PatchSiren

CVE-2017-6467 Wireshark CVE debrief

CVE-2017-6467 is a Wireshark denial-of-service issue in the Netscaler file parser. A malformed capture file could drive the parser into an infinite loop, resulting in a hang and loss of availability. NVD rates the issue HIGH with CVSS 3.0 vector AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H, reflecting that it can be triggered without privileges or user interaction and primarily affects service availability.

  • Vendor: Wireshark
  • Product: CVE-2017-6467
  • CVSS: HIGH 7.5
  • CISA KEV: Not listed in stored evidence
  • Original CVE published: 2017-03-04
  • Original CVE updated: 2026-05-13
  • Advisory published: 2017-03-04
  • Advisory updated: 2026-05-13

Who should care

Teams that use Wireshark to process untrusted or externally supplied capture files should care most, including network analysts, SOCs, incident response teams, lab environments, and package maintainers responsible for Wireshark builds in downstream distributions.

Technical summary

The vulnerability is a Netscaler file parser infinite loop in Wireshark’s wiretap/netscaler.c code path. NVD classifies the weakness as CWE-835 (loop with unreachable exit condition). The public description says the issue was addressed by changing the restrictions on file size, which prevents the malformed capture from keeping the parser in a non-terminating state. Affected versions listed in NVD are Wireshark 2.0.0 through 2.0.10 and 2.2.0 through 2.2.4.

Defensive priority

High for any environment that ingests capture files from outside the trust boundary or runs Wireshark in automated analysis workflows. The impact is availability-only, but the lack of required privileges or interaction makes timely patching important.

Recommended defensive actions

  • Upgrade Wireshark to a version that includes the fix for CVE-2017-6467.
  • Apply vendor or distribution security updates, including downstream packages that incorporate the patched parser.
  • Treat untrusted capture files as potentially disruptive input and isolate analysis workloads where practical.
  • Add monitoring or watchdog controls for analysis jobs so parser hangs are detected and recovered quickly.
  • Review internal tooling that batch-processes capture files to ensure it uses a fixed Wireshark build.
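
The watchdog and isolation items above can be combined in a small batch wrapper. The sketch below is an added example, not code from Wireshark or from this debrief: it runs a parser command on each capture under a wall-clock timeout and a CPU-time limit, and moves any file that hangs the parser into a quarantine directory. The `tshark -r` command, the limit values and all function names are assumptions, and a POSIX host is assumed.

```python
import os
import resource
import signal
import subprocess

# Assumption: captures are parsed with "tshark -r <file>"; any parser command works.
PARSER_CMD = ("tshark", "-r")

def _cap_cpu(cpu_seconds):
    """Build a child-side hook that caps CPU time (POSIX only)."""
    def hook():
        # Soft limit raises SIGXCPU; hard limit one second later forces SIGKILL.
        resource.setrlimit(resource.RLIMIT_CPU, (cpu_seconds, cpu_seconds + 1))
    return hook

def analyze(path, cmd=PARSER_CMD, wall_timeout=60, cpu_seconds=30):
    """Parse one capture under a watchdog; return 'ok', 'error' or 'hung'."""
    proc = subprocess.Popen(
        [*cmd, path],
        stdout=subprocess.DEVNULL, stderr=subprocess.DEVNULL,
        start_new_session=True,          # own process group, so helpers die too
        preexec_fn=_cap_cpu(cpu_seconds),
    )
    try:
        rc = proc.wait(timeout=wall_timeout)
    except subprocess.TimeoutExpired:
        try:
            os.killpg(proc.pid, signal.SIGKILL)
        except ProcessLookupError:
            pass                          # exited between timeout and kill
        proc.wait()
        return "hung"
    if rc in (-signal.SIGXCPU, -signal.SIGKILL):
        return "hung"                     # spun on CPU until the rlimit fired
    return "ok" if rc == 0 else "error"

def run_batch(paths, quarantine_dir, **limits):
    """Analyze each capture; move files that hang the parser aside."""
    os.makedirs(quarantine_dir, exist_ok=True)
    results = {}
    for path in paths:
        results[path] = analyze(path, **limits)
        if results[path] == "hung":
            os.replace(path, os.path.join(quarantine_dir, os.path.basename(path)))
    return results
```

A "hung" result is a signal to check the Wireshark build in use against the affected version ranges, and the quarantined file should only be reopened on a fixed build.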

Evidence notes

The summary is based on the NVD CVE record, the Wireshark vendor advisory reference, the Bugzilla issue/patch reference, and the listed advisory references. The supplied NVD data states the vulnerability status as Modified and includes affected version ranges, the CVSS vector, and CWE-835. No Known Exploited Vulnerabilities entry was supplied for this CVE.

Official resources

Publicly disclosed on 2017-03-04. The supplied data does not include a KEV listing for this CVE.