PatchSiren cyber security CVE debrief

CVE-2016-7983 Tcpdump CVE debrief

CVE-2016-7983 is a critical memory-corruption flaw in tcpdump's BOOTP parser. According to the CVE record, the issue is a buffer overflow in print-bootp.c:bootp_print() affecting tcpdump versions before 4.9.0. NVD rates the issue CVSS 3.0 9.8 and classifies it as CWE-119. The NVD CPE criteria also mark tcpdump versions through 4.8.1 as vulnerable. Because the vector is network-reachable, requires no privileges, and needs no user interaction, it should be treated as a high-priority patching issue for environments that process untrusted packet captures or traffic.

Vendor: Tcpdump
Product: CVE-2016-7983
CVSS: CRITICAL 9.8
CISA KEV: Not listed in stored evidence
Original CVE published: 2017-01-28
Original CVE updated: 2026-05-13
Advisory published: 2017-01-28
Advisory updated: 2026-05-13

Who should care

Security teams running tcpdump on servers, appliances, analysis workstations, packet capture pipelines, and any automation that parses untrusted network traffic should care immediately. This is especially important where tcpdump is used in incident response, monitoring, or scheduled parsing jobs, because the affected code is in packet decoding logic that may be reached by hostile input.

Technical summary

The flaw is a buffer overflow in the BOOTP parsing path inside bootp_print(). The CVE record and NVD both identify it as a CWE-119 memory-safety issue. NVD assigns CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H, indicating a network-reachable issue with no privileges or user interaction required and potentially severe confidentiality, integrity, and availability impact. The vulnerability applies to tcpdump versions before 4.9.0; NVD's vulnerable CPE range explicitly includes versions through 4.8.1.

Defensive priority

High. The combination of critical CVSS, unauthenticated reachability, and parser-side memory corruption makes this an urgent upgrade item for any system that may parse attacker-controlled or otherwise untrusted network data.

Recommended defensive actions

  • Upgrade tcpdump to 4.9.0 or later, using your vendor's supported package update path.
  • Check packaged versions in Debian, Red Hat, and Gentoo advisories referenced in the CVE record to confirm fixed builds for your distribution.
  • Reduce exposure by limiting where tcpdump is run on untrusted capture files or live traffic until patched.
  • Inventory scripts, scheduled jobs, and troubleshooting workflows that invoke tcpdump, including nested dependencies in security tooling.
  • Verify deployed versions against the NVD vulnerable range and your vendor's backport status before closing remediation.
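
One way to script the version check from the last item, as an added example that is not part of the original advisory or of tcpdump itself. The function names, the output labels and the sample banners are hypothetical; the "tcpdump version X.Y.Z" banner format is an assumption.

```shell
#!/bin/sh
# Added example: compare a tcpdump version banner with the fixed release
# named on this page (4.9.0). Function names and labels are hypothetical.
FIXED="4.9.0"

# Pull the upstream version out of a banner such as "tcpdump version 4.8.1".
extract_version() {
    printf '%s\n' "$1" |
        sed -n 's/.*tcpdump version \([0-9][0-9.]*\).*/\1/p' | head -n 1
}

# Succeed when dotted version $1 is lower than $2. Fields are compared as
# numbers, so 4.10.0 is not mistaken for a release older than 4.9.0.
version_lt() {
    awk -v a="$1" -v b="$2" 'BEGIN {
        n = split(a, x, "."); m = split(b, y, ".")
        max = (n > m) ? n : m
        for (i = 1; i <= max; i++) {
            if (x[i] + 0 < y[i] + 0) exit 0
            if (x[i] + 0 > y[i] + 0) exit 1
        }
        exit 1
    }'
}

# IN_RANGE means the upstream number is below 4.9.0; a distribution build
# may still carry a backported fix, so confirm against the vendor advisory.
classify_tcpdump() {
    ver=$(extract_version "$1")
    if [ -z "$ver" ]; then
        echo "UNKNOWN"
    elif version_lt "$ver" "$FIXED"; then
        echo "IN_RANGE $ver"
    else
        echo "NOT_IN_RANGE $ver"
    fi
}

# Constructed sample banners; on a host, pass "$(tcpdump --version 2>&1)".
for banner in "tcpdump version 4.8.1" "tcpdump version 4.9.0" \
              "tcpdump version 4.10.0" "no banner here"; do
    printf '%-24s -> %s\n' "$banner" "$(classify_tcpdump "$banner")"
done
```

An UNKNOWN result means the banner could not be parsed and the host needs a manual check; it is not evidence of a fixed build.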

Evidence notes

The CVE description states: 'The BOOTP parser in tcpdump before 4.9.0 has a buffer overflow in print-bootp.c:bootp_print().' NVD assigns CVSS 3.0 9.8 with vector AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H and lists CWE-119. NVD CPE criteria mark tcpdump through 4.8.1 as vulnerable. The CVE was published on 2017-01-28; the later 2026-05-13 modified timestamp is a record update, not the issue date.

Official resources

The CVE was published on 2017-01-28. The supplied record shows later metadata modification on 2026-05-13, but no KEV listing or ransomware linkage was provided in the source corpus.