CVE-2026-9759 Wireshark Foundation CVE debrief

Who should care

Network administrators, security analysts, and incident responders who use Wireshark for packet analysis; organizations with security operations centers relying on Wireshark for traffic inspection; developers and QA teams using Wireshark in automated capture analysis pipelines

Technical summary

The ROHC (Robust Header Compression) protocol dissector in Wireshark contains a vulnerability that can trigger a crash when handling malformed packets. The affected versions span two release branches: 4.6.x (4.6.0 through 4.6.5) and 4.4.x (4.4.0 through 4.4.15). The CVSS 3.1 vector (AV:L/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:H) indicates the attack requires local access and user interaction, with high impact to availability but no confidentiality or integrity impact. The underlying weakness is categorized as CWE-476 (NULL Pointer Dereference).

Defensive priority

medium

Recommended defensive actions

• Upgrade Wireshark to a version outside the affected ranges (4.6.0-4.6.5, 4.4.0-4.4.15) once patches become available
• Monitor Wireshark security advisories for updated fixed versions
• Restrict capture file analysis to trusted sources and sandboxed environments where possible
• Review and update endpoint security controls to detect unexpected Wireshark process terminations

Evidence notes

Vulnerability affects Wireshark ROHC dissector in specified version ranges. CVSS vector indicates local attack vector with user interaction required. CWE-476 classification suggests NULL pointer dereference as root cause.

Official resources