Wireshark 4.6.4 Packet Analyzer Fixes USB HID Memory Exhaustion

Wireshark, the widely used open-source tool for packet capture and network analysis, has released version 4.6.4, bringing a mix of security patches, stability fixes, and performance improvements.

This update resolves three vulnerabilities (CVE-2026-3201, CVE-2026-3202, and CVE-2026-3203). The fixes address a memory exhaustion issue in the USB HID dissector and crash conditions affecting the NTS-KE and RF4CE Profile dissectors.

In addition to security updates, several reliability problems have been corrected. For example, Wireshark could previously fail to launch when Npcap was configured to allow access only for administrators — that issue has now been fixed.

Multiple protocol decoding problems were also improved. These include inaccuracies in Art-Net PollReply interpretation, missing support for newer Diameter RAT-Types defined in 3GPP TS 29.212, synchronization issues in the TDS dissector during certain RPC operations, and malformed packet warnings in Trigger HE Basic frames.

The release further enhances handling across a range of protocols such as BGP, IPv6, ISAKMP, MySQL, NAS-5GS, SOCKS, and USB HID.

Performance has also been refined, with a fix for a quadratic slowdown in the Expert Info subsystem that could cause long capture sessions to become progressively slower.

Command-line utilities benefit as well: TShark and editcap no longer crash when exporting to BLF format, and misleading “Dissector bug” warnings in pipeline workflows have been removed.

Finally, capture file processing has been improved. The update corrects improper writing of certain pcapng custom options, fixes invalid Darwin option blocks, and includes refinements to BLF, pcapng, and TTL handling — though it does not introduce support for any new file formats.

For more information, see the announcement.