PatchSiren

CVE-2017-5597 Wireshark CVE debrief

CVE-2017-5597 is a Wireshark denial-of-service issue in the DHCPv6 dissector. A malformed capture file or injected packet can drive the parser into a large loop because of an integer overflow in packet-dhcpv6.c. The issue was fixed by changing a data type to prevent the overflow.

Vendor: Wireshark
Product: CVE-2017-5597
CVSS: HIGH 7.5
CISA KEV: Not listed in stored evidence
Original CVE published: 2017-01-25
Original CVE updated: 2026-05-13
Advisory published: 2017-01-25
Advisory updated: 2026-05-13

Who should care

Anyone running affected Wireshark releases, especially teams that routinely open untrusted packet captures, analyze live traffic, or process captures from external sources. SOC analysts, incident responders, and lab environments that rely on Wireshark for packet inspection should treat this as a priority availability issue.

Technical summary

NVD lists Wireshark 2.0.0 through 2.0.9 and 2.2.0 through 2.2.3 as vulnerable. The DHCPv6 dissector could enter a large loop due to an integer overflow in epan/dissectors/packet-dhcpv6.c, triggered by packet injection or a malformed capture file. The vendor fix changed the relevant data type to avoid the overflow; NVD classifies the weakness as CWE-190.

Defensive priority

High. The vulnerability is network-reachable in the sense that crafted packets or captures can trigger it, requires no privileges or user interaction per the CVSS vector, and has high availability impact (CVSS 7.5, AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H).

Recommended defensive actions

  • Upgrade Wireshark to a release newer than the affected 2.0.0-2.0.9 and 2.2.0-2.2.3 ranges.
  • Prioritize patching systems that routinely ingest untrusted captures or live traffic.
  • Review any automated analysis pipelines or lab systems that open PCAP files from external or untrusted sources.
  • Use the Wireshark vendor advisory and linked patch references to confirm the fixed build in your environment.
  • Treat malformed capture files and injected traffic as potential denial-of-service inputs for vulnerable analysis systems until patched.
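
A version check against the affected ranges listed above, as an added example that is not part of the original debrief or of any Wireshark tooling. The function names and the sample banners are constructed for illustration, and the script assumes the version appears as major.minor.patch on the first line of `tshark --version`.

```python
import re
import shutil
import subprocess

# Affected ranges as listed by NVD on this page (inclusive bounds).
AFFECTED_RANGES = [((2, 0, 0), (2, 0, 9)), ((2, 2, 0), (2, 2, 3))]

_VERSION_RE = re.compile(r"\b(\d+)\.(\d+)\.(\d+)\b")


def parse_version(banner):
    """Return (major, minor, patch) from a version banner, or None."""
    m = _VERSION_RE.search(banner)
    return tuple(int(p) for p in m.groups()) if m else None


def is_affected(banner):
    """True/False for a parsed version, None when no version is found."""
    version = parse_version(banner)
    if version is None:
        return None
    # Tuple comparison is numeric, so 2.0.10 sorts after 2.0.9.
    return any(lo <= version <= hi for lo, hi in AFFECTED_RANGES)


def check_local(binary="tshark"):
    """Check the binary on PATH; returns (banner, affected) or None."""
    path = shutil.which(binary)
    if path is None:
        return None
    out = subprocess.run([path, "--version"], capture_output=True,
                         text=True, timeout=10).stdout
    first = out.splitlines()[0] if out else ""
    return first, is_affected(first)


# Constructed sample banners, not captured from real hosts.
SAMPLES = [
    "TShark (Wireshark) 2.2.3 (constructed)",
    "TShark (Wireshark) 2.0.10 (constructed)",
    "TShark (Wireshark) 2.2.4 (constructed)",
]

if __name__ == "__main__":
    for banner in SAMPLES:
        print(f"{banner!r}: affected={is_affected(banner)}")
    print("local tshark:", check_local())
```

A result of None from `is_affected` means the banner could not be parsed and the host needs a manual check rather than being counted as fixed.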

Evidence notes

The NVD record and CVE references identify the affected Wireshark versions, the DHCPv6 dissector location, and CWE-190. The CVE description states the trigger conditions (packet injection or malformed capture file) and the fix approach (data type change to avoid integer overflow). Timing context: the CVE was published on 2017-01-25 and the NVD record was last modified on 2026-05-13. No KEV listing is present in the supplied data.

Official resources

Public disclosure is anchored to the CVE publication date of 2017-01-25, with vendor, patch, and downstream advisory references linked from the record. The NVD entry was later modified on 2026-05-13.