PatchSiren

PatchSiren cyber security CVE debrief

CVE-2016-7406 Dropbear SSH Project CVE debrief

CVE-2016-7406 is a critical vulnerability in Dropbear SSH before 2016.74. NVD describes a format string issue in the username or host argument that can allow remote attackers to execute arbitrary code, with a network-exploitable CVSS 3.0 score of 9.8.

Vendor: Dropbear SSH Project
Product: CVE-2016-7406
CVSS: CRITICAL 9.8
CISA KEV: Not listed in stored evidence
Original CVE published: 2017-03-03
Original CVE updated: 2026-05-13
Advisory published: 2017-03-03
Advisory updated: 2026-05-13

Who should care

Administrators, embedded-device vendors, and distro maintainers running Dropbear SSH 2016.73 or earlier should treat this as urgent, especially on any system reachable over the network.

Technical summary

The NVD record marks Dropbear SSH versions through 2016.73 as vulnerable and assigns CVSS 3.0 AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H. The issue is described as a format string vulnerability involving the username or host argument, which can enable remote code execution. NVD also maps the weakness to CWE-20.

Defensive priority

Critical. Patch immediately by upgrading to Dropbear SSH 2016.74 or later, then verify no affected version remains deployed.

Recommended defensive actions

  • Upgrade Dropbear SSH to 2016.74 or later on all affected systems.
  • Inventory appliances, routers, and embedded systems that bundle Dropbear SSH and confirm the embedded version.
  • Prioritize internet-reachable SSH services and remote-access appliances for immediate remediation.
  • Check vendor advisories or distro backports, especially if a full package upgrade is not available.
  • After updating, confirm the running Dropbear build is no longer 2016.73 or earlier.
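The last item above is easy to get wrong by eye, since Dropbear version strings mix an old "0.52" style with the newer "2016.73" style. As an added example (not part of the PatchSiren debrief or the Dropbear project), the Python below parses the Dropbear version out of an SSH identification banner and flags anything below 2016.74; the banner layout SSH-2.0-dropbear_<version>, the host names and the sample banners are assumptions constructed for illustration.

```python
import re
import socket

# Constructed sample banners for offline use; no real hosts were contacted.
SAMPLE_BANNERS = {
    "router-a": "SSH-2.0-dropbear_2016.73",
    "router-b": "SSH-2.0-dropbear_2016.74\r\n",
    "nas-old": "SSH-2.0-dropbear_0.52",
    "server-c": "SSH-2.0-OpenSSH_8.9p1 Ubuntu-3ubuntu0.6",
}

# First release carrying the fix for CVE-2016-7406 (per the debrief above).
FIXED_VERSION = (2016, 74)

# Assumed banner layout: "SSH-<proto>-dropbear_<year-or-major>.<release>[suffix]".
BANNER_RE = re.compile(r"^SSH-[\d.]+-dropbear_(\d+)\.(\d+)")

def parse_dropbear_version(banner):
    """Return (major, release) from a Dropbear banner, or None if not Dropbear."""
    m = BANNER_RE.match(banner.strip())
    if not m:
        return None
    # Tuple comparison orders old "0.52"-style and newer "2016.73"-style the same way.
    return (int(m.group(1)), int(m.group(2)))

def is_vulnerable(banner):
    """True if Dropbear <= 2016.73, False if patched, None if not Dropbear."""
    version = parse_dropbear_version(banner)
    if version is None:
        return None
    return version < FIXED_VERSION

def triage(banners):
    """Classify each host's banner as vulnerable / patched / not-dropbear."""
    labels = {True: "vulnerable", False: "patched", None: "not-dropbear"}
    return {host: labels[is_vulnerable(b)] for host, b in banners.items()}

def grab_banner(host, port=22, timeout=3.0):
    """Read the server identification line from a live SSH service (needs network)."""
    with socket.create_connection((host, port), timeout=timeout) as sock:
        data = b""
        while not data.endswith(b"\n") and len(data) < 256:
            chunk = sock.recv(64)
            if not chunk:
                break
            data += chunk
    return data.decode("ascii", "replace")

if __name__ == "__main__":
    for host, label in triage(SAMPLE_BANNERS).items():
        print(f"{host}: {label}")
```

Feed grab_banner() results into triage() to check your own inventory; a vendor backport that keeps the 2016.73 banner while carrying the fix will still show as vulnerable here, so confirm such cases against the distro advisory.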

Evidence notes

Primary facts come from the NVD record: CVE-2016-7406 is published 2017-03-03 and was modified in NVD on 2026-05-13. NVD states the affected CPE range includes Dropbear SSH through 2016.73 and records CVSS 3.0 9.8 (AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H). Supporting references include the oss-security mailing list post, a Dropbear patch revision, and Gentoo GLSA 201702-23.

Official resources

The CVE record was published on 2017-03-03. The linked oss-security and patch references indicate remediation activity around 2016-09-15, but that should not be treated as the CVE publication date. NVD last modified the record on 2026-05-13.