PatchSiren

CVE-2016-7428 Ntp CVE debrief

CVE-2016-7428 is a denial-of-service issue in ntpd affecting NTP versions before 4.2.8p9. By manipulating the poll interval in a broadcast packet, a remote attacker can cause ntpd to reject broadcast mode packets, so systems that rely on NTP broadcast synchronization should prioritize the fixed release.

Vendor: Ntp
Product: CVE-2016-7428
CVSS: MEDIUM 4.3
CISA KEV: Not listed in stored evidence
Original CVE published: 2017-01-13
Original CVE updated: 2026-05-13
Advisory published: 2017-01-13
Advisory updated: 2026-05-13

Who should care

Administrators and operators running ntpd in NTP 4.2.8p6, 4.2.8p7, or 4.2.8p8, especially in environments that use broadcast mode time distribution. Embedded devices, appliances, and managed services that bundle ntpd should also be checked for fixed builds.

Technical summary

NVD describes the weakness as a remote denial of service in ntpd, with CVSS 3.0 vector AV:A/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L. The affected CPE entries listed by NVD include ntp:ntp 4.2.8 p6, p7, and p8. NVD maps the issue to CWE-400 and links vendor materials for the 4.2.8p9 release and the associated bug/mitigation tracking.

Defensive priority

Medium priority: patch promptly if broadcast mode is in use. The impact is limited to availability and the CVSS score is moderate.

Recommended defensive actions

  • Upgrade NTP/ntpd to 4.2.8p9 or a later fixed release.
  • Inventory hosts and appliances that ship ntpd, including embedded and vendor-managed systems, and verify their exact NTP build level.
  • Review whether broadcast mode is actually required in your environment; if it is, validate synchronization behavior after upgrading.
  • Use the linked vendor release notes and bug/mitigation references to confirm the corrected version and any deployment guidance.
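
The inventory and broadcast-mode review steps above can be scripted. The following is an added example, not code from the NTP project or the advisory; it assumes a version string of the form `ntpd 4.2.8p8@...`, the ntp.conf directives `broadcast`, `broadcastclient` and `multicastclient`, and hypothetical status labels, and the sample configuration is constructed.

```python
import re

FIXED = (4, 2, 8, 9)                              # 4.2.8p9, the fixed release named above
NVD_LISTED = {(4, 2, 8, p) for p in (6, 7, 8)}    # CPE entries cited from NVD
BROADCAST_DIRECTIVES = {"broadcast", "broadcastclient", "multicastclient"}
_VERSION_RE = re.compile(r"\b(\d+)\.(\d+)\.(\d+)(?:p(\d+))?")

# Constructed sample ntp.conf (addresses are documentation-range placeholders).
SAMPLE_CONF = """\
server 192.0.2.10 iburst
broadcastclient        # listen for broadcast time
#broadcast 192.0.2.255
"""

def parse_version(text):
    """Return (major, minor, micro, patch) from e.g. 'ntpd 4.2.8p8@1.3265-o'."""
    m = _VERSION_RE.search(text)
    return tuple(int(g or 0) for g in m.groups()) if m else None

def classify(text):
    """Label a version string (labels are hypothetical, chosen for this example)."""
    v = parse_version(text)
    if v is None:
        return "unparsed"
    if v[:2] > (4, 2):
        return "not-covered"      # release lines this page does not describe
    if v in NVD_LISTED:
        return "nvd-listed"
    return "before-fix" if v < FIXED else "fixed"

def broadcast_directives(conf_text):
    """Return broadcast-related directives that are active (not commented out)."""
    found = []
    for line in conf_text.splitlines():
        words = line.split("#", 1)[0].split()
        if words and words[0] in BROADCAST_DIRECTIVES:
            found.append(" ".join(words))
    return found

def triage(version_text, conf_text):
    # A host is a patching priority when it is unfixed AND uses broadcast mode.
    status = classify(version_text)
    directives = broadcast_directives(conf_text)
    unfixed = status in ("nvd-listed", "before-fix")
    return {"status": status, "broadcast": directives,
            "priority": unfixed and bool(directives)}

if __name__ == "__main__":
    print(triage("ntpd 4.2.8p8@1.3265-o", SAMPLE_CONF))
```

Hosts reported as `not-covered` or `unparsed` need a manual check against the vendor release notes.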

Evidence notes

The source corpus states that ntpd in NTP before 4.2.8p9 allows remote attackers to cause a denial of service by manipulating the poll interval in a broadcast packet. NVD lists vulnerable versions 4.2.8p6, 4.2.8p7, and 4.2.8p8, assigns CVSS 3.0 AV:A/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L, and classifies the weakness as CWE-400. Vendor-linked references include release notes for 4.2.8p9 and an NtpBug3113 mitigation/issue-tracking page. CVE record publication is dated 2017-01-13; the later 2026-05-13 modified timestamp reflects record maintenance, not the vulnerability's original disclosure date.

Official resources

CVE-2016-7428 was published in the CVE/NVD record on 2017-01-13. The record was later modified on 2026-05-13, which is metadata timing only and should not be treated as the original vulnerability date.