Wireshark-dev: [Wireshark-dev] Re: Clarification on Heimdal Kerberos CVEs in Wireshark 4.0.17

From: John Thacker <johnthacker@xxxxxxxxx>
Date: Fri, 17 Apr 2026 13:38:37 -0400
Yes, like you say. When I looked into it, it is some situation where Apple took Heimdal Kerberos, added an MIT compatibility shim, and it claims to be MIT Kerberos but is Heimdal on the inside. I don't know if there are any weird incompatibilities because of that or unavailable functions.

John

On Fri, Apr 17, 2026, 12:23 PM Gerald Combs via Wireshark-dev <wireshark-dev@xxxxxxxxxxxxx> wrote:
On my system, /Applications/Xcode.app/Contents/Developer/Platforms/MacOSX.platform/Developer/SDKs/MacOSX.sdk/System/Library/Frameworks/Kerberos.framework/Headers/krb5.h says

"Copyright 1989,1990,1995,2001, 2003, 2007  by the Massachusetts Institute of Technology."

and FindKERBEROS.cmake detects it as MIT Kerberos, not Heimdal. It might be Heimdal on the inside, but it looks very much like MIT on the outside.

Should we go ahead and remove Heimdal support? I think it's effectively dead code at this point.

On 4/17/26 7:05 AM, John Thacker wrote:
Hi Kundan Kumar,

Wireshark 4.0.17 was the last release on the 4.0 branch, which is past its official end of service date and is not receiving security updates. If you are concerned about security, you should update to a supported version, either on the 4.4 or 4.6 branch, as there are CVEs related to Wireshark code present in Wireshark 4.0.17 and fixed in later versions. Some Linux distributions, such as Debian bookworm (the "oldstable" release), continue to package 4.0.17, and it is the distribution's responsibility to apply any security fixes.

As far as the flavor of Kerberos, for macOS releases Heimdal Kerberos is used as that is what is built in to the OS, for Windows releases MIT Kerberos is used, and for Linux distributions it depends on which flavor the distribution uses to build, as both can be supported. While for instance Debian has packages for both Heimdal and MIT Kerberos, I believe their Wireshark packages are built against MIT Kerberos. Therefore it's not possible to answer your questions without knowing the platform on which you are running Wireshark, as the answer may differ, nor is anyone likely to take the time to research the answer to the question about a version which has been out of support since August 2024.

Cheers,
John Thacker

On Fri, Apr 17, 2026 at 9:52 AM kundan kumar <kundank3069@xxxxxxxxx> wrote:

Hi Wireshark Team,

Our vulnerability scanner has flagged 10 Heimdal Kerberos CVEs against Wireshark 4.0.17 by scanning libwireshark.so.16.0.17. We need your guidance on their applicability.

CVEs flagged:

CVE ID           CVSS   Description
------------------------------------------------------------
CVE-2022-44640   9.8    Heimdal ASN.1 codec RCE (invalid free)
CVE-2022-42898   8.8    Heimdal PAC parsing integer overflow RCE/DoS
CVE-2017-11103   7.4    Heimdal Orpheus' Lyre Kerberos impersonation
CVE-2018-16860   7.5    Heimdal KDC principal MITM
CVE-2019-12098   7.4    Heimdal PKINIT key exchange MITM
CVE-2017-6594    7.5    Heimdal transit path validation bypass
CVE-2017-17439   7.5    Heimdal KDC NULL pointer deref DoS
CVE-2021-44758   7.5    Heimdal SPNEGO NULL pointer deref DoS
CVE-2022-3116    7.5    Heimdal NULL pointer deref DoS
CVE-2022-41916   7.5    Heimdal PKI cert validation DoS

Our questions:

  1. Which version of Heimdal Kerberos does Wireshark 4.0.17 bundle or use internally?

  2. Do any of these 10 CVEs affect Wireshark 4.0.17?

    • If yes, which Wireshark version should we upgrade to for the fix?

    • If no, can you confirm why?

Thank you for your time.

Best regards,
Kundan Kumar

_______________________________________________
Wireshark-dev mailing list -- wireshark-dev@xxxxxxxxxxxxx
To unsubscribe send an email to wireshark-dev-leave@xxxxxxxxxxxxx
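The thread leaves Kundan's first question open because the answer depends on how a given Wireshark build was produced. The following POSIX shell script is an added example, not code from this thread or from the Wireshark project, showing how a defender can answer it locally for their own install before deciding whether Heimdal CVEs are even in scope. It reads two things: the "Compiled ... with MIT Kerberos" / "with Heimdal Kerberos" line that `tshark --version` prints, and the shared libraries the binary links (as listed by `ldd` on Linux or `otool -L` on macOS). The library-name heuristics are assumptions of this example: Heimdal ships libasn1, libroken, libhcrypto, libhx509 and libheimbase; MIT ships libk5crypto, libgssapi_krb5 and libkrb5support; both ship a libkrb5, so that name alone is treated as inconclusive; and a link against the macOS Kerberos.framework is reported separately, since as Gerald and John describe it looks like MIT from the outside but is Heimdal inside. All sample inputs below are constructed for the example.

```shell
#!/bin/sh
# Added example: classify which Kerberos flavor a Wireshark/tshark build uses.
# Heuristics (assumptions of this example, not project-defined behaviour):
#   Heimdal-only libs : libasn1 libroken libhcrypto libhx509 libheimbase
#   MIT-only libs     : libk5crypto libgssapi_krb5 libkrb5support
#   libkrb5 alone     : inconclusive (both flavors ship one)
#   Kerberos.framework: Apple framework (MIT-looking ABI, Heimdal inside)

# Read `tshark --version` text on stdin; print mit | heimdal | generic | none.
krb_flavor_from_version() {
    text=$(cat)
    case "$text" in
        *"MIT Kerberos"*)     echo mit ;;
        *"Heimdal Kerberos"*) echo heimdal ;;
        *"with Kerberos"*)    echo generic ;;   # Kerberos on, flavor not stated
        *)                    echo none ;;
    esac
}

# Read `ldd` / `otool -L` output on stdin; print
# heimdal | mit | mixed | macos-framework | krb5-unidentified | none.
krb_flavor_from_libs() {
    text=$(cat)
    case "$text" in *"Kerberos.framework"*) echo macos-framework; return ;; esac
    heimdal=0; mit=0
    for lib in libasn1 libroken libhcrypto libhx509 libheimbase; do
        case "$text" in *"$lib."*) heimdal=1 ;; esac
    done
    for lib in libk5crypto libgssapi_krb5 libkrb5support; do
        case "$text" in *"$lib."*) mit=1 ;; esac
    done
    if [ "$heimdal" -eq 1 ] && [ "$mit" -eq 1 ]; then echo mixed
    elif [ "$heimdal" -eq 1 ]; then echo heimdal
    elif [ "$mit" -eq 1 ]; then echo mit
    else
        case "$text" in
            *"libkrb5."*) echo krb5-unidentified ;;
            *)            echo none ;;
        esac
    fi
}

# Inspect a real binary or library, e.g. inspect_build /usr/bin/tshark
# or inspect_build /usr/lib/x86_64-linux-gnu/libwireshark.so.16.0.17
# (a bare library has no --version; only the link check applies then).
inspect_build() {
    bin=$1
    if [ -x "$bin" ] && "$bin" --version >/dev/null 2>&1; then
        echo "version text : $("$bin" --version 2>/dev/null | krb_flavor_from_version)"
    fi
    if command -v ldd >/dev/null 2>&1; then
        echo "linked libs  : $(ldd "$bin" 2>/dev/null | krb_flavor_from_libs)"
    elif command -v otool >/dev/null 2>&1; then
        echo "linked libs  : $(otool -L "$bin" 2>/dev/null | krb_flavor_from_libs)"
    fi
}

# Constructed sample inputs (shape of real output, values invented).
SAMPLE_VERSION_MIT='TShark (Wireshark) 4.0.17.
Compiled (64-bit) using GCC, with GLib, with MIT Kerberos, with Lua.'
SAMPLE_VERSION_HEIMDAL='TShark (Wireshark) 4.0.17.
Compiled (64-bit) using Clang, with GLib, with Heimdal Kerberos, with Lua.'
SAMPLE_LDD_MIT='	libkrb5.so.3 => /lib/x86_64-linux-gnu/libkrb5.so.3 (0x0000)
	libk5crypto.so.3 => /lib/x86_64-linux-gnu/libk5crypto.so.3 (0x0000)
	libgssapi_krb5.so.2 => /lib/x86_64-linux-gnu/libgssapi_krb5.so.2 (0x0000)'
SAMPLE_LDD_HEIMDAL='	libkrb5.so.26 => /usr/lib/x86_64-linux-gnu/heimdal/libkrb5.so.26 (0x0000)
	libasn1.so.8 => /usr/lib/x86_64-linux-gnu/heimdal/libasn1.so.8 (0x0000)
	libroken.so.19 => /usr/lib/x86_64-linux-gnu/heimdal/libroken.so.19 (0x0000)'
SAMPLE_OTOOL_MACOS='/System/Library/Frameworks/Kerberos.framework/Versions/A/Kerberos (compatibility version 5.0.0)'

# Stand-alone run: with a path argument inspect that binary, otherwise
# show the classifier on the constructed samples.
if [ $# -gt 0 ]; then
    inspect_build "$1"
else
    printf 'MIT version text     -> %s\n' "$(printf '%s' "$SAMPLE_VERSION_MIT" | krb_flavor_from_version)"
    printf 'Heimdal version text -> %s\n' "$(printf '%s' "$SAMPLE_VERSION_HEIMDAL" | krb_flavor_from_version)"
    printf 'MIT ldd              -> %s\n' "$(printf '%s' "$SAMPLE_LDD_MIT" | krb_flavor_from_libs)"
    printf 'Heimdal ldd          -> %s\n' "$(printf '%s' "$SAMPLE_LDD_HEIMDAL" | krb_flavor_from_libs)"
    printf 'macOS otool          -> %s\n' "$(printf '%s' "$SAMPLE_OTOOL_MACOS" | krb_flavor_from_libs)"
fi
```

Two results matter for triage: a build reporting `mit` in both checks does not contain Heimdal code, so Heimdal CVEs flagged purely on the file name or version do not apply to it (the scanner should be told the finding is a false positive with this evidence attached); a build reporting `heimdal`, or `macos-framework`, links the system Heimdal rather than bundling one, so the relevant question becomes which OS or distribution Heimdal package is installed and whether that package is patched, not which Wireshark version is in use.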
