PatchSiren cyber security CVE debrief

CVE-2016-7974 Tcpdump CVE debrief

CVE-2016-7974 is a critical memory-safety issue in tcpdump's IP parser. NVD describes a buffer overflow in print-ip.c affecting multiple functions, with vulnerable versions through 4.8.1 and a critical CVSS 9.8 rating. Systems that use tcpdump to inspect untrusted packet data should treat remediation as urgent.

Vendor: Tcpdump
Product: CVE-2016-7974
CVSS: CRITICAL 9.8
CISA KEV: Not listed in stored evidence
Original CVE published: 2017-01-28
Original CVE updated: 2026-05-13
Advisory published: 2017-01-28
Advisory updated: 2026-05-13

Who should care

Administrators, security teams, forensic analysts, and platform owners running tcpdump on workstations, servers, or network-monitoring systems—especially where tcpdump processes untrusted or attacker-influenced capture data.

Technical summary

The NVD record classifies this issue as CWE-119 and assigns CVSS v3.0 vector AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H. The affected range is tcpdump versions up to and including 4.8.1; the issue is described as present before 4.9.0. The flaw is a buffer overflow in the IP parser in print-ip.c, spanning multiple functions, that occurs during packet parsing.

Defensive priority

Critical. This is a high-severity parser overflow in a widely used packet-analysis tool, so remediation should be prioritized wherever tcpdump is installed or embedded in operational workflows.

Recommended defensive actions

  • Upgrade tcpdump to 4.9.0 or later, or to a vendor package that explicitly includes the fix.
  • Inventory hosts, appliances, and toolchains that ship or depend on tcpdump, including troubleshooting and forensic systems.
  • Prioritize systems that analyze untrusted packet captures or live traffic from external networks.
  • Apply vendor guidance referenced in the record where applicable, including Debian DSA-3775, Red Hat RHSA-2017:1871, and Gentoo GLSA 201702-30.
  • Until patched, reduce exposure by limiting who can run tcpdump and avoiding analysis of untrusted capture inputs where possible.
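
One way to support the upgrade and inventory steps above, as an added example that is not part of the original debrief: a POSIX shell check that reads a tcpdump version banner and flags anything below 4.9.0 for review. The function names and the REVIEW/OK/UNKNOWN labels are assumptions of this example; a REVIEW result on a distribution package still has to be checked against the vendor advisory, since a vendor package may include the fix.

```shell
#!/bin/sh
# Added example: flag tcpdump builds whose upstream version is below 4.9.0.
FIXED_VERSION="4.9.0"   # fix line stated in the debrief

# Read banner text on stdin; print the version after "tcpdump version".
extract_tcpdump_version() {
    sed -n 's/^.*tcpdump version \([0-9][0-9]*\(\.[0-9][0-9]*\)*\).*$/\1/p' |
        head -n 1
}

# Return 0 when $1 < $2, comparing dot-separated fields numerically
# (a string comparison would wrongly rank 4.99.1 below 4.9.0).
version_lt() {
    a=$1 b=$2
    while [ -n "$a" ] || [ -n "$b" ]; do
        x=${a%%.*} y=${b%%.*}
        if [ "$a" = "$x" ]; then a=; else a=${a#*.}; fi
        if [ "$b" = "$y" ]; then b=; else b=${b#*.}; fi
        x=${x:-0} y=${y:-0}
        if [ "$x" -lt "$y" ]; then return 0; fi
        if [ "$x" -gt "$y" ]; then return 1; fi
    done
    return 1
}

# Print "REVIEW <ver>", "OK <ver>" or "UNKNOWN" for a banner on stdin.
# REVIEW means: below 4.9.0 upstream, confirm a vendor fix or upgrade.
classify_banner() {
    ver=$(extract_tcpdump_version)
    if [ -z "$ver" ]; then
        echo "UNKNOWN"
    elif version_lt "$ver" "$FIXED_VERSION"; then
        echo "REVIEW $ver"
    else
        echo "OK $ver"
    fi
}

# Check the local binary when present; the banner may go to stderr,
# so both streams are merged before parsing.
if command -v tcpdump >/dev/null 2>&1; then
    tcpdump --version 2>&1 | classify_banner
fi
```

For fleet inventory, the same function can be fed banners collected from remote hosts, one host at a time, and the REVIEW lines sorted to the top of the patch queue.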

Evidence notes

Supplied NVD metadata states: tcpdump is affected through version 4.8.1, the weakness is CWE-119, and the CVSS v3.0 vector is AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H. The CVE references include Debian, Red Hat, Gentoo, SecurityFocus, SecurityTracker, and a Debian mailing-list discussion. The supplied record also shows the CVE was published on 2017-01-28 and last modified on 2026-05-13.

Official resources

Published by NVD/CVE on 2017-01-28. The supplied source record was last modified on 2026-05-13. No KEV listing is indicated in the supplied data.