PatchSiren

CVE-2017-6468 Wireshark CVE debrief

CVE-2017-6468 is a Wireshark denial-of-service issue in the NetScaler file parser. According to the CVE record, malformed capture files could trigger a parser crash in affected Wireshark releases, and the fix was to validate the relationship between pages and records in wiretap/netscaler.c. The issue affects Wireshark 2.0.0 through 2.0.10 and 2.2.0 through 2.2.4. Because the impact is availability-only but the vulnerable parser is reachable by opening crafted content, this is a high-priority patch for teams that rely on Wireshark to inspect untrusted captures.

Vendor: Wireshark
Product: CVE-2017-6468
CVSS: HIGH 7.5
CISA KEV: Not listed in stored evidence
Original CVE published: 2017-03-04
Original CVE updated: 2026-05-13
Advisory published: 2017-03-04
Advisory updated: 2026-05-13

Who should care

Security teams, network analysts, SOC staff, packet-capture reviewers, and anyone running affected Wireshark versions to open or analyze capture files—especially when those files may come from untrusted or external sources.

Technical summary

NVD lists the weakness as CWE-20 (improper input validation) and assigns CVSS 3.0 vector AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H. The CVE description states that a malformed capture file could crash Wireshark’s NetScaler parser, and the referenced fix in wiretap/netscaler.c validates the relationship between pages and records. Affected versions are 2.0.0-2.0.10 and 2.2.0-2.2.4.

Defensive priority

High. The flaw can crash analysis tooling and affects widely used Wireshark versions, but the supplied record indicates availability impact rather than code execution or data theft.

Recommended defensive actions

  • Upgrade Wireshark to a fixed release that includes the wiretap/netscaler.c validation change.
  • Treat untrusted or externally supplied capture files as potentially crash-inducing until vulnerable versions are removed.
  • If you must keep affected versions temporarily, isolate analysis systems and limit who can open suspicious capture files.
  • Review downstream package advisories and distribution security notices for backported fixes.
  • Use the official Wireshark advisory and referenced bug/commit records to confirm the corrected release in your environment.
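
An added example (not part of the original debrief and not Wireshark project code): a triage helper that classifies installed Wireshark versions against the affected ranges stated above. The host names, version strings, and status labels are constructed for illustration; a version carrying a packaging suffix is flagged for manual review, since a backported fix cannot be inferred from the version number alone.

```python
import re

# Affected ranges as stated in this debrief (inclusive bounds).
AFFECTED_RANGES = [((2, 0, 0), (2, 0, 10)), ((2, 2, 0), (2, 2, 4))]

# First x.y.z in the string, plus any packaging suffix glued to it.
_VERSION_RE = re.compile(r"(?<![\d.])(\d+)\.(\d+)\.(\d+)(\S*)")


def classify(version_text):
    """Classify a version string or `tshark --version` banner line."""
    match = _VERSION_RE.search(version_text)
    if match is None:
        return "unknown"
    version = tuple(int(part) for part in match.group(1, 2, 3))
    if not any(low <= version <= high for low, high in AFFECTED_RANGES):
        return "outside-stated-range"
    # A packaging suffix means a distribution build, which may carry a
    # backported fix; the version number alone cannot confirm either way.
    if match.group(4).strip(".,;)"):
        return "check-backport"
    return "affected"


def triage(inventory):
    """Map each host to its classification."""
    return {host: classify(text) for host, text in inventory}


# Constructed sample inventory (host names and version strings are made up).
SAMPLE_INVENTORY = [
    ("analyst-01", "TShark (Wireshark) 2.2.4 (v2.2.4-0-gcc3dc1b)"),
    ("analyst-02", "2.0.10"),
    ("soc-jump", "wireshark 2.2.2+g9c5aae3-1"),
    ("lab-03", "2.2.5"),
    ("legacy-07", "version not recorded"),
]

if __name__ == "__main__":
    for host, status in triage(SAMPLE_INVENTORY).items():
        print(f"{host}: {status}")
```

Hosts reported as `check-backport` need the distribution's security notice to confirm whether the wiretap/netscaler.c fix is present.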

Evidence notes

This debrief is based on the supplied CVE description, NVD metadata, and the listed official/vendor references. The CVE text explicitly states the crash was triggered by malformed capture files and that the fix validated the pages-to-records relationship in wiretap/netscaler.c. NVD provides the affected version ranges, CWE-20 classification, and CVSS 3.0 vector. The timeline uses the CVE published date of 2017-03-04 and does not infer any later modification date as the original disclosure date.

Official resources

Publicly disclosed in the CVE record on 2017-03-04. This summary reflects the original publication date and uses the later modified timestamp only as metadata, not as the issue date.