Important security updates have been released for Wireshark, a network traffic analyzer. The updates address multiple vulnerabilities that could allow denial of service via packet injection or crafted capture files, including crashes and infinite loops in various dissectors. Affected versions include 2.6.20-0+deb10u9~deb9u2 for Debian GNU/Linux 9 (Stretch) ELTS, 10 (Buster), and 12 (Bullseye).

ELA-1646-1 wireshark security update
[DLA 4479-1] wireshark security update

ELA-1646-1 wireshark security update

Package : wireshark
Version : 2.6.20-0+deb10u9~deb9u2 (stretch), 2.6.20-0+deb10u10 (buster)

Related CVEs :
CVE-2024-9781
CVE-2024-11596
CVE-2025-5601
CVE-2025-11626
CVE-2025-13946

Multiple vulnerabilities have been fixed in the network traffic analyzer Wireshark.

CVE-2024-9781
AppleTalk and RELOAD Framing dissector crash allows denial of service via packet injection or crafted capture file.

CVE-2024-11596
ECMP dissector crash allows denial of service via packet injection or crafted capture file.

CVE-2025-5601
Column handling crashes allows denial of service via packet injection or crafted capture file.

CVE-2025-11626
MONGO dissector infinite loop allows denial of service.

CVE-2025-13946
MEGACO dissector infinite loop in allows denial of service.

ELA-1646-1 wireshark security update

[SECURITY] [DLA 4479-1] wireshark security update

-------------------------------------------------------------------------
Debian LTS Advisory DLA-4479-1 debian-lts@lists.debian.org
https://www.debian.org/lts/security/ Jochen Sprickerhof
February 16, 2026 https://wiki.debian.org/LTS
-------------------------------------------------------------------------

Package : wireshark
Version : 3.4.16-0+deb11u2
CVE ID : CVE-2024-9781 CVE-2024-11596 CVE-2025-5601 CVE-2025-11626
CVE-2025-13499 CVE-2025-13945 CVE-2025-13946 CVE-2026-0960
Debian Bug :

Multiple vulnerabilities have been fixed in the network traffic analyzer
Wireshark.

CVE-2024-9781

AppleTalk and RELOAD Framing dissector crash allows denial of
service via packet injection or crafted capture file.

CVE-2024-11596

ECMP dissector crash allows denial of service via packet injection
or crafted capture file.

CVE-2025-5601

Column handling crashes allows denial of service via packet
injection or crafted capture file.

CVE-2025-11626

MONGO dissector infinite loop allows denial of service.

CVE-2025-13499

Kafka dissector crash allows denial of service.

CVE-2025-13945

HTTP3 dissector crash allows denial of service.

CVE-2025-13946

MEGACO dissector infinite loop in allows denial of service.

CVE-2026-0960

HTTP3 protocol dissector infinite loop allows denial of service.

For Debian 11 bullseye, these problems have been fixed in version
3.4.16-0+deb11u2.

We recommend that you upgrade your wireshark packages.

For the detailed security status of wireshark please refer to
its security tracker page at:
https://security-tracker.debian.org/tracker/wireshark

Further information about Debian LTS security advisories, how to apply
these updates to your system and frequently asked questions can be
found at: https://wiki.debian.org/LTS