PatchSiren cyber security CVE debrief
CVE-2015-7977 FreeBSD CVE debrief
CVE-2015-7977 is a remote denial-of-service vulnerability in ntpd. According to the official NVD record, a crafted ntpdc reslist command can trigger a NULL pointer dereference and crash the service. The issue affects NTP before 4.2.8p6 and 4.3.x before 4.3.90.
- Vendor: FreeBSD
- Product: CVE-2015-7977
- CVSS: MEDIUM 5.9
- CISA KEV: Not listed in stored evidence
- Original CVE published: 2017-01-30
- Original CVE updated: 2026-05-13
- Advisory published: 2017-01-30
- Advisory updated: 2026-05-13
Who should care
Administrators running ntpd from affected NTP releases, especially in environments where the daemon is reachable over the network. Downstream vendors and appliance teams that bundle NTP/ntpd should also verify whether their shipped package versions fall within the affected ranges listed in NVD.
Technical summary
NVD classifies the issue as CWE-476 (NULL Pointer Dereference) with CVSS 3.1 vector CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:N/A:H, reflecting a network-reachable availability impact. The published description says remote attackers can cause a denial of service through the ntpdc reslist command. NVD version criteria mark NTP releases before 4.2.8p6 and 4.3.x before 4.3.90 as vulnerable, and the record also includes downstream package CPEs for multiple operating systems and vendor builds.
Defensive priority
Moderate. This is an availability-only flaw with network reachability, so it should be remediated promptly on exposed NTP servers, but it is not a confidentiality or integrity compromise based on the published record.
Recommended defensive actions
- Upgrade NTP/ntpd to 4.2.8p6 or later, or to 4.3.90 or later for the 4.3.x line.
- Apply the vendor-specific package updates for any downstream operating system or appliance that ships ntpd.
- Review whether ntpdc management access is needed at all, and restrict exposure to trusted administrative networks where possible.
- Inventory embedded devices and appliances that may include bundled NTP components, since NVD lists multiple downstream CPEs.
- Monitor NTP servers for unexpected daemon crashes or restart loops after patching and during validation.
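Two of the actions above, checking installed versions against the NVD ranges (before 4.2.8p6, and 4.3.x before 4.3.90) and confirming that ntpdc/ntpq queries are refused by default, can be scripted. The following Python is an added example, not part of this debrief or of the NTP project; the hostnames and `ntpd --version` banners are constructed, and the configuration check assumes the standard `ntp.conf` `restrict default ... noquery` syntax and inspects only that one line.

```python
import re

# Fixed releases named in the NVD record for CVE-2015-7977.
FIXED_STABLE = (4, 2, 8, 6)  # 4.2.8p6
FIXED_DEV = (4, 3, 90, 0)    # 4.3.90, for the 4.3.x development line

def parse_ntp_version(text):
    """Extract an NTP version such as '4.2.8p5' or '4.3.89' from text (for example
    the first line of `ntpd --version`) as a comparable (major, minor, point, patch)
    tuple. Releases without a 'p' suffix sort as patch level 0."""
    m = re.search(r"\b(\d+)\.(\d+)\.(\d+)(?:p(\d+))?", text)
    if not m:
        raise ValueError("no NTP version found in: %r" % text)
    major, minor, point, patch = m.groups()
    return (int(major), int(minor), int(point), int(patch or 0))

def is_affected(version_text):
    """True if the version is inside NVD's vulnerable ranges for CVE-2015-7977:
    anything before 4.2.8p6, or 4.3.x before 4.3.90."""
    v = parse_ntp_version(version_text)
    if v[:2] == (4, 3):
        return v < FIXED_DEV
    return v < FIXED_STABLE

def restrict_default_blocks_queries(ntp_conf):
    """True if the 'restrict default' line of an ntp.conf carries 'noquery', which
    refuses ntpq/ntpdc control queries (reslist included) from unlisted clients.
    Only the plain default line is checked; more specific restrict lines are not modelled."""
    for line in ntp_conf.splitlines():
        fields = line.split("#", 1)[0].split()
        if len(fields) >= 2 and fields[:2] == ["restrict", "default"]:
            return "noquery" in fields[2:]
    return False  # no default restriction at all, so queries are accepted

# Constructed inventory: hostnames and `ntpd --version` banners are made up.
INVENTORY = {
    "ntp1.example.internal": "ntpd 4.2.8p4@1.3265-o",
    "ntp2.example.internal": "ntpd 4.2.8p6@1.3265-o",
    "dev-ntp.example.internal": "ntpd 4.3.89@1.3275-o",
    "old-appliance.example.internal": "ntpd 4.2.6p5@1.2349-o",
}

def affected_hosts(inventory=INVENTORY):
    """Hostnames whose reported ntpd version falls in the affected ranges."""
    return sorted(h for h, banner in inventory.items() if is_affected(banner))

if __name__ == "__main__":
    for host in affected_hosts():
        print("PATCH NEEDED:", host, INVENTORY[host].split()[1])
```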
Evidence notes
The official NVD entry describes the flaw as a remote DoS via NULL pointer dereference in ntpd triggered by ntpdc reslist. The NVD CVSS vector is AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:N/A:H, and the weakness is mapped to CWE-476. The NVD CPE criteria identify vulnerable NTP versions before 4.2.8p6 and 4.3.x before 4.3.90, with additional downstream product CPEs included in the record. The CVE was published on 2017-01-30 and later modified on 2026-05-13; that timing reflects database publication/maintenance, not the original code defect date.
Official resources
- CVE-2015-7977 CVE record (CVE.org)
- CVE-2015-7977 NVD detail (NVD)
- Mitigation or vendor references: two NVD entries tagged Third Party Advisory
- Source references: five NVD entries tagged Broken Link
Publicly disclosed in the official CVE/NVD record on 2017-01-30; NVD last modified the record on 2026-05-13. This debrief is limited to the published official description and metadata.