PatchSiren cyber security CVE debrief

CVE-2016-7928 Tcpdump CVE debrief

CVE-2016-7928 is a critical memory-corruption issue in tcpdump’s IPComp parser. The CVE description identifies a buffer overflow in print-ipcomp.c:ipcomp_print(), and NVD rates the issue 9.8 with network attack vector, no privileges, and no user interaction. For defense, prioritize upgrading to fixed tcpdump builds and verifying any distribution backports before relying on package version numbers alone.

Vendor: Tcpdump
Product: CVE-2016-7928
CVSS: CRITICAL 9.8
CISA KEV: Not listed in stored evidence
Original CVE published: 2017-01-28
Original CVE updated: 2026-05-13
Advisory published: 2017-01-28
Advisory updated: 2026-05-13

Who should care

Security teams, Linux distribution maintainers, network operations groups, incident responders, and anyone running tcpdump on hosts that analyze untrusted traffic or packet captures should treat this as important. It also matters for build pipelines and appliances that bundle tcpdump for diagnostics.

Technical summary

The flaw is classified as CWE-119 and affects the IPComp parser path in tcpdump. The vulnerability is described as a buffer overflow in print-ipcomp.c:ipcomp_print(). The CVE text says tcpdump versions before 4.9.0 are affected, while the current NVD CPE criteria enumerate tcpdump versions up to 4.8.1. That combination means defenders should confirm vendor/package advisories and backport status rather than relying on a single version label.

Defensive priority

Immediate. The published CVSS 3.0 vector is AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H, which indicates low complexity and potentially full impact. Patch or replace vulnerable builds as soon as possible, especially on systems that process untrusted capture data.

Recommended defensive actions

  • Upgrade tcpdump to 4.9.0 or later, or install a vendor backport that explicitly fixes CVE-2016-7928.
  • Check distribution advisories and package changelogs for patched builds, including Debian DSA-3775, Red Hat RHSA-2017:1871, and Gentoo GLSA 201702-30.
  • Inventory hosts and tools that invoke tcpdump for capture analysis, troubleshooting, or automated packet inspection.
  • Minimize exposure to untrusted packet captures and traffic sources until patched systems are confirmed.
  • Verify remediation by comparing installed package metadata against the vendor advisory, not just the upstream version string.
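The last two actions above, verifying against the advisory rather than the upstream version string, can be scripted. The following POSIX sh script is an added example and is not PatchSiren's or the tcpdump project's code. It treats a host as remediated only when either the upstream version is at or above 4.9.0 or the package changelog explicitly names CVE-2016-7928 (the backport case). The rpm query shown for the live check is real rpm syntax; the changelog entries embedded in the script are constructed samples, not real distribution records.

```shell
#!/bin/sh
# Added example, not PatchSiren's or the tcpdump project's code: a remediation
# check for CVE-2016-7928 that does not trust the upstream version string alone.
# A package counts as remediated when EITHER its upstream version is >= 4.9.0
# OR its changelog names the CVE (a vendor backport under an older version).

CVE_ID="CVE-2016-7928"
FIXED_UPSTREAM="4.9.0"

# Reduce a package version such as "1:4.9.0-1ubuntu1" to its upstream
# dotted-numeric part ("4.9.0"): drop an epoch prefix and everything from the
# first character that is neither a digit nor a dot.
upstream_version() {
    printf '%s' "$1" | sed 's/^[0-9]*://; s/[^0-9.].*$//'
}

# version_ge A B: succeed when dotted version A >= B, comparing numerically
# component by component; missing trailing components count as 0.
version_ge() {
    a="$1"; b="$2"
    while [ -n "$a" ] || [ -n "$b" ]; do
        ai="${a%%.*}"; bi="${b%%.*}"
        case "$a" in *.*) a="${a#*.}" ;; *) a="" ;; esac
        case "$b" in *.*) b="${b#*.}" ;; *) b="" ;; esac
        [ "${ai:-0}" -gt "${bi:-0}" ] && return 0
        [ "${ai:-0}" -lt "${bi:-0}" ] && return 1
    done
    return 0
}

# changelog_names_cve TEXT: succeed when the changelog text cites the CVE id.
changelog_names_cve() {
    printf '%s' "$1" | grep -q -F "$CVE_ID"
}

# assess VERSION CHANGELOG_TEXT: print one of
#   fixed-upstream   upstream version is at or above 4.9.0
#   fixed-backport   older upstream version, but the changelog names the CVE
#   unverified       neither signal present; treat as vulnerable until proven
assess() {
    uv=$(upstream_version "$1")
    if version_ge "$uv" "$FIXED_UPSTREAM"; then
        echo fixed-upstream
    elif changelog_names_cve "$2"; then
        echo fixed-backport
    else
        echo unverified
    fi
}

# Constructed sample inputs (not real package records) exercising each branch.
SAMPLE_BACKPORT_LOG='tcpdump (4.8.1-0+sample1) sample-security; urgency=high

  * Backport upstream fix for buffer overflow in IPComp parser (CVE-2016-7928)'
SAMPLE_OLD_LOG='tcpdump (4.8.1-0+sample0) sample; urgency=low

  * Initial packaging'

# Live check on the current host when tcpdump is installed via rpm; dpkg-based
# systems keep the changelog under /usr/share/doc/tcpdump/changelog.Debian.gz
# and would need an equivalent query. Skipped silently elsewhere.
if command -v rpm >/dev/null 2>&1 && rpm -q tcpdump >/dev/null 2>&1; then
    live_version=$(rpm -q --qf '%{VERSION}-%{RELEASE}' tcpdump)
    live_log=$(rpm -q --changelog tcpdump)
    echo "host tcpdump $live_version: $(assess "$live_version" "$live_log")"
fi

echo "4.9.0-1 no changelog      -> $(assess '4.9.0-1' '')"
echo "4.8.1-0+sample1 backport  -> $(assess '4.8.1-0+sample1' "$SAMPLE_BACKPORT_LOG")"
echo "4.8.1-0+sample0 unpatched -> $(assess '4.8.1-0+sample0' "$SAMPLE_OLD_LOG")"
```

The "unverified" outcome is deliberately not called "vulnerable": a distribution may fix the bug without naming the CVE in its changelog, so that result is a prompt to check the vendor advisory (Debian DSA-3775, Red Hat RHSA-2017:1871, Gentoo GLSA 201702-30) by hand, not a final verdict.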

Evidence notes

The CVE record and NVD detail both identify tcpdump as the affected product and describe a buffer overflow in the IPComp parser at print-ipcomp.c:ipcomp_print(). NVD assigns CVSS 3.0 9.8 and CWE-119. The supplied record metadata includes reference advisories from Debian, Red Hat, and Gentoo. Timing context comes from the CVE publishedAt value of 2017-01-28T01:59:00.327Z; the 2026-05-13 modifiedAt value reflects record maintenance, not the vulnerability’s disclosure date.

Official resources

Publicly disclosed in the CVE/NVD record on 2017-01-28, with follow-on vendor and distribution advisories issued in 2017.