enough to trigger the denial of service.

Impact analysis from the core developers confirms the vulnerability is exploitable in all Wireshark versions from 4.0.0 through 4.6.5. The fix backports a bounds check from the master branch, ensuring that the dissector validates the compression context ID before accessing internal tables. Users who analyze ROHC traffic in LTE/5G troubleshooting, VoLTE call tracing, or satellite link monitoring are particularly exposed, as such captures often arrive from untrusted third parties.

MACsec Global-Buffer-Overflow: More Than a Crash

The second patched flaw resides in the MACsec dissector, which parses IEEE 802.1AE frames. A global buffer overflow can be triggered when Wireshark encounters a MACsec frame carrying an overly long Secure Channel Identifier (SCI) in the SecTAG field. The overflow occurs in the function that validates the Integrity Check Value (ICV): the SCI is copied into a fixed-size buffer without a length check, corrupting the memory adjacent to it. In the worst case, this could lead to arbitrary code execution under the privileges of the user running Wireshark.

Because MACsec is increasingly deployed in data center interconnects, banking networks, and government backbones, capture files from these environments may be shared with external consultants. An attacker who crafts a malicious MACsec pcap could potentially compromise a consultant’s workstation. The patch rewrites the vulnerable function to use tvb_memdup() instead of a fixed-size static buffer, eliminating the overflow entirely.
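The two fixes described above (the ROHC context-ID bounds check and the MACsec switch from a static buffer to a length-checked tvb_memdup() copy) follow the same defensive pattern. The C below is an added illustration, not Wireshark's code: tvb_t, tvb_dup(), the 16-entry context table and the "CID is the first byte" layout are all assumptions standing in for the real tvbuff API and ROHC framing.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdlib.h>
#include <string.h>

/* Minimal stand-in for Wireshark's tvbuff (constructed for this example,
 * not the real API): a bounded view over the bytes of one packet. */
typedef struct { const uint8_t *data; size_t len; } tvb_t;

/* Length-checked heap copy in the spirit of tvb_memdup(): NULL when the
 * requested range runs past the packet. Caller frees the result. */
static uint8_t *tvb_dup(const tvb_t *tvb, size_t off, size_t n) {
    if (off > tvb->len || n > tvb->len - off) return NULL;
    uint8_t *p = malloc(n ? n : 1);
    if (p) memcpy(p, tvb->data + off, n);
    return p;
}

#define ROHC_MAX_CONTEXTS 16   /* assumed size of the dissector's context table */
static int rohc_context_table[ROHC_MAX_CONTEXTS];

/* ROHC: validate the compression context ID (CID) before it indexes the
 * table. The CID is assumed to be the whole first byte (a simplification). */
static int rohc_lookup_context(const tvb_t *tvb) {
    if (tvb->len < 1) return -1;             /* truncated packet */
    int cid = tvb->data[0];
    if (cid >= ROHC_MAX_CONTEXTS) return -1; /* the check the fix adds */
    return rohc_context_table[cid];
}

#define MACSEC_SCI_LEN 8   /* the SCI in the SecTAG is always 8 octets */
/* MACsec: copy the SCI into a caller-owned buffer via a length-checked heap
 * copy rather than a fixed-size static buffer. A length claimed by the
 * frame other than 8, or a frame too short to hold it, is rejected. */
static int macsec_read_sci(const tvb_t *tvb, size_t off, size_t claimed_len,
                           uint8_t *out, size_t out_len) {
    if (claimed_len != MACSEC_SCI_LEN || out_len < MACSEC_SCI_LEN) return -1;
    uint8_t *copy = tvb_dup(tvb, off, MACSEC_SCI_LEN);
    if (copy == NULL) return -1;             /* frame shorter than claimed */
    memcpy(out, copy, MACSEC_SCI_LEN);
    free(copy);
    return MACSEC_SCI_LEN;
}

/* Constructed sample packets (not real captures). */
static const uint8_t ROHC_OK_BYTES[]  = { 0x03, 0xAA };   /* CID 3 */
static const uint8_t ROHC_BAD_BYTES[] = { 0x7F };         /* CID 127 */
static const uint8_t SCI_OK_BYTES[]   = { 1, 2, 3, 4, 5, 6, 7, 8 };
static uint8_t sci_out[MACSEC_SCI_LEN];
```

A CID outside the table or an SCI whose claimed length does not match the frame now yields -1 and a "malformed" result instead of an out-of-bounds access.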

Windows Regressions: Installer and UI Fixes

Beyond security, Wireshark 4.6.6 tackles a cluster of Windows-specific bugs that have dominated user complaints since the 4.6.0 release. The most prominent issues addressed are:

  • Installer hangs on Windows 11 24H2 and Server 2025 – The MSI installer would sometimes stall during the “Register Python DLLs” step when Python 3.12 was present. This was traced to a timing conflict with the Windows Antimalware Scan Interface (AMSI); the installer now retries the registration with a brief delay.
  • Missing Npcap update prompts – In previous 4.6.x builds, if a user declined the Npcap upgrade during installation, the application would never alert them again, even when a critical Npcap security fix was available. Wireshark 4.6.6 bundles Npcap 1.80 and displays a one-time notification on first launch if an outdated Npcap driver is detected.
  • Dark mode color corruption – On some high-DPI displays running Windows 11 Build 26200+, the packet list and detail pane rendered with incorrect font colors, making text unreadable. The Qt theme engine now respects the QSETTINGS_QT_SCALE_FACTOR environment variable more consistently.
  • USB capture enumeration – When using USBPCap, certain USB 3.2 Gen 2x2 devices would not appear in the capture interface list. A faulty device descriptor parsing routine was corrected, restoring visibility for all USB classes.

The development team also backported a series of stability improvements for the extcap interface used by Npcap, sshdump, and ciscodump, which could crash when capturing on high-throughput (100 Gbps+) links.

Npcap 1.80: The Silent Partner

The Npcap packet capture library, maintained separately by the Nmap Project, received a concurrent update. Version 1.80 fixes a kernel memory leak when capturing on Wi-Fi interfaces in monitor mode and adds support for the new Windows Packet Capture API introduced in Windows 11 Insider Preview Build 26052. While Wireshark 4.6.6 bundles Npcap 1.80, users who rely on third-party tools that also use Npcap should check for tool-specific compatibility. The installation wizard offers a “Npcap only” mode for those who need to update the driver without reinstalling Wireshark.

Silent Changes: Protocol Dissector Refinements

Accompanying the headline fixes are dozens of subtle protocol dissector enhancements, many of which were backported from the forthcoming Wireshark 4.7 development branch. These do not warrant individual CVEs but improve dissection accuracy and resilience:

  • TLS 1.3 – Support for the TLS Encrypted Client Hello (ECH) extension has been improved; Wireshark can now decode inner Client Hello messages when the corresponding ECH configuration is known.
  • QUIC – Parsing of QUIC version 2 (RFC 9369) multi-packet datagrams no longer throws “Malformed Packet” for certain legitimate edge cases.
  • HTTP/3 – The QPACK decoder handles header field references to dynamic table entries that have been evicted, preventing dissection failures on heavily compressed traffic.
  • SMB – SMB3.1.1 preauthentication integrity validation no longer fails when the signing key is derived from a Kerberos ticket with PAC extensions.
  • DNS – SVCB/HTTPS record parsing correctly interprets the mandatory SvcParams list, fixing a regression introduced in 4.5.2.

These refinements are essential for engineers tracing modern web services, cloud storage protocols, and encrypted enterprise traffic.

Known Issues That Remain

No software release clears every defect. The Wireshark 4.6.6 release notes document several known issues that will be addressed in future patches:

  • macOS 15 Sequoia – The built-in macOS firewall may block the capture engine if the application has not been granted full disk access. A workaround is described in the Wireshark wiki.
  • Wi-Fi capture on Windows with WPA3 – Decryption of Wi-Fi frames using a WPA3 SAE password still fails on some Intel AX210 adapters; a driver-level fix is required from Intel.
  • Lua plugin API – Scripts that register post-dissectors may encounter tvb:uncompress() failures when handling compressed payloads larger than 16 MB. The Lua team is investigating a memory management solution.

Users who depend on these features should review the official release notes before upgrading.

How to Update

Wireshark 4.6.6 is available for Windows, macOS, and Linux from the official download page. Windows users can trigger the update via Help → Check for Updates; the installer preserves all user preferences, display filters, and coloring rules. Linux distributions that package Wireshark (Debian, Ubuntu, Fedora, Arch) should receive the update through their respective package managers within 24–48 hours. macOS users running the signed DMG package must manually download the latest disk image, as auto-update is not supported on that platform.

For enterprise environments using Chocolatey, the command choco upgrade wireshark will fetch the latest version. Administrators can also deploy the MSI package silently with msiexec /i Wireshark-4.6.6-x64.msi /qn and append DESKTOPICON=no to suppress the desktop shortcut if desired.

The Bigger Picture: Securing the Analysis Toolchain

Security analysts have long warned that network analysis tools themselves present an attack surface. In 2022, a vulnerability in Wireshark’s Bluetooth dissector was used in a watering-hole attack against telecom engineers. The rapid patching of the ROHC and MACsec flaws demonstrates the Wireshark Foundation’s commitment to its vulnerability disclosure program, which pays bounties for responsibly reported bugs. This release also underscores the importance of keeping all software on the analysis workstation up to date — not just the tools under test.

The inclusion of Npcap 1.80 alongside the Wireshark update is a reminder that the capture driver is as critical as the protocol dissectors. A compromised Npcap driver can intercept all packet flows at the kernel level. IT security policies should mandate that packet capture drivers be updated through authorized channels and not downloaded from third-party mirrors.

Wireshark 4.6.6 is a recommended update for all users. Its blend of security hardening, Windows compatibility repairs, and dissection accuracy improvements makes it a non-negotiable patch for anyone who handles network captures in a professional capacity.