PatchSiren

CVE-2016-7929 Tcpdump CVE debrief

CVE-2016-7929 describes a buffer overflow in tcpdump’s Juniper PPPoE ATM parser, specifically in print-juniper.c:juniper_parse_header(). NVD rates the issue Critical with a 9.8 CVSS score, and the record links to vendor and distro advisories indicating patched releases.

Vendor: Tcpdump
Product: CVE-2016-7929
CVSS: CRITICAL 9.8
CISA KEV: Not listed in stored evidence
Original CVE published: 2017-01-28
Original CVE updated: 2026-05-13
Advisory published: 2017-01-28
Advisory updated: 2026-05-13

Who should care

Anyone running tcpdump on systems that process untrusted packet captures or live traffic should care, especially security teams, incident responders, and package maintainers responsible for backported fixes.

Technical summary

The flaw is a memory-safety bug in tcpdump’s Juniper PPPoE ATM parsing path. According to the CVE description, tcpdump before 4.9.0 is affected, and NVD maps the vulnerable CPE through version 4.8.1. NVD assigns CWE-119 and CVSS 3.0 vector AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H, indicating a network-reachable, low-complexity issue with high potential impact on confidentiality, integrity, and availability.

Defensive priority

Critical

Recommended defensive actions

  • Upgrade tcpdump to 4.9.0 or later, or install the vendor backport provided by your operating system distribution.
  • Prioritize patching systems that analyze untrusted packet captures or ingest external network data.
  • Verify package versions against the linked vendor advisories, including Debian DSA-3775, Red Hat RHSA-2017:1871, and Gentoo GLSA-201702-30.
  • If immediate patching is not possible, restrict use of tcpdump to trusted inputs and minimize exposure to malicious or unknown capture files.
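One way to run the version check from the actions above, as an added example that is not part of the original debrief: it parses a `tcpdump --version` banner and compares it numerically against the 4.9.0 boundary. The function names and verdict labels are hypothetical, and a `BELOW_FIX` verdict on a distribution package still has to be confirmed against the vendor advisory, because a backport may carry the fix under an older upstream version string.

```shell
#!/bin/sh
# Added example: classify a tcpdump build against the CVE-2016-7929 fix boundary.
# Function names and verdict labels are illustrative, not from tcpdump or the advisory.
FIXED_VERSION="4.9.0"   # first fixed upstream release, per the CVE description

# Extract the dotted version from a `tcpdump --version` banner (first match only).
banner_version() {
    printf '%s\n' "$1" |
        sed -n 's/^tcpdump version \([0-9][0-9.]*\).*/\1/p' | head -n 1
}

# Return 0 when version $1 is strictly lower than $2, comparing each dotted
# field as a number so that 4.10.0 sorts above 4.9.0 (a string compare would not).
version_lt() {
    awk -v a="$1" -v b="$2" 'BEGIN {
        n = split(a, x, "."); m = split(b, y, ".")
        for (i = 1; i <= (n > m ? n : m); i++) {
            if ((x[i] + 0) < (y[i] + 0)) exit 0
            if ((x[i] + 0) > (y[i] + 0)) exit 1
        }
        exit 1
    }'
}

# Print a verdict for one banner:
#   BELOW_FIX <v>        upstream version predates 4.9.0; check for a vendor backport
#   AT_OR_ABOVE_FIX <v>  upstream version is 4.9.0 or later
#   UNKNOWN              no version could be parsed from the banner
classify_banner() {
    v=$(banner_version "$1")
    if [ -z "$v" ]; then
        echo "UNKNOWN"
    elif version_lt "$v" "$FIXED_VERSION"; then
        echo "BELOW_FIX $v"
    else
        echo "AT_OR_ABOVE_FIX $v"
    fi
}

# Local check: runs only when tcpdump is installed on this host.
if command -v tcpdump >/dev/null 2>&1; then
    classify_banner "$(tcpdump --version 2>&1)"
fi
```

For a fleet, collect each host's banner and pass it to `classify_banner`, then resolve every `BELOW_FIX` result against the distribution's package changelog or advisory.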

Evidence notes

The core vulnerability details come from the CVE description and NVD metadata: a Juniper PPPoE ATM parser buffer overflow in print-juniper.c:juniper_parse_header(), CWE-119, and CVSS 3.0 AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H. NVD’s CPE data marks tcpdump versions through 4.8.1 as vulnerable, while the description states affected releases are before 4.9.0. Supporting official references include Debian DSA-3775, Red Hat RHSA-2017:1871, Gentoo GLSA-201702-30, SecurityFocus, and SecurityTracker.

Official resources

The CVE record was published on 2017-01-28. The supplied modified date of 2026-05-13 reflects a later record update, not the original vulnerability disclosure date.