PatchSiren

CVE-2016-7930 Tcpdump CVE debrief

CVE-2016-7930 is a critical memory-safety issue in tcpdump’s LLC/SNAP parser. The flaw is in print-llc.c:llc_print() and can lead to a buffer overflow when tcpdump processes crafted input. NVD rates the issue 9.8/10 and lists affected tcpdump versions through 4.8.1; the vulnerability description names tcpdump 4.9.0 as the fixed release.

Vendor: Tcpdump
Product: CVE-2016-7930
CVSS: CRITICAL 9.8
CISA KEV: Not listed in stored evidence
Original CVE published: 2017-01-28
Original CVE updated: 2026-05-13
Advisory published: 2017-01-28
Advisory updated: 2026-05-13

Who should care

Administrators, incident responders, and security teams that run tcpdump on untrusted packet captures or live traffic should treat this as high priority, especially on systems where tcpdump is used routinely for troubleshooting or automated analysis.

Technical summary

NVD describes the weakness as a buffer overflow in tcpdump’s LLC/SNAP parsing path, specifically print-llc.c:llc_print(), mapped to CWE-119. The CVSS vector is CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H, indicating a network-reachable issue with no privileges or user interaction required and potential high impact to confidentiality, integrity, and availability. NVD’s affected CPE range includes tcpdump versions up to 4.8.1.

Defensive priority

Urgent. This is a critical, unauthenticated, network-reachable parser bug in a widely used analysis tool, so systems exposing tcpdump to untrusted traffic or captures should be prioritized for upgrade and exposure reduction.

Recommended defensive actions

  • Upgrade tcpdump to 4.9.0 or later, or to a vendor package that explicitly includes the fix.
  • Check systems and images for tcpdump versions at or below 4.8.1, using package inventory or software composition tools.
  • Limit tcpdump use on untrusted captures and live traffic to trusted, controlled workflows until patched.
  • Review vendor advisories referenced in the CVE record, including Debian DSA-3775, Red Hat RHSA-2017:1871, and Gentoo GLSA-201702-30, for distro-specific remediation guidance.
  • If immediate upgrading is not possible, reduce exposure by removing unnecessary tcpdump installations and restricting who can run packet-analysis jobs on sensitive systems.
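
One way to script the version check from the list above. This is an added example, not part of the NVD record or any vendor tooling. The function names and sample banners are constructed for illustration, and it assumes the installed binary prints a "tcpdump version X.Y.Z" banner for `tcpdump --version`.

```shell
#!/bin/sh
# Added example: flag tcpdump builds below the fixed upstream release.
FIXED="4.9.0"   # fixed release named in the CVE description on this page

# Pull the first dotted version number (e.g. 4.8.1) out of a version banner.
extract_version() {
    printf '%s\n' "$1" | grep -Eo '[0-9]+(\.[0-9]+)+' | head -n 1
}

# Succeed (exit 0) when version $1 is numerically lower than version $2.
version_lt() {
    awk -v a="$1" -v b="$2" 'BEGIN {
        n = split(a, x, "."); m = split(b, y, ".")
        max = (n > m) ? n : m
        for (i = 1; i <= max; i++) {
            xi = (i <= n) ? x[i] + 0 : 0
            yi = (i <= m) ? y[i] + 0 : 0
            if (xi < yi) exit 0
            if (xi > yi) exit 1
        }
        exit 1   # equal versions are not "lower"
    }'
}

# Print "REVIEW <ver>", "OK <ver>" or "UNKNOWN" for a banner string.
# REVIEW rather than VULNERABLE: a vendor package may carry the fix under an
# older upstream version string, so confirm against the vendor advisory.
classify_tcpdump() {
    ver=$(extract_version "$1")
    if [ -z "$ver" ]; then
        echo "UNKNOWN"
    elif version_lt "$ver" "$FIXED"; then
        echo "REVIEW $ver"
    else
        echo "OK $ver"
    fi
}

# Constructed sample banners (not captured from real hosts).
for banner in "tcpdump version 4.8.1" "tcpdump version 4.9.0" "tcpdump version 4.10.0"; do
    printf '%-28s -> %s\n' "$banner" "$(classify_tcpdump "$banner")"
done

# Classify the local binary, if one is installed.
if command -v tcpdump >/dev/null 2>&1; then
    printf 'local: %s\n' "$(classify_tcpdump "$(tcpdump --version 2>&1)")"
fi
```

The comparison is numeric per field, so 4.10.0 sorts above 4.9.0 where a plain string comparison would not.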

Evidence notes

The debrief is based on the NVD CVE record and the CVE description supplied in the source corpus. NVD lists the issue as a CWE-119 buffer overflow with CVSS 9.8 and affected tcpdump versions through 4.8.1. Supporting vendor and third-party references in the record include Debian DSA-3775, Red Hat RHSA-2017:1871, Gentoo GLSA-201702-30, SecurityFocus BID 95852, and SecurityTracker 1037755.

Official resources

CVE published on 2017-01-28. The supplied NVD snapshot was modified on 2026-05-13. Use the CVE publication date as the issue disclosure date and the modified date only as record maintenance context.