PatchSiren

PatchSiren cyber security CVE debrief

CVE-2016-7975 Tcpdump CVE debrief

CVE-2016-7975 is a critical buffer overflow in tcpdump's TCP parser, specifically in print-tcp.c:tcp_print(). NVD rates the issue 9.8 (CVSS 3.0) with network attack vector, no privileges, no user interaction, and high impact to confidentiality, integrity, and availability. The official record lists tcpdump versions through 4.8.1 as vulnerable; remediation is to move to a fixed release such as 4.9.0 or later.

Vendor
Tcpdump
Product
tcpdump
CVSS
CRITICAL 9.8
CISA KEV
Not listed in stored evidence
Original CVE published
2017-01-28
Original CVE updated
2026-05-13
Advisory published
2017-01-28
Advisory updated
2026-05-13

Who should care

Security teams, Linux/Unix administrators, SOC and incident response teams, and package maintainers who run tcpdump on systems that analyze untrusted packet captures or live network traffic.

Technical summary

The vulnerable code path is the TCP parser in print-tcp.c:tcp_print(). NVD classifies the weakness as CWE-119 (improper restriction of operations within the bounds of a memory buffer, i.e. a buffer overflow). The CVSS 3.0 vector is AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H: the parser is reachable from the network, exploitation needs no privileges or user interaction, and the rated impact to confidentiality, integrity, and availability is high. NVD's vulnerable CPE scope covers tcpdump up to and including 4.8.1; the fix shipped in 4.9.0.

Defensive priority

High. tcpdump performs no authentication of its input: every packet it captures or reads from a file reaches the parser, and on many hosts it runs with the privileges needed to capture. Systems that process untrusted traffic or capture files with an affected version should therefore be prioritized for patching and version verification.

Recommended defensive actions

  • Inventory all tcpdump installations and identify affected versions.
  • Upgrade tcpdump to 4.9.0 or later, or apply the vendor/distro package update referenced by your platform.
  • Prioritize systems that inspect untrusted packet captures or live network traffic.
  • Verify remediation with package/version checks after updating. Distribution packages (Debian, Red Hat and others listed in the advisories) may backport the fix without changing the upstream version number, so compare the installed package version against your distribution's advisory rather than relying on the 4.9.0 threshold alone.
  • If patching is delayed, reduce exposure: do not open untrusted capture files with, or capture untrusted traffic using, an unpatched binary, and isolate impacted systems until they are fixed.
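The inventory and verification steps above come down to one question per host: does the installed tcpdump report a version older than the 4.9.0 fix? The script below is an added example written for this debrief; it is not code from the tcpdump project, the CVE record, or any of the linked advisories. It parses the banner that `tcpdump --version` prints (the first line is of the form `tcpdump version X.Y.Z`, sometimes with a distribution suffix) and compares it field by field with 4.9.0 without depending on GNU `sort -V`. The function and variable names are this example's own, and the sample banners used in the usage note are constructed.

```shell
#!/bin/sh
# Added example for this debrief, not code from the tcpdump project or the CVE record.
# Classifies a `tcpdump --version` banner against the upstream fix for CVE-2016-7975,
# which the record places at 4.9.0. Exit status: 0 = reported version is older than
# 4.9.0 (upstream-vulnerable), 1 = 4.9.0 or later, 2 = banner could not be parsed.
tcpdump_version_vulnerable() {
    banner="$1"
    # Pull "X.Y[.Z]" out of the first matching line; distribution suffixes such as
    # "4.5.1-ubuntu" are tolerated because only the leading digits and dots are kept.
    ver=$(printf '%s\n' "$banner" | sed -n 's/^tcpdump version \([0-9][0-9.]*\).*/\1/p' | head -n 1)
    [ -n "$ver" ] || return 2
    # Numeric field-by-field comparison with 4.9.0; awk's exit status becomes ours.
    printf '%s\n' "$ver" | awk -F. '{
        if ($1 + 0 < 4 || ($1 + 0 == 4 && $2 + 0 < 9)) exit 0
        exit 1
    }'
}

# Convenience wrapper for the host being inventoried (hypothetical helper name).
# Older tcpdump builds print the banner on stderr, so both streams are captured.
# Returns the same status as tcpdump_version_vulnerable; the message is for a
# human reader or a collection job that aggregates results across hosts.
check_installed_tcpdump() {
    bin=${1:-tcpdump}
    out=$("$bin" --version 2>&1) || true
    tcpdump_version_vulnerable "$out"
    rc=$?
    case $rc in
        0) echo "VULNERABLE (upstream < 4.9.0): $bin reports '$out'" ;;
        1) echo "fixed (>= 4.9.0): $bin reports '$out'" ;;
        *) echo "unparsed banner: $bin reports '$out'" ;;
    esac
    return $rc
}
```

Run `check_installed_tcpdump` (or `check_installed_tcpdump /path/to/tcpdump` for a non-default binary) on each host from your inventory and collect the exit status. A status of 0 on a distribution package is a prompt to consult that distribution's advisory, not a final verdict: vendors often backport the fix without raising the upstream version, so confirm with the package metadata (for example `dpkg -s tcpdump` on Debian derivatives, or `rpm -q --changelog tcpdump | grep CVE-2016-7975` on Red Hat derivatives) before closing the finding.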

Evidence notes

Primary evidence comes from the official CVE and NVD records, which identify the TCP parser buffer overflow in tcpdump, the print-tcp.c:tcp_print() location, the CWE-119 classification, the CVSS 3.0 9.8 score, and the vulnerable version range through 4.8.1. The source metadata also lists downstream advisories from Debian, Red Hat, Gentoo, SecurityFocus, SecurityTracker, and a Debian bug thread as corroborating references.

Official resources

Published in the CVE/NVD record on 2017-01-28. NVD last modified the record on 2026-05-13. This debrief uses the CVE publication date for timing context.