PatchSiren

CVE-2016-7931 Tcpdump CVE debrief

CVE-2016-7931 is a critical buffer overflow in tcpdump’s MPLS parser. The flaw is in print-mpls.c:mpls_print() and affects tcpdump versions before 4.9.0. NVD rates the issue 9.8 (AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H), indicating a high-impact vulnerability in affected deployments.

  • Vendor: Tcpdump
  • Product: CVE-2016-7931
  • CVSS: CRITICAL 9.8
  • CISA KEV: Not listed in stored evidence
  • Original CVE published: 2017-01-28
  • Original CVE updated: 2026-05-13
  • Advisory published: 2017-01-28
  • Advisory updated: 2026-05-13

Who should care

Anyone running tcpdump 4.8.1 or earlier, especially systems that process untrusted packet data or rely on tcpdump in operational, forensic, or monitoring workflows. Distribution maintainers and security teams should also verify that packaged tcpdump builds include the fix.

Technical summary

NVD identifies the weakness as CWE-119 and describes a buffer overflow in the MPLS parsing path, specifically print-mpls.c:mpls_print(). The NVD CPE criteria mark tcpdump versions through 4.8.1 as vulnerable, and the record indicates the issue was addressed in tcpdump 4.9.0. Downstream advisories from Debian, Red Hat, and Gentoo are listed in the CVE references, confirming broad vendor tracking of the defect.

Defensive priority

High priority. This is a pre-auth, no-user-interaction flaw with critical CVSS severity, so affected environments should treat remediation as urgent.

Recommended defensive actions

  • Upgrade tcpdump to 4.9.0 or a vendor backport that explicitly includes the fix.
  • Verify packaged versions in all distributions, appliances, and embedded systems that ship tcpdump.
  • Prioritize remediation on hosts that inspect untrusted traffic or process externally supplied packet captures.
  • Review downstream advisories and vendor errata to confirm the installed package is no longer affected.
  • If immediate upgrade is not possible, reduce exposure by limiting use of tcpdump on untrusted inputs and restricting who can run capture/analysis workflows.
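
An added example (not part of the original debrief or any vendor tooling): a POSIX shell triage of tcpdump version banners against the 4.9.0 fix boundary, comparing fields numerically so that 4.10.x or 4.99.x is not misread as older than 4.9.0. The banner strings are constructed, and the function names and result labels are assumptions of this example.

```shell
#!/bin/sh
# Added example: classify tcpdump version banners for CVE-2016-7931.
# Function names and result labels are this example's own (assumptions).

FIXED_IN="4.9.0"   # first upstream release with the fix, per the debrief

# Pull "X.Y.Z" out of a banner such as "tcpdump version 4.8.1".
tcpdump_version_from_banner() {
    printf '%s\n' "$1" |
        sed -n 's/^tcpdump version \([0-9][0-9.]*\).*/\1/p' | head -n 1
}

# Succeed when version $1 is numerically lower than $2, field by field.
version_lt() {
    a=$1; b=$2
    while [ -n "$a" ] || [ -n "$b" ]; do
        x=${a%%.*}; y=${b%%.*}
        if [ "$a" = "$x" ]; then a=""; else a=${a#*.}; fi
        if [ "$b" = "$y" ]; then b=""; else b=${b#*.}; fi
        x=${x:-0}; y=${y:-0}
        if [ "$x" -lt "$y" ]; then return 0; fi
        if [ "$x" -gt "$y" ]; then return 1; fi
    done
    return 1   # equal versions are not "lower"
}

# Print: affected-or-backported | fixed | unknown
classify_tcpdump() {
    v=$(tcpdump_version_from_banner "$1")
    if [ -z "$v" ]; then
        echo "unknown"
    elif version_lt "$v" "$FIXED_IN"; then
        # Below 4.9.0: vulnerable unless the vendor advisory confirms a backport.
        echo "affected-or-backported"
    else
        echo "fixed"
    fi
}

# Constructed sample banners (not captured from real hosts).
for banner in "tcpdump version 4.8.1" "tcpdump version 4.9.0" \
              "tcpdump version 4.99.1" "not a tcpdump banner"; do
    printf '%-26s -> %s\n' "$banner" "$(classify_tcpdump "$banner")"
done
# On a host: classify_tcpdump "$(tcpdump --version 2>&1)"
```

A result of affected-or-backported still has to be resolved against the distribution's advisory (Debian DSA-3775, Red Hat RHSA-2017:1871, Gentoo GLSA-201702-30), since a vendor backport can carry the fix under an upstream version number below 4.9.0.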

Evidence notes

All claims are drawn from the supplied NVD record and CVE references. NVD states the vulnerability is a buffer overflow in print-mpls.c:mpls_print(), assigns CWE-119, and lists tcpdump versions through 4.8.1 as vulnerable. The record’s CVSS vector is CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H with a 9.8 score. Referenced advisories include Debian DSA-3775, Red Hat RHSA-2017:1871, and Gentoo GLSA-201702-30. No exploit details or unsupported remediation claims are included.

Official resources

The CVE was published on 2017-01-28. The source item was last modified on 2026-05-13, which is a record update date and not the vulnerability disclosure date.