PatchSiren


CVE-2016-7924 Tcpdump CVE debrief

CVE-2016-7924 describes a critical buffer overflow in tcpdump’s ATM parser, specifically in print-atm.c:oam_print(), affecting tcpdump versions before 4.9.0. NVD rates the issue CVSS 3.0 9.8 with network attack vector, no privileges required, and no user interaction, making patching or package replacement a high priority for anyone relying on tcpdump to inspect packet captures.

Vendor: Tcpdump
Product: CVE-2016-7924
CVSS: CRITICAL 9.8
CISA KEV: Not listed in stored evidence
Original CVE published: 2017-01-28
Original CVE updated: 2026-05-13
Advisory published: 2017-01-28
Advisory updated: 2026-05-13

Who should care

Security teams, Linux distribution maintainers, and administrators who deploy tcpdump for packet capture or troubleshooting should treat this as urgent. It is also relevant to any environment where tcpdump is installed on servers, appliances, or analyst workstations and may process untrusted capture data.

Technical summary

NVD identifies the weakness as CWE-119 and lists affected tcpdump versions through 4.8.1. The flaw is in the ATM parsing path, where malformed input can trigger a buffer overflow in oam_print(). The published CVSS vector indicates a remotely reachable, low-complexity issue with no authentication or user interaction required and potential high impact on confidentiality, integrity, and availability.

Defensive priority

Urgent

Recommended defensive actions

  • Upgrade tcpdump to 4.9.0 or install your vendor’s fixed package immediately.
  • Confirm no hosts remain on tcpdump 4.8.1 or earlier, including embedded or long-lived appliance images.
  • Apply distributor advisories and security errata referenced for this CVE, such as Debian, Red Hat, and Gentoo package updates.
  • If tcpdump is not required on a system, remove it or restrict access to reduce exposure.
  • Validate remediation by checking installed package versions after patching.
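
The version checks in the list above can be scripted. The following is an added example, not PatchSiren's or the tcpdump project's code: it classifies collected tcpdump version banners against the 4.9.0 fix threshold stated on this page. The host|banner inventory format, the host names and the function names are assumptions made for illustration.

```shell
#!/bin/sh
FIXED="4.9.0"   # first fixed upstream release, per this page

# Pull "X.Y[.Z]" out of a banner line such as "tcpdump version 4.8.1".
banner_version() {
    printf '%s\n' "$1" |
        sed -n 's/^tcpdump version \([0-9][0-9.]*\).*/\1/p' | head -n 1
}

# Succeed when $1 is numerically lower than $2, field by field,
# so that 4.10.0 is not mistaken for something older than 4.9.0.
version_lt() {
    awk -v a="$1" -v b="$2" 'BEGIN {
        n = split(a, x, "."); m = split(b, y, ".")
        for (i = 1; i <= (n > m ? n : m); i++) {
            if ((x[i] + 0) < (y[i] + 0)) exit 0
            if ((x[i] + 0) > (y[i] + 0)) exit 1
        }
        exit 1
    }'
}

# Prints vulnerable, fixed-upstream, or unknown for one banner.
classify_banner() {
    v=$(banner_version "$1")
    if [ -z "$v" ]; then echo unknown
    elif version_lt "$v" "$FIXED"; then echo vulnerable
    else echo fixed-upstream
    fi
}

# Reads "host|banner" lines; prints the hosts that still need attention.
audit_inventory() {
    while IFS='|' read -r host banner; do
        [ -n "$host" ] || continue
        state=$(classify_banner "$banner")
        [ "$state" = fixed-upstream ] || printf '%s %s\n' "$host" "$state"
    done
}

# Constructed sample inventory (hypothetical hosts and banners).
sample_inventory() {
    cat <<'EOF'
web01|tcpdump version 4.8.1
ids02|tcpdump version 4.9.0
appl03|tcpdump version 3.9.8
lab04|tcpdump version 4.10.0-PRE-GIT
jump05|(no banner collected)
EOF
}

sample_inventory | audit_inventory
```

A package that reports an upstream version below 4.9.0 may still carry a backported fix, so confirm flagged hosts against the distributor advisories listed on this page before treating them as exposed.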

Evidence notes

The NVD record and CVE metadata state that the issue is a buffer overflow in print-atm.c:oam_print() and that versions through 4.8.1 are vulnerable. The CVSS vector is CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H, supporting urgent prioritization. Officially listed remediation references include Debian DSA-3775, Red Hat RHSA-2017:1871, and Gentoo GLSA 201702-30.

Official resources

CVE record published on 2017-01-28; NVD entry last modified on 2026-05-13. The analysis here uses those published CVE timeline fields and official references only.