PatchSiren cyber security CVE debrief

CVE-2016-7986 Tcpdump CVE debrief

CVE-2016-7986 is a critical buffer overflow in tcpdump’s GeoNetworking parser, affecting multiple functions in print-geonet.c. NVD assigns a CVSS 3.0 score of 9.8 (AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H), indicating a remotely reachable, low-complexity flaw that requires neither privileges nor user interaction. The CVE record and vendor advisories indicate affected tcpdump releases before 4.9.0, while NVD’s vulnerable CPE range ends at 4.8.1.

Vendor: Tcpdump
Product: CVE-2016-7986
CVSS: CRITICAL 9.8
CISA KEV: Not listed in stored evidence
Original CVE published: 2017-01-28
Original CVE updated: 2026-05-13
Advisory published: 2017-01-28
Advisory updated: 2026-05-13

Who should care

Security teams running tcpdump on systems that process untrusted packet captures or monitor untrusted network traffic should prioritize this. Distribution maintainers and platform teams should also care, since the supplied references include Debian, Red Hat, and Gentoo advisories tied to this issue.

Technical summary

The vulnerability is a buffer overflow in tcpdump’s GeoNetworking packet parser, specifically in multiple functions of print-geonet.c. NVD classifies the weakness as CWE-119. The issue is exposed during packet parsing, so any untrusted traffic or capture file that reaches the GeoNetworking parser can trigger it, and the published CVSS vector indicates a network-reachable, low-complexity condition with no privileges or user interaction required. The supplied corpus shows affected tcpdump versions before 4.9.0, with NVD mapping vulnerability coverage through 4.8.1.

Defensive priority

High. This is a critical parser memory-safety flaw in a widely used network analysis tool, with a 9.8 CVSS score and potential high impact on confidentiality, integrity, and availability.

Recommended defensive actions

  • Upgrade tcpdump to a version that includes the fix; the supplied references indicate the vulnerable range is before 4.9.0.
  • Review package or distribution advisories referenced here (Debian, Red Hat, Gentoo) to confirm the appropriate fixed package for your platform.
  • Prioritize remediation on systems that analyze untrusted packet captures or exposed network traffic.
  • If immediate upgrading is not possible, reduce exposure by limiting who can run tcpdump and what captures it processes.
  • Track asset inventories for installed tcpdump versions so vulnerable releases can be identified quickly.
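The inventory check described in the last two actions, as an added example that is not PatchSiren's own tooling: it parses upstream tcpdump version strings (as reported by `tcpdump --version` or a package query) and flags hosts whose version is strictly before 4.9.0. The inventory lines and host names are constructed sample data.

```python
"""Flag tcpdump installs in the CVE-2016-7986 range (before 4.9.0).

Added example, not PatchSiren's code. Input lines are "<host> <version text>";
the sample inventory below is constructed, not real asset data.
"""
import re

# Per the CVE record, releases before 4.9.0 are affected.
FIXED_VERSION = (4, 9, 0)

# Constructed sample inventory (host names and versions are made up).
SAMPLE_INVENTORY = """\
sensor-01 tcpdump version 4.8.1
sensor-02 tcpdump version 4.9.0
capture-gw tcpdump version 4.99.1
legacy-box tcpdump version 4.7.4
build-host tcpdump version 4.9.0-3 (distribution package release)
unknown-box tcpdump version string missing
"""


def parse_version(text):
    """Return the upstream (major, minor, patch) tuple found in text, or None.
    A distribution release suffix such as 4.9.0-3 is ignored: only the
    upstream digits decide whether the release falls in the CVE range."""
    m = re.search(r"\b(\d+)\.(\d+)(?:\.(\d+))?\b", text)
    if not m:
        return None
    return (int(m.group(1)), int(m.group(2)), int(m.group(3) or 0))


def is_vulnerable(version):
    """True when the upstream version is strictly before 4.9.0.
    Caveat: a distribution may backport the fix without changing the
    upstream version, so confirm against the platform advisory."""
    return version < FIXED_VERSION


def audit(inventory):
    """Return (vulnerable, unknown): hosts mapped to their version tuple,
    and hosts whose version could not be parsed and need manual review."""
    vulnerable, unknown = {}, []
    for line in inventory.splitlines():
        host, _, rest = line.partition(" ")
        version = parse_version(rest)
        if version is None:
            unknown.append(host)
        elif is_vulnerable(version):
            vulnerable[host] = version
    return vulnerable, unknown


if __name__ == "__main__":
    found, unparsed = audit(SAMPLE_INVENTORY)
    for host, ver in found.items():
        print(f"{host}: tcpdump {'.'.join(map(str, ver))} < 4.9.0, upgrade required")
    for host in unparsed:
        print(f"{host}: version not recognised, review manually")
```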

Evidence notes

All claims are limited to the supplied corpus. The CVE description states that tcpdump before 4.9.0 has a buffer overflow in the GeoNetworking parser in print-geonet.c, multiple functions. NVD lists CWE-119 and CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H. The supplied NVD metadata also maps affected tcpdump versions through 4.8.1. References in the corpus include Debian, Red Hat, and Gentoo advisories.

Official resources

Publicly disclosed in the CVE record on 2017-01-28. The supplied source metadata was last modified on 2026-05-13, but that date reflects record updates, not the original vulnerability disclosure date.