PatchSiren

CVE-2016-7926 Tcpdump CVE debrief

CVE-2016-7926 is a critical memory-corruption flaw in tcpdump’s Ethernet parsing code. When tcpdump processes crafted Ethernet-type data, the vulnerable parser path can overflow a buffer in print-ether.c:ethertype_print(), creating a high-risk condition for affected deployments. NVD rates the issue 9.8 (CVSS v3.0) and lists tcpdump 4.8.1 and earlier as affected.

Vendor: Tcpdump
Product: CVE-2016-7926
CVSS: CRITICAL 9.8
CISA KEV: Not listed in stored evidence
Original CVE published: 2017-01-28
Original CVE updated: 2026-05-13
Advisory published: 2017-01-28
Advisory updated: 2026-05-13

Who should care

Organizations that use tcpdump to inspect untrusted or attacker-influenced packet data should treat this as urgent, especially security teams, network operations teams, and anyone shipping tcpdump in appliances, appliance images, or automated capture pipelines.

Technical summary

The CVE description identifies a buffer overflow in the Ethernet parser implementation, specifically print-ether.c:ethertype_print(). NVD maps the weakness to CWE-119 and assigns CVSS v3.0 9.8 with network attack vector, low attack complexity, no privileges required, no user interaction, and high confidentiality, integrity, and availability impact. The NVD CPE criteria mark tcpdump 4.8.1 and earlier as vulnerable.

Defensive priority

Urgent. This is a critical parser memory-safety issue with no privileges or user interaction required in the CVSS record, so affected tcpdump installations should be prioritized for upgrade or replacement.

Recommended defensive actions

  • Upgrade tcpdump to a non-vulnerable version; the CVE description indicates the issue is addressed in 4.9.0 and later.
  • Inventory systems that include tcpdump, including embedded appliances and build pipelines, and confirm the installed version.
  • Restrict use of tcpdump on untrusted traffic or untrusted capture files until patched.
  • If immediate upgrade is not possible, minimize exposure by limiting who can run packet capture and by isolating analysis systems from production traffic where feasible.
  • Validate downstream vendor advisories and package updates referenced in the CVE record (for example Debian, Red Hat, and Gentoo) to ensure the patched package is installed.
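
The inventory and version-confirmation step above can be scripted. The following is an added example, not part of the CVE record or the tcpdump project: it classifies a `tcpdump --version` banner against the page's boundary (4.8.1 and earlier affected, 4.9.0 and later fixed). The function names and the sample banners are constructed for illustration.

```sh
#!/bin/sh
# Added example (not from the CVE record). Thresholds come from the page:
# tcpdump 4.8.1 and earlier affected, 4.9.0 and later fixed.

# Pull the tcpdump version out of a `tcpdump --version` banner.
# [^ ]* (not .*) keeps a vendor suffix containing the word "version"
# from being mistaken for the tcpdump version.
tcpdump_banner_version() {
    printf '%s\n' "$1" |
        sed -n 's/^tcpdump[^ ]* version \([0-9][0-9.]*\).*/\1/p' | head -n 1
}

# Print fixed / affected / unknown for an upstream version string.
cve_2016_7926_status() {
    ver=$1
    case $ver in
        ''|*[!0-9.]*|.*|*..*) echo unknown; return 0 ;;
    esac
    old_ifs=$IFS; IFS=.
    set -- $ver            # split "4.8.1" into $1=4 $2=8 $3=1
    IFS=$old_ifs
    major=${1:-0}; minor=${2:-0}
    if [ "$major" -gt 4 ] || { [ "$major" -eq 4 ] && [ "$minor" -ge 9 ]; }; then
        echo fixed
    else
        # Upstream version only: a distribution package may carry a
        # backported fix, so confirm against the vendor advisory.
        echo affected
    fi
}

# Constructed sample banners, so the script runs without tcpdump installed.
for banner in 'tcpdump version 4.8.1' 'tcpdump version 4.9.0' \
              'tcpdump version 4.9.3 -- Vendor version 100' 'no banner here'; do
    v=$(tcpdump_banner_version "$banner")
    echo "sample ${v:-?}: $(cve_2016_7926_status "$v")"
done

# Live check of the local binary, if one is on PATH.
if command -v tcpdump >/dev/null 2>&1; then
    v=$(tcpdump_banner_version "$(tcpdump --version 2>&1 || true)")
    echo "installed ${v:-?}: $(cve_2016_7926_status "$v")"
fi
```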

Evidence notes

Evidence is drawn from the CVE/NVD record supplied in the source corpus. The description states a buffer overflow in tcpdump’s Ethernet parser at print-ether.c:ethertype_print(). NVD lists the weakness as CWE-119, gives CVSS v3.0 9.8, and marks tcpdump 4.8.1 and earlier as affected. The CVE record also references Debian, Red Hat, Gentoo, SecurityFocus, SecurityTracker, and Debian mailing list sources.

Official resources

Publicly disclosed in the CVE/NVD record on 2017-01-28; the source record was last modified on 2026-05-13.