Wireshark-dev: [Wireshark-dev] Re: Clarification on Heimdal Kerberos CVEs in Wireshark 4.0.17

From: John Thacker <johnthacker@xxxxxxxxx>
Date: Sat, 18 Apr 2026 07:23:17 -0400
1. It is safe to say that those CVEs do not affect your installation, without Kerberos support.
2. Yocto Linux, like most Linux distributions, supplies MIT Kerberos, so any Heimdal-specific CVEs would not affect it in any case.
3. Wireshark only uses a small subset of the Kerberos API to dissect information about Kerberos packets, not to engage in Kerberos authentication, so even if Heimdal were used, it is unclear if any of the CVEs would affect Wireshark.
4. For Linux systems, the Kerberos flavor depends on the system-installed Kerberos library at compile time, which is usually MIT Kerberos. Wireshark is generally built with shared libraries, which means that the version of the shared library can be upgraded after compilation to fix CVEs. (The answers are slightly different for Windows and macOS.)
5. Upgrading to the 4.4 or 4.6 branch would not affect these CVEs on Linux, but would resolve other security issues and we would strongly recommend you update as 4.2 is out of support and not receiving security fixes.

Cheers,
John Thacker

On Sat, Apr 18, 2026 at 2:32 AM kundan kumar <kundank3069@xxxxxxxxx> wrote:

Hi John and Gerald,

Thank you for the detailed responses — very helpful.

To clarify, our platform is Linux with a custom Yocto build where Kerberos support is disabled. Our tshark -v output confirms this:


TShark (Wireshark) 4.0.17

Compiled (64-bit) with GLib 2.66.8, with PCRE2, without zlib,
with libpcap, with POSIX capabilities (Linux), with libnl 3,
with Lua 5.2.4, with GnuTLS 3.7.4, with Gcrypt 1.9.4-unknown,
without Kerberos, without MaxMind, without nghttp2, without brotli,
without LZ4, without Zstandard, without Snappy, with libxml2 2.9.14,
without libsmi, with binary plugins.

A few follow-up questions:

  1. Since our build is compiled without Kerberos (no Heimdal or MIT Kerberos linked), is it safe to confirm that these 10 Heimdal CVEs do not affect our Wireshark installation?

  2. We are planning to upgrade to the 4.4.x or 4.6.x branch.

    • Will moving to these versions also resolve these 10 Heimdal Kerberos CVEs?

    • Or are they only relevant when Kerberos support is compiled in?

  3. Is there a way to determine which version of Heimdal or MIT Kerberos is used/supported in the Wireshark 4.4.x and 4.6.x series?

    • Does Wireshark bundle a specific Heimdal version internally?

    • Or does it depend entirely on the system-installed Kerberos library at compile time?

Thank you again for your time ...

Best regards,
Kundan Kumar
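
A build-side check for points 1 and 4 of the reply above, as an added example that is not part of the original thread or of Wireshark's own code: it classifies the Kerberos support reported by `tshark -v` and, separately, the Kerberos shared library the binary actually links against. The function names are hypothetical; the "with MIT Kerberos" and "with Heimdal Kerberos" strings and the library names used to tell the flavors apart are assumptions, since only "without Kerberos" appears in the thread.

```shell
#!/bin/sh
# Added example: classify Kerberos support in a Wireshark build.

# Reads `tshark -v` text on stdin; prints none|mit|heimdal|unknown|undetermined.
# Only "without Kerberos" is shown in the thread; the other strings are assumed.
kerberos_from_version() {
    # The "Compiled ..." paragraph is line-wrapped, so join it before matching.
    text=$(tr '\n' ' ' | tr -s ' ')
    case "$text" in
        *"without Kerberos"*)      echo none ;;
        *"with MIT Kerberos"*)     echo mit ;;
        *"with Heimdal Kerberos"*) echo heimdal ;;
        *Kerberos*)                echo unknown ;;
        *)                         echo undetermined ;;
    esac
}

# Reads `ldd` output on stdin; prints the flavor of the library actually loaded.
# Assumption: Heimdal pulls in libheimbase/libhx509/libroken, MIT libk5crypto.
kerberos_from_ldd() {
    libs=$(cat)
    if printf '%s\n' "$libs" | grep -Eq 'libheimbase|libhx509|libroken'; then
        echo heimdal
    elif printf '%s\n' "$libs" | grep -q 'libk5crypto'; then
        echo mit
    elif printf '%s\n' "$libs" | grep -q 'libkrb5'; then
        echo unknown
    else
        echo none
    fi
}

# Sample inputs: build line abridged from the thread; ldd lines are constructed.
SAMPLE_NO_KRB='Compiled (64-bit) with GLib 2.66.8, with PCRE2, without zlib,
with Lua 5.2.4, with GnuTLS 3.7.4, with Gcrypt 1.9.4-unknown,
without Kerberos, without MaxMind, without nghttp2, with binary plugins.'
SAMPLE_LDD_MIT='    libkrb5.so.3 => /usr/lib/libkrb5.so.3 (0x00007f0000000000)
    libk5crypto.so.3 => /usr/lib/libk5crypto.so.3 (0x00007f0000100000)'

echo "sample build:  $(printf '%s\n' "$SAMPLE_NO_KRB" | kerberos_from_version)"
echo "sample ldd:    $(printf '%s\n' "$SAMPLE_LDD_MIT" | kerberos_from_ldd)"

# On a real system (skipped when tshark is not installed):
if command -v tshark >/dev/null 2>&1; then
    echo "tshark build:  $(tshark -v 2>/dev/null | kerberos_from_version)"
    echo "tshark linked: $(ldd "$(command -v tshark)" 2>/dev/null | kerberos_from_ldd)"
fi
```

The version-string result reflects what was chosen at compile time; the `ldd` result reflects the shared library that can be upgraded afterwards to pick up Kerberos fixes.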
