Executive Summary

CVE-2025-9817 is a vulnerability in Wireshark versions 4.4.0 to 4.4.8 where the SSH dissector component crashes when processing certain malformed SSH packets. The crash is caused by a null pointer dereference in the SSH dissector's key exchange shared secret handling code, specifically in the function ssh_kex_shared_secret. This happens due to improper input validation and memory handling when dissecting malformed packets, leading to a segmentation fault and causing Wireshark to crash. [1, 2]

Useful 0 Not Useful 0

Impact Analysis

This vulnerability can cause Wireshark to crash (denial of service) when it processes specially crafted malformed SSH packets or packet capture files. This can disrupt network traffic analysis or automated packet inspection systems relying on Wireshark, potentially delaying or preventing the analysis of network data. An attacker could exploit this by injecting malformed packets or convincing a user to open a malicious capture file, causing the application to stop functioning. [1, 2]

Useful 0 Not Useful 0

Detection Guidance

This vulnerability can be detected by analyzing network traffic or packet capture files for malformed SSH packets that trigger the Wireshark SSH dissector crash. Specifically, using fuzzing tools or monitoring for crashes of Wireshark when processing SSH traffic may indicate the presence of this issue. However, no specific detection commands are provided in the available resources. [1, 2]

Useful 0 Not Useful 0

Mitigation Strategies

The immediate mitigation step is to upgrade Wireshark to version 4.4.9 or later, where this vulnerability has been fixed. Avoid opening untrusted or suspicious SSH packet capture files and consider restricting the use of vulnerable Wireshark versions until the upgrade is applied. [1]

Useful 0 Not Useful 0