PatchSiren

CVE-2017-6014 Debian CVE debrief

CVE-2017-6014 is a high-severity availability flaw in Wireshark’s STANAG 4607 parser. A crafted or malformed capture file can cause an infinite loop when a packet header’s size field is null, so the parser never advances its read offset and repeatedly processes the same zero-length packet until memory is exhausted. The NVD record maps affected Wireshark versions up to 2.2.4 and cites CWE-835.

Vendor: Debian
Product: CVE-2017-6014
CVSS: HIGH 7.5
CISA KEV: Not listed in stored evidence
Original CVE published: 2017-02-17
Original CVE updated: 2026-05-13
Advisory published: 2017-02-17
Advisory updated: 2026-05-13

Who should care

Organizations and analysts that open untrusted packet captures in Wireshark, especially teams that process STANAG 4607 data. Debian and other downstream package maintainers should also review their packaged Wireshark versions and advisories.

Technical summary

The issue is a parsing loop in Wireshark’s STANAG 4607 dissector. If a packet header contains a null packet-size field, the parser does not advance the offset, causing repeated reads of the same zero-length packet. NVD classifies the weakness as CWE-835, and the CVSS vector indicates a network-exploitable flaw that requires no privileges and no user interaction, with high impact on availability only.
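
The bounded loop below is an added example, not code from Wireshark or the NVD record: it walks size-prefixed packets and rejects any size field that could not advance the read offset. The 32-byte header with a big-endian size at bytes 2..5 is an assumed, simplified layout, and all function names are hypothetical.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

/* Assumed, simplified layout (not from the page): each packet starts with a
 * 32-byte header; bytes 2..5 hold the total packet size, big-endian. */
#define HDR_LEN 32u
#define SIZE_OFF 2u
enum { WALK_OK = 0, WALK_TRUNCATED = -1, WALK_BAD_SIZE = -2 };

static uint32_t be32(const uint8_t *p)
{
    return (uint32_t)p[0] << 24 | (uint32_t)p[1] << 16 | (uint32_t)p[2] << 8 | p[3];
}

/* Walk all packets in buf and count them; every pass advances >= HDR_LEN. */
int walk_packets(const uint8_t *buf, size_t len, size_t *count)
{
    size_t off = 0;
    *count = 0;
    while (off < len) {
        if (len - off < HDR_LEN)
            return WALK_TRUNCATED;
        uint32_t size = be32(buf + off + SIZE_OFF);
        /* size == 0 would leave off unchanged and loop forever (CWE-835). */
        if (size < HDR_LEN)
            return WALK_BAD_SIZE;
        if (size > len - off)
            return WALK_TRUNCATED;
        off += size;
        (*count)++;
    }
    return WALK_OK;
}

/* Constructed sample: a valid 40-byte packet, then a header with a chosen size. */
int walk_sample(uint32_t second_size, size_t *count)
{
    uint8_t buf[72] = {0};
    buf[SIZE_OFF + 3] = 40;
    for (int i = 0; i < 4; i++)
        buf[40 + SIZE_OFF + i] = (uint8_t)(second_size >> (24 - 8 * i));
    return walk_packets(buf, sizeof buf, count);
}

int main(void)
{
    size_t n;
    printf("zero size field: rc=%d\n", walk_sample(0, &n));
    return 0;
}
```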

Defensive priority

High. The flaw can be triggered by malformed input during routine file analysis and may quickly consume memory, disrupting analyst workflows or services that process captures automatically.

Recommended defensive actions

  • Upgrade Wireshark to a version newer than 2.2.4.
  • Apply vendor and downstream advisories referenced in the record, including Debian and Gentoo guidance where applicable.
  • Treat STANAG 4607 capture files from untrusted sources as hostile input and analyze them in a controlled environment.
  • If capture parsing is automated, add file validation and resource limits so malformed inputs cannot exhaust memory.
  • Monitor for parser hangs, runaway memory usage, or abnormal crashes when processing packet captures.

Evidence notes

This debrief is based on the NVD record for CVE-2017-6014, which states that Wireshark 2.2.4 and earlier are affected by crafted or malformed STANAG 4607 capture files causing infinite looping and memory exhaustion. The record also lists references to a Debian security advisory, Wireshark Bugzilla issue 13416, and a Gentoo GLSA. The CVE was published on 2017-02-17 and later modified in NVD on 2026-05-13; those dates are used only as record timing context.

Official resources

Publicly disclosed in the CVE/NVD record on 2017-02-17; NVD last modified the record on 2026-05-13.