PatchSiren cyber security CVE debrief

CVE-2016-7922 Tcpdump CVE debrief

CVE-2016-7922 is a critical tcpdump flaw in the AH parser that can trigger a buffer overflow in print-ah.c:ah_print() while processing packet data. NVD rates it 9.8 with a network attack vector and no user interaction, and the vulnerable version range in the NVD CPE data extends through tcpdump 4.8.1. This should be treated as an immediate patch priority for any environment that parses untrusted traffic or capture files.

Vendor: Tcpdump
Product: CVE-2016-7922
CVSS: CRITICAL 9.8
CISA KEV: Not listed in stored evidence
Original CVE published: 2017-01-28
Original CVE updated: 2026-05-13
Advisory published: 2017-01-28
Advisory updated: 2026-05-13

Who should care

Security teams, network operations staff, packet-capture analysts, incident responders, and distro/package maintainers running tcpdump or embedding it in troubleshooting workflows.

Technical summary

The issue is a memory-safety bug in tcpdump’s AH parser, specifically a buffer overflow in print-ah.c:ah_print(). NVD assigns CWE-119 and a CVSS 3.0 score of 9.8 (AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H), indicating a remotely reachable parsing flaw with high impact. The NVD CPE data marks tcpdump versions up to 4.8.1 as vulnerable, while the CVE description states the issue is present in tcpdump before 4.9.0. Downstream advisories from Debian, Red Hat, and Gentoo are listed in the record as corroborating references.

Defensive priority

Immediate — critical severity, network-reachable parser bug, and high confidentiality/integrity/availability impact.

Recommended defensive actions

  • Upgrade tcpdump to 4.9.0 or later, or install the vendor-fixed package for your distribution.
  • Inventory systems that run tcpdump and prioritize hosts that handle untrusted packet captures or live network data.
  • Until patched, limit tcpdump use to trusted inputs and avoid processing capture files from unverified sources.
  • Verify remediation against your platform’s advisory or errata feed, including Debian, Red Hat, or Gentoo package guidance where applicable.
  • Reconfirm post-upgrade that capture and analysis workflows still function correctly after applying the fix.
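A host-inventory check for the upgrade step above, as an added example that is not part of the debrief or of the tcpdump project; it assumes the `tcpdump version X.Y.Z` banner that `tcpdump --version` prints and treats 4.9.0 as the fixed release:

```shell
# Added example, not from the PatchSiren debrief or the tcpdump project:
# flag a tcpdump install older than the fixed release 4.9.0 named above.
# Assumes the "tcpdump version X.Y.Z" banner that `tcpdump --version` prints.

FIXED_VERSION="4.9.0"

# Print the version from banner text on stdin; print nothing if unrecognised.
tcpdump_version_from_banner() {
    sed -n 's/^tcpdump version \([0-9][0-9.]*\).*/\1/p' | head -n 1
}

# Return 0 when dotted version $1 is strictly older than $2 (pure POSIX sh,
# so it works where sort -V is unavailable); missing components count as 0.
version_lt() {
    a="$1"; b="$2"
    while [ -n "$a" ] || [ -n "$b" ]; do
        ai=${a%%.*}; bi=${b%%.*}          # leading component of each
        [ "$a" = "$ai" ] && a="" || a=${a#*.}
        [ "$b" = "$bi" ] && b="" || b=${b#*.}
        ai=${ai:-0}; bi=${bi:-0}
        [ "$ai" -lt "$bi" ] && return 0
        [ "$ai" -gt "$bi" ] && return 1
    done
    return 1                               # equal versions are not older
}

# Classify one banner: prints a verdict; returns 0 vulnerable, 1 fixed, 2 unknown.
check_banner() {
    ver=$(printf '%s\n' "$1" | tcpdump_version_from_banner)
    if [ -z "$ver" ]; then
        echo "UNKNOWN: could not parse tcpdump version banner"; return 2
    fi
    if version_lt "$ver" "$FIXED_VERSION"; then
        echo "VULNERABLE: tcpdump $ver < $FIXED_VERSION (CVE-2016-7922)"; return 0
    fi
    echo "OK: tcpdump $ver >= $FIXED_VERSION"; return 1
}

# Constructed sample banners in the layout tcpdump --version uses.
SAMPLE_OLD="tcpdump version 4.8.1
libpcap version 1.7.4"
SAMPLE_NEW="tcpdump version 4.99.1
libpcap version 1.10.1 (with TPACKET_V3)"

# Check the tcpdump on this host, if one is installed.
if command -v tcpdump >/dev/null 2>&1; then
    check_banner "$(tcpdump --version 2>&1)" || true
fi
```

Run it under a fleet tool or SSH loop and grep for `VULNERABLE` to build the prioritised host list; distro backports that keep the 4.8.x banner but carry the fix must be reconciled against the vendor errata instead.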

Evidence notes

The supplied NVD record describes an AH parser buffer overflow in print-ah.c:ah_print() and assigns CWE-119. The CVE/NVD data published on 2017-01-28 lists tcpdump versions through 4.8.1 as vulnerable, and the record includes downstream advisories from Debian, Red Hat, and Gentoo as corroborating references. The provided enrichment does not mark this CVE as CISA KEV.

Official resources

Publicly disclosed in the CVE/NVD record on 2017-01-28. The provided enrichment does not list this issue as a CISA KEV entry, and no ransomware-campaign linkage is indicated in the supplied data.