PatchSiren

PatchSiren cyber security CVE debrief

CVE-2017-5204 Redhat CVE debrief

CVE-2017-5204 is a critical buffer overflow in tcpdump’s IPv6 parsing path, specifically print-ip6.c:ip6_print(), affecting tcpdump versions before 4.9.0. The NVD record rates the issue 9.8 (CVSS v3.0): network attack vector, no privileges required, and no user interaction. In practical terms, tcpdump dissects whatever traffic or capture file it is pointed at, so a crafted IPv6 packet on a monitored segment, or a pcap handed to an analyst, reaches the vulnerable parser without any authentication. Any environment that uses tcpdump to decode untrusted packet data should treat this as an urgent patch item, because malformed IPv6 traffic or captures can corrupt memory during parsing.

Vendor
Redhat
Product
tcpdump (CVE-2017-5204)
CVSS
CRITICAL 9.8
CISA KEV
Not listed in stored evidence
Original CVE published
2017-01-28
Original CVE updated
2026-05-13
Advisory published
2017-01-28
Advisory updated
2026-05-13

Who should care

Security teams, Linux administrators, network engineers, and anyone running tcpdump on systems that ingest untrusted packet captures or live network traffic. Downstream distro maintainers and fleets on Debian, Red Hat Enterprise Linux, or Gentoo should also verify they have the vendor-fixed package versions referenced in the advisories.

Technical summary

The vulnerability is a classic memory-safety flaw in tcpdump’s IPv6 parser, the code that decodes IPv6 headers for printing. NVD identifies the weakness as CWE-119 (improper restriction of operations within the bounds of a memory buffer) and maps the affected software to tcpdump before 4.9.0. The supplied CVSS vector is CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H: the parser is reachable by anyone who can put a packet in front of it, no authentication or user action is needed, and the impact is rated high for confidentiality, integrity, and availability, with scope unchanged (the damage is confined to the host running tcpdump). The practical precondition is that tcpdump is decoding attacker-influenced input, either live on an interface or from a capture file. The record also lists downstream vendor advisories, showing that multiple Linux distributions shipped fixes for the issue.

Defensive priority

Critical and immediate for any asset that runs tcpdump against untrusted input. Even if tcpdump is used only by administrators, the attack surface is the parser itself, not the operator. tcpdump normally needs elevated privileges to open a capture interface, so a corrupted parser runs with whatever privileges the process still holds; tcpdump can drop to an unprivileged user after opening the device (the -Z option, which some distribution builds enable by default), but verify that on your build rather than assume it. The safest course is to patch, or to remove the vulnerable version from workflows that handle external captures, as soon as possible.

Recommended defensive actions

  • Upgrade tcpdump to 4.9.0 or later, or to a vendor-fixed package from your distribution. Distribution packages often backport the fix without changing the upstream version string, so compare the package release against the vendor advisory rather than relying on "tcpdump --version" alone.
  • Inventory systems and appliances that include tcpdump, including troubleshooting hosts and packet-capture pipelines.
  • Prioritize remediation on systems that analyze untrusted traffic, customer-provided pcap files, or live network mirrors.
  • Apply the relevant downstream advisory updates referenced in the NVD record, including Debian, Red Hat, and Gentoo fixes where applicable.
  • If immediate patching is not possible, isolate vulnerable tcpdump usage from untrusted capture sources until remediation is complete. Writing raw packets with -w, without also printing them, does not run the dissectors, so an unpatched host can still capture to a file for decoding on a patched one; do not decode untrusted traffic on the unpatched host.
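The version check and inventory triage described in the actions above, as an added example written for this debrief (it is not code from PatchSiren, the tcpdump project, or any vendor advisory). It assumes only the upstream fixed version 4.9.0 given in the NVD record; the hostnames and the version lines in the sample inventory are constructed, in the format tcpdump itself prints for --version, and the package-manager lookup is a plain dpkg-query/rpm call.

```shell
#!/bin/sh
# Added example for the CVE-2017-5204 debrief (not code from PatchSiren, tcpdump, or a vendor).
# Classifies tcpdump version strings against the upstream fix (4.9.0), checks the local
# host, and triages a constructed inventory of hosts, vulnerable ones first.

FIXED_UPSTREAM=4.9.0   # first upstream release without the ip6_print() overflow, per NVD

# vercmp A B: prints -1, 0 or 1 for A<B, A=B, A>B on dotted version strings.
vercmp() {
    a=$1 b=$2
    while [ -n "$a" ] || [ -n "$b" ]; do
        ai=${a%%.*}; bi=${b%%.*}
        ai=${ai%%[!0-9]*}; bi=${bi%%[!0-9]*}   # ignore non-numeric suffixes such as "-1"
        ai=${ai:-0}; bi=${bi:-0}               # "4.9" compares as "4.9.0"
        if [ "$ai" -lt "$bi" ]; then echo -1; return 0; fi
        if [ "$ai" -gt "$bi" ]; then echo 1; return 0; fi
        case $a in *.*) a=${a#*.} ;; *) a= ;; esac
        case $b in *.*) b=${b#*.} ;; *) b= ;; esac
    done
    echo 0
}

# tcpdump_vulnerable VERSION: succeeds (exit 0) when VERSION is below 4.9.0.
# Caveat: distributions backport fixes without bumping the upstream version, so a
# "vulnerable" result on a vendor package must be confirmed against that vendor's
# advisory (the debrief cites RHSA-2017:1871, DSA-3775 and GLSA 201702-30).
tcpdump_vulnerable() {
    [ "$(vercmp "$1" "$FIXED_UPSTREAM")" -lt 0 ]
}

# parse_tcpdump_version LINE: extracts "4.9.3" from "tcpdump version 4.9.3 ...", the
# first line tcpdump prints for --version. Prints nothing if LINE does not match.
parse_tcpdump_version() {
    printf '%s\n' "$1" | sed -n 's/^tcpdump version \([0-9][0-9.]*\).*/\1/p'
}

# package_version: the distribution package version, if a package manager is present.
# This is the string to compare against the vendor advisory when a backport is in play.
package_version() {
    if command -v dpkg-query >/dev/null 2>&1; then
        dpkg-query -W -f '${Version}\n' tcpdump 2>/dev/null || true
    elif command -v rpm >/dev/null 2>&1; then
        rpm -q --qf '%{VERSION}-%{RELEASE}\n' tcpdump 2>/dev/null || true
    fi
}

# local_status: prints "not-installed", "unparsed: <line>", "vulnerable <ver>" or "fixed <ver>".
local_status() {
    command -v tcpdump >/dev/null 2>&1 || { echo not-installed; return 0; }
    line=$(tcpdump --version 2>&1 | head -n 1)     # tcpdump writes its banner to stderr
    v=$(parse_tcpdump_version "$line")
    [ -n "$v" ] || { echo "unparsed: $line"; return 0; }
    if tcpdump_vulnerable "$v"; then echo "vulnerable $v"; else echo "fixed $v"; fi
}

# triage_inventory: reads "host<TAB>first line of tcpdump --version" records on stdin and
# prints "<status> <host> <version>", vulnerable hosts first, unknown next, fixed last.
triage_inventory() {
    tab=$(printf '\t')
    while IFS="$tab" read -r host line; do
        v=$(parse_tcpdump_version "$line")
        if [ -z "$v" ]; then echo "unknown $host ($line)"
        elif tcpdump_vulnerable "$v"; then echo "vulnerable $host $v"
        else echo "fixed $host $v"; fi
    done | sort -r
}

# Constructed sample inventory (hypothetical hostnames), standing in for the output
# of "tcpdump --version 2>&1 | head -n 1" collected from each host in a fleet.
SAMPLE_INVENTORY=$(printf 'sensor01\ttcpdump version 4.8.1\ncapture02\ttcpdump version 4.9.3\njump03\ttcpdump version 4.5.1\nlegacy04\tsh: tcpdump: not found')

echo "local host: $(local_status)"
pkg=$(package_version)
if [ -n "$pkg" ]; then echo "local package: $pkg"; fi
printf '%s\n' "$SAMPLE_INVENTORY" | triage_inventory
```

Feed triage_inventory real records by running the same --version command over your hosts (ssh, an agent, or a CMDB export) and tab-joining the hostname to the first output line; hosts that report "unknown" either lack tcpdump or print something the parser does not recognise, and need a manual look rather than being dropped from the list.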

Evidence notes

The supplied NVD record states: 'The IPv6 parser in tcpdump before 4.9.0 has a buffer overflow in print-ip6.c:ip6_print().' NVD marks the issue as CWE-119 and provides the CVSS v3.0 vector CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H. The record’s references include Debian DSA-3775, Red Hat RHSA-2017:1871, and Gentoo GLSA 201702-30, supporting downstream remediation evidence. Timing context comes from the supplied CVE publishedAt 2017-01-28 and modifiedAt 2026-05-13 fields.

Official resources

Publicly disclosed on 2017-01-28 per the supplied CVE publishedAt/NVD record; the supplied record was last modified on 2026-05-13. Downstream advisories in Debian, Red Hat, and Gentoo are included in the NVD references.