PatchSiren

PatchSiren cyber security CVE debrief

CVE-2016-7984 Tcpdump CVE debrief

CVE-2016-7984 is a critical memory-corruption issue in tcpdump’s TFTP parser. The flaw is described as a buffer overflow in print-tftp.c:tftp_print(), and NVD rates the issue 9.8/10 with network access, no privileges, no user interaction, and high impact to confidentiality, integrity, and availability. The supplied CVE description says tcpdump before 4.9.0 is affected; NVD’s CPE data marks vulnerable versions through 4.8.1.

Vendor: Tcpdump
Product: CVE-2016-7984
CVSS: CRITICAL 9.8
CISA KEV: Not listed in stored evidence
Original CVE published: 2017-01-28
Original CVE updated: 2026-05-13
Advisory published: 2017-01-28
Advisory updated: 2026-05-13

Who should care

Anyone running tcpdump to inspect live traffic, parse packet captures, or support network forensics should treat this as urgent—especially security teams, SOC/IR staff, appliance maintainers, and distro package maintainers.

Technical summary

The vulnerable code path is tcpdump’s TFTP parser in print-tftp.c:tftp_print(). A crafted TFTP packet can trigger a buffer overflow, which is why NVD assigns CWE-119 and a CVSS v3.0 vector of AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H. The public record indicates the issue affects tcpdump before 4.9.0, with NVD’s CPE range explicitly including versions up to 4.8.1.

Defensive priority

Urgent

Recommended defensive actions

  • Upgrade tcpdump to version 4.9.0 or later, or to the latest vendor-maintained build that includes the fix.
  • Prioritize patching systems that analyze untrusted network traffic or untrusted packet capture files.
  • Apply the relevant vendor package updates if you deploy distro builds (for example, Debian, Red Hat, or Gentoo packages referenced in the CVE record).
  • Inventory hosts, appliances, and forensic workstations to verify the installed tcpdump version and confirm remediation.
  • Temporarily minimize use of vulnerable tcpdump versions when processing untrusted captures until patched.
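
Added example (not part of the CVE record or of tcpdump itself): a shell helper for the inventory step above that classifies a `tcpdump --version` banner against the 4.9.0 threshold from the CVE description. The function names, result labels, and sample banners are constructed for illustration; it compares the upstream version number only, so distro builds should still be confirmed against the vendor advisory.

```shell
#!/bin/sh
# Added example: classify a tcpdump version banner against the 4.9.0
# threshold given in the CVE-2016-7984 description ("before 4.9.0").
# Compares the upstream version number only; for distro packages, confirm
# against the vendor advisory as well.

FIXED_MAJOR=4; FIXED_MINOR=9; FIXED_PATCH=0

# Print the dotted version that follows "tcpdump version" in a banner.
extract_tcpdump_version() {
    printf '%s\n' "$1" |
        sed -n 's/^.*tcpdump version \([0-9][0-9]*\(\.[0-9][0-9]*\)*\).*$/\1/p' |
        head -n 1
}

# Echo "affected", "not-affected", or "unknown" for a banner string.
classify_tcpdump() {
    ver=$(extract_tcpdump_version "$1")
    if [ -z "$ver" ]; then echo "unknown"; return 0; fi
    old_ifs=$IFS; IFS=.
    set -- $ver            # split "4.8.1" into $1=4 $2=8 $3=1
    IFS=$old_ifs
    major=${1:-0}; minor=${2:-0}; patch=${3:-0}
    # Numeric, field-by-field comparison (so 4.10 sorts above 4.9).
    if   [ "$major" -lt "$FIXED_MAJOR" ]; then echo "affected"
    elif [ "$major" -gt "$FIXED_MAJOR" ]; then echo "not-affected"
    elif [ "$minor" -lt "$FIXED_MINOR" ]; then echo "affected"
    elif [ "$minor" -gt "$FIXED_MINOR" ]; then echo "not-affected"
    elif [ "$patch" -lt "$FIXED_PATCH" ]; then echo "affected"
    else echo "not-affected"
    fi
}

# Constructed sample banners (not captured from real hosts).
# On a live host: classify_tcpdump "$(tcpdump --version 2>&1)"
for banner in \
    "tcpdump version 4.8.1
libpcap version 1.8.1" \
    "tcpdump version 4.9.0" \
    "tcpdump version 4.10.0" \
    "sh: tcpdump: not found"
do
    printf '%-14s %s\n' "$(classify_tcpdump "$banner")" \
        "$(printf '%s\n' "$banner" | head -n 1)"
done
```

An "unknown" result means the banner could not be parsed and the host needs a manual check rather than being counted as remediated.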

Evidence notes

The evidence corpus includes the CVE description stating “The TFTP parser in tcpdump before 4.9.0 has a buffer overflow in print-tftp.c:tftp_print().” NVD adds a CVSS v3.0 vector of AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H and CWE-119, and its CPE criteria mark tcpdump versions through 4.8.1 as vulnerable. The CVE metadata also references Debian DSA-3775, Red Hat RHSA-2017:1871, Gentoo GLSA 201702-30, SecurityFocus BID 95852, SecurityTracker 1037755, and a Debian bugs mailing list archive entry.

Official resources

CVE published on 2017-01-28 and last modified on 2026-05-13 in the supplied NVD source. This debrief is based only on the supplied CVE record and linked advisories.