PatchSiren

PatchSiren cyber security CVE debrief

CVE-2016-7985 Tcpdump CVE debrief

CVE-2016-7985 is a critical buffer overflow in tcpdump’s CALM FAST parser, specifically in print-calm-fast.c:calm_fast_print(). The CVE was published on 2017-01-28; NVD later updated the record on 2026-05-13, which reflects record maintenance rather than the original disclosure date. Source references include Debian, Red Hat, and Gentoo advisories for affected systems.

Vendor: Tcpdump
Product: CVE-2016-7985
CVSS: CRITICAL 9.8
CISA KEV: Not listed in stored evidence
Original CVE published: 2017-01-28
Original CVE updated: 2026-05-13
Advisory published: 2017-01-28
Advisory updated: 2026-05-13

Who should care

Security teams, Linux distribution maintainers, and operators who rely on tcpdump for packet analysis should treat this as a high-priority patch item, especially where tcpdump may process untrusted capture data or network traffic.

Technical summary

The issue is a CWE-119 buffer overflow in tcpdump’s CALM FAST parser. The supplied corpus describes the vulnerable range as tcpdump versions before 4.9.0, while NVD’s CPE criteria list affected versions through 4.8.1. NVD assigns a CVSS 3.0 base score of 9.8 (network attack vector, low attack complexity, no privileges required, no user interaction).

Defensive priority

Critical. Patch immediately and verify all packaged tcpdump instances are upgraded to a fixed release or distribution backport.

Recommended defensive actions

  • Upgrade tcpdump to a fixed release; the supplied corpus indicates 4.9.0 or later.
  • Check distribution advisories and apply vendor package updates from Debian, Red Hat, Gentoo, or your OS vendor.
  • Inventory systems and workflows that invoke tcpdump or consume packet captures from untrusted sources.
  • Limit exposure of tcpdump to untrusted input until patched, including automated parsing jobs and forensic pipelines.
  • Validate that patched versions are deployed everywhere tcpdump is bundled, including appliances and embedded tooling.
  • Track affected package versions carefully, since the source corpus shows a version-bound discrepancy between the narrative description and NVD CPE data.
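A small version check supporting the inventory and validation steps above, added here as an example and not code from PatchSiren or the tcpdump project. It assumes the first dotted number on the first line of `tcpdump --version` output is the upstream version and compares it numerically against the 4.9.0 fix level named in this debrief.

```sh
#!/bin/sh
# Added example, not PatchSiren's or tcpdump's own code: classify a tcpdump
# version string against the 4.9.0 fix level named in the debrief, and check
# the local binary if present. Assumes the first dotted number in the first
# line of `tcpdump --version` output is the upstream version.

FIXED_VERSION="4.9.0"

# Pull the first dotted numeric token out of a --version line,
# e.g. "tcpdump version 4.8.1" -> "4.8.1".
extract_version() {
    printf '%s\n' "$1" | grep -o '[0-9][0-9]*\(\.[0-9][0-9]*\)*' | head -n 1
}

# Return 0 when $1 >= $2, comparing dot-separated fields numerically,
# so 4.10.0 ranks above 4.9.0 (a plain string compare would get this wrong).
version_ge() {
    a="$1"; b="$2"
    while [ -n "$a" ] || [ -n "$b" ]; do
        x="${a%%.*}"; y="${b%%.*}"
        [ -n "$x" ] || x=0
        [ -n "$y" ] || y=0
        [ "$x" -gt "$y" ] && return 0
        [ "$x" -lt "$y" ] && return 1
        case "$a" in *.*) a="${a#*.}" ;; *) a="" ;; esac
        case "$b" in *.*) b="${b#*.}" ;; *) b="" ;; esac
    done
    return 0
}

# Print fixed / vulnerable / unknown for one --version line.
assess_version_line() {
    v=$(extract_version "$1")
    [ -n "$v" ] || { echo unknown; return 2; }
    if version_ge "$v" "$FIXED_VERSION"; then echo fixed; return 0; fi
    echo vulnerable; return 1
}

# Constructed sample lines (not real system output) showing each outcome.
for line in "tcpdump version 4.8.1" "tcpdump version 4.9.0" "tcpdump version 4.99.4"; do
    printf '%-28s -> %s\n' "$line" "$(assess_version_line "$line")"
done

# Check the installed binary; --version may write to stderr on older builds.
# A "vulnerable" result on a distro package is not final: vendor backports can
# keep an older upstream number, so confirm against the vendor advisory too.
if command -v tcpdump >/dev/null 2>&1; then
    printf 'installed: %s\n' "$(assess_version_line "$(tcpdump --version 2>&1 | head -n 1)")"
fi
```

Run it on each host or inside each container image that bundles tcpdump; where the result is "vulnerable" on a distribution package, check the package changelog against the Debian, Red Hat, or Gentoo advisory before concluding the fix is absent.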

Evidence notes

The description states a buffer overflow in print-calm-fast.c:calm_fast_print() affecting tcpdump before 4.9.0. NVD classifies the weakness as CWE-119 and lists CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H. References in the corpus point to Debian DSA-3775, Red Hat RHSA-2017:1871, and Gentoo GLSA 201702-30.

Official resources

CVE published 2017-01-28. The supplied NVD record was last modified 2026-05-13. No KEV entry was provided in the corpus, and no ransomware-campaign linkage was provided.