Wireshark-dev: [Wireshark-dev] Re: Clarification on Heimdal Kerberos CVEs in Wireshark 4.0.17

From: kundan kumar <kundank3069@xxxxxxxxx>
Date: Sat, 18 Apr 2026 12:02:01 +0530

Hi John and Gerald,

Thank you for the detailed responses — very helpful.

To clarify, our platform is Linux with a custom Yocto build where Kerberos support is disabled. Our tshark -v output confirms this:


TShark (Wireshark) 4.0.17

Compiled (64-bit) with GLib 2.66.8, with PCRE2, without zlib,
with libpcap, with POSIX capabilities (Linux), with libnl 3,
with Lua 5.2.4, with GnuTLS 3.7.4, with Gcrypt 1.9.4-unknown,
without Kerberos, without MaxMind, without nghttp2, without brotli,
without LZ4, without Zstandard, without Snappy, with libxml2 2.9.14,
without libsmi, with binary plugins.

A few follow-up questions:

  1. Since our build is compiled without Kerberos (no Heimdal or MIT Kerberos linked), is it safe to confirm that these 10 Heimdal CVEs do not affect our Wireshark installation?

  2. We are planning to upgrade to the 4.4.x or 4.6.x branch.

    • Will moving to these versions also resolve these 10 Heimdal Kerberos CVEs?

    • Or are they only relevant when Kerberos support is compiled in?

  3. Is there a way to determine which version of Heimdal or MIT Kerberos is used/supported in the Wireshark 4.4.x and 4.6.x series?

    • Does Wireshark bundle a specific Heimdal version internally?

    • Or does it depend entirely on the system-installed Kerberos library at compile time?

Thank you again for your time ...

Best regards,
Kundan Kumar
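
The build check described in the message above (reading the compiled-feature list from `tshark -v`), written as an added example that is not part of the original message or of Wireshark itself. It reports only what the binary says about its own compile-time linkage; the function names and the second sample, including its "with MIT Kerberos" wording, are constructed for illustration.

```python
import re

# Build-info text as posted in the message above.
POSTED = """\
TShark (Wireshark) 4.0.17

Compiled (64-bit) with GLib 2.66.8, with PCRE2, without zlib,
with libpcap, with POSIX capabilities (Linux), with libnl 3,
with Lua 5.2.4, with GnuTLS 3.7.4, with Gcrypt 1.9.4-unknown,
without Kerberos, without MaxMind, without nghttp2, without brotli,
without LZ4, without Zstandard, without Snappy, with libxml2 2.9.14,
without libsmi, with binary plugins.
"""

# Constructed sample (not from the message): a build that links a Kerberos library.
CONSTRUCTED = """\
TShark (Wireshark) 4.0.17

Compiled (64-bit) with GLib 2.66.8, with MIT Kerberos,
without MaxMind, with binary plugins.
"""

def compiled_features(version_text):
    """Return {feature: True/False} from the 'Compiled ...' paragraph of `tshark -v`."""
    # Paragraphs are separated by blank lines; the one we want starts with "Compiled".
    for para in re.split(r"\n\s*\n", version_text.strip()):
        if para.lstrip().startswith("Compiled"):
            break
    else:
        raise ValueError("no 'Compiled' paragraph found; cannot decide")
    flat = " ".join(para.split()).rstrip(".")  # undo the line wrapping
    features = {}
    for item in flat.split(", "):
        m = re.search(r"\b(with|without) (.+)$", item)
        if m:
            features[m.group(2)] = (m.group(1) == "with")
    return features

def kerberos_linked(version_text):
    """True if a Kerberos feature is compiled in, False if it is listed as 'without'."""
    hits = {k: v for k, v in compiled_features(version_text).items() if "kerberos" in k.lower()}
    if not hits:
        # Fail closed: an unrecognised format must not be read as "not linked".
        raise ValueError("Kerberos not mentioned in build info; cannot decide")
    return any(hits.values())

if __name__ == "__main__":
    print(kerberos_linked(POSTED), kerberos_linked(CONSTRUCTED))
```

On a real system the same functions can be fed the captured output of `tshark -v` instead of the embedded strings.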