PatchSiren

CVE-2016-2516 Ntp CVE debrief

CVE-2016-2516 is a denial-of-service issue in NTP’s ntpd daemon. On affected releases, if mode7 is enabled, a remote attacker can cause ntpd to abort by using the same IP address multiple times in an unconfig directive. The issue was published by NVD on 2017-01-30 and later marked modified on 2026-05-13.

Vendor: Ntp
Product: CVE-2016-2516
CVSS: MEDIUM 5.3
CISA KEV: Not listed in stored evidence
Original CVE published: 2017-01-30
Original CVE updated: 2026-05-13
Advisory published: 2017-01-30
Advisory updated: 2026-05-13

Who should care

Administrators running NTP/ntpd on exposed systems, especially environments that still enable mode7 or rely on older NTP 4.2.8/4.3.x builds. This also matters to distro and appliance maintainers who may have inherited vulnerable versions or backports.

Technical summary

The supplied CVE description identifies a remotely triggerable ntpd abort in NTP before 4.2.8p7 and 4.3.x before 4.3.92, but only when mode7 is enabled. NVD classifies the weakness as CWE-20 and rates it CVSS 3.0 5.3 (AV:N/AC:H/PR:L/UI:N/S:U/C:N/I:N/A:H), indicating an availability impact rather than confidentiality or integrity loss. The attack condition is configuration-dependent, so exposure is highest where mode7 remains enabled and the daemon is reachable by an attacker with the ability to send the relevant request.

Defensive priority

Medium. This is not an information disclosure or code execution issue, but it can crash a time service daemon and disrupt dependent systems. Prioritize if ntpd is Internet-facing, mission-critical, or still using legacy mode7 features.

Recommended defensive actions

  • Upgrade NTP/ntpd to a fixed release at or above 4.2.8p7 or 4.3.92, or install the vendor/package update that backports the fix.
  • Review whether mode7 is enabled anywhere in your fleet; if it is not required, disable or restrict it according to vendor guidance.
  • Check vendor and distribution advisories for any packaged mitigation or backport status before assuming a version string alone is sufficient.
  • Monitor ntpd crash logs and service restarts so repeated aborts are detected quickly.
  • If you operate multiple NTP deployments, inventory them now to confirm which hosts are running affected branches and whether mode7 exposure exists.
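An inventory triage for the actions above, as an added example that is not part of the original advisory or of any NTP tooling. It assumes you have already collected each host's ntpd version banner and ntp.conf text; the host names and sample data are constructed, the function names are hypothetical, and the mode7-off default is an assumption about ntpd.

```python
import re

_VER = re.compile(r"(\d+)\.(\d+)\.(\d+)(?:p(\d+))?")

def is_affected_version(banner):
    """True if upstream version is before 4.2.8p7, or 4.3.x before 4.3.92.
    Returns None when no version is found. Distro backports can fix the bug
    without changing this string, so a True here still needs an advisory check."""
    m = _VER.search(banner)
    if not m:
        return None
    major, minor, point, patch = (int(g or 0) for g in m.groups())
    if (major, minor) == (4, 3):          # development branch has its own cutoff
        return point < 92
    return (major, minor, point, patch) < (4, 2, 8, 7)

def mode7_enabled(conf_text):
    """Scan ntp.conf text for enable/disable directives naming mode7.
    The last matching directive wins; comments after '#' are ignored."""
    enabled = False  # assumption: mode7 is off when no directive is present
    for raw in conf_text.splitlines():
        tokens = raw.split("#", 1)[0].split()
        if len(tokens) >= 2 and tokens[0] in ("enable", "disable") \
                and "mode7" in tokens[1:]:
            enabled = tokens[0] == "enable"
    return enabled

def triage(banner, conf_text):
    """Classify one host for CVE-2016-2516 follow-up."""
    affected = is_affected_version(banner)
    if affected is None:
        return "unknown-version"
    if not affected:
        return "fixed-version"
    return "exposed" if mode7_enabled(conf_text) else "affected-mode7-off"

# Constructed sample inventory: host -> (version banner, ntp.conf text)
FLEET = {
    "ntp-a.example": ("ntpd 4.2.8p6@1.3265-o", "server 192.0.2.1\nenable mode7\n"),
    "ntp-b.example": ("ntpd 4.2.8p6@1.3265-o", "enable mode7\ndisable mode7\n"),
    "ntp-c.example": ("ntpd 4.2.8p7@1.3265-o", "enable mode7\n"),
    "ntp-d.example": ("ntpd 4.3.91", "# enable mode7\nserver 192.0.2.1\n"),
}

def report(fleet=FLEET):
    return {host: triage(banner, conf) for host, (banner, conf) in fleet.items()}

if __name__ == "__main__":
    for host, status in sorted(report().items()):
        print(f"{host}: {status}")
```

Hosts reported as affected-mode7-off still need the upgrade, since a later configuration change would expose them.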

Evidence notes

All claims above are drawn from the supplied CVE/NVD corpus and linked references. The key evidence is the CVE description stating affected versions (before 4.2.8p7 and 4.3.x before 4.3.92), the mode7 requirement, and the ntpd abort/DoS impact. NVD also supplies the CVSS v3.0 vector AV:N/AC:H/PR:L/UI:N/S:U/C:N/I:N/A:H and CWE-20. References include the NTP vendor advisory page, plus distro and third-party advisories that corroborate remediation context.

Official resources

Publicly disclosed in the NVD/CVE record on 2017-01-30. NVD metadata in the supplied corpus shows the record was modified on 2026-05-13.