PatchSiren cyber security CVE debrief

CVE-2016-7935 Tcpdump CVE debrief

CVE-2016-7935 is a critical memory-corruption issue in tcpdump’s RTP parser. According to NVD, tcpdump versions through 4.8.1 are affected, and the flaw is a buffer overflow in print-udp.c:rtp_print(). Because tcpdump processes network traffic, the issue is especially important anywhere packet capture or analysis is performed on untrusted input.

Vendor:                 Tcpdump
Product:                CVE-2016-7935
CVSS:                   CRITICAL 9.8
CISA KEV:               Not listed in stored evidence
Original CVE published: 2017-01-28
Original CVE updated:   2026-05-13
Advisory published:     2017-01-28
Advisory updated:       2026-05-13

Who should care

Security teams, Linux distribution maintainers, and operators running tcpdump on untrusted network traffic should care most. This includes packet capture appliances, IDS/monitoring pipelines, and any system that uses tcpdump for live analysis or automated parsing.

Technical summary

The vulnerability is described as a buffer overflow in the RTP parsing path of tcpdump, specifically in print-udp.c:rtp_print(). NVD maps it to CWE-119 (improper restriction of operations within the bounds of a memory buffer) and assigns the CVSS 3.0 vector AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H: network-reachable, low attack complexity, no privileges or user interaction required, and high confidentiality, integrity, and availability impact. In practice this means a crafted RTP packet arriving on a monitored link, or a crafted capture file opened for analysis, can reach the flawed code path without any interaction from the operator. The NVD CPE criteria mark tcpdump through 4.8.1 as vulnerable.

Defensive priority

High. Network-facing parsers are high-risk because they are reached by crafted traffic during routine monitoring, and tcpdump often runs with elevated privileges in order to capture. The published severity is critical, and the affected version range covers every release prior to 4.9.0, so upgrade priority should be immediate for any exposed or actively used tcpdump deployment.

Recommended defensive actions

  • Upgrade tcpdump to a version at or above 4.9.0.
  • Inventory systems and appliances that ship or embed tcpdump, including distro packages and security tooling.
  • Prioritize remediation on systems that process untrusted or externally sourced traffic.
  • Apply vendor or distribution updates referenced in downstream advisories where direct package upgrades are not immediately possible.
  • Confirm no stale 4.8.1-or-earlier packages remain in base images, golden images, or offline appliances.
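As an added example (not part of the PatchSiren debrief and not tcpdump's own tooling), the POSIX shell script below applies the threshold from the actions above to inventory data: it normalizes `tcpdump --version` output or package version strings, compares versions component by component so that 4.10.x or 4.99.x is not mistaken for an affected build, and flags hosts still reporting 4.8.1 or earlier. The host names and version strings in the sample inventory are constructed for the example.

```shell
#!/bin/sh
# Added example, not part of the PatchSiren debrief: classify tcpdump
# version strings against the CVE-2016-7935 fix threshold (4.9.0).

FIXED_IN="4.9.0"   # first release the debrief names as fixed

# normalize_version: keep only the leading dotted numeric part of a version
# string, e.g. "tcpdump version 4.8.1" -> "4.8.1", "4.9.0-1ubuntu1" -> "4.9.0".
# Prints nothing when no version number can be found.
normalize_version() {
    printf '%s\n' "$1" | sed -n 's/^[^0-9]*\([0-9][0-9.]*\).*/\1/p' | sed 's/\.$//'
}

# version_lt A B: exit 0 when A is older than B. Each dot-separated component
# is compared numerically, so 4.10.0 sorts after 4.9.0 (a string compare would not).
version_lt() {
    a="$1"; b="$2"
    while [ -n "$a" ] || [ -n "$b" ]; do
        pa=${a%%.*}; pb=${b%%.*}
        case "$a" in *.*) a=${a#*.} ;; *) a="" ;; esac
        case "$b" in *.*) b=${b#*.} ;; *) b="" ;; esac
        pa=${pa:-0}; pb=${pb:-0}          # missing components count as 0 (4.9 == 4.9.0)
        if [ "$pa" -lt "$pb" ]; then return 0; fi
        if [ "$pa" -gt "$pb" ]; then return 1; fi
    done
    return 1   # equal
}

# is_affected VERSION_STRING: exit 0 if the version is in the affected range
# (anything older than 4.9.0, i.e. through 4.8.1), 1 if fixed, 2 if unparseable.
is_affected() {
    v=$(normalize_version "$1")
    if [ -z "$v" ]; then return 2; fi
    if version_lt "$v" "$FIXED_IN"; then return 0; fi
    return 1
}

# classify VERSION_STRING: print a one-word verdict suitable for a report.
classify() {
    rc=0
    is_affected "$1" || rc=$?
    case $rc in
        0) echo "AFFECTED" ;;
        1) echo "FIXED" ;;
        *) echo "UNKNOWN" ;;
    esac
}

# sample_inventory: constructed rows, one "host<TAB>version string" per line,
# standing in for output collected from fleet hosts, images and appliances.
sample_inventory() {
    printf 'sensor-01\ttcpdump version 4.8.1\n'
    printf 'sensor-02\ttcpdump version 4.9.2\n'
    printf 'golden-image\ttcpdump version 4.10.0\n'
    printf 'appliance-x\tversion string missing\n'
}

# report_affected: read inventory rows from stdin and print only the hosts
# still on an affected build (unparseable rows are left for manual review).
report_affected() {
    tab=$(printf '\t')
    while IFS="$tab" read -r host ver; do
        if [ "$(classify "$ver")" = AFFECTED ]; then
            printf '%s\t%s\n' "$host" "$ver"
        fi
    done
    return 0
}

# Stand-alone use: check the local tcpdump if one is installed, then the sample rows.
if command -v tcpdump >/dev/null 2>&1; then
    local_ver=$(tcpdump --version 2>&1 | head -n 1)
    printf 'local\t%s\t%s\n' "$local_ver" "$(classify "$local_ver")"
fi
sample_inventory | report_affected
```

Feed `report_affected` real rows collected with `tcpdump --version` (older releases print it to stderr, which the script merges) or with the package manager's version query, and treat every UNKNOWN verdict as a gap in the inventory rather than as a pass.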

Evidence notes

The CVE description states that the RTP parser in tcpdump before 4.9.0 has a buffer overflow in print-udp.c:rtp_print(). NVD's affected-version criteria specify tcpdump versions through 4.8.1. NVD also assigns a CVSS 3.0 base score of 9.8 and CWE-119. Downstream advisories are referenced from Debian, Red Hat, and Gentoo, supporting that the issue was tracked by major vendors. No exploit details are included here beyond the supplied record.

Official resources

CVE published by NVD on 2017-01-28 and modified on 2026-05-13. No Known Exploited Vulnerabilities (KEV) listing is present in the supplied data.