PatchSiren


CVE-2016-7992 Tcpdump CVE debrief

CVE-2016-7992 is a critical memory-corruption flaw in tcpdump’s Classical IP over ATM parsing path. The vulnerable code is in print-cip.c:cip_if_print(), and the issue is rated CVSS 9.8, with high confidentiality, integrity, and availability impact.

Vendor: Tcpdump
Product: CVE-2016-7992
CVSS: CRITICAL 9.8
CISA KEV: Not listed in stored evidence
Original CVE published: 2017-01-28
Original CVE updated: 2026-05-13
Advisory published: 2017-01-28
Advisory updated: 2026-05-13

Who should care

Security teams, Linux distribution maintainers, and anyone running tcpdump or tcpdump-derived packages should pay attention, especially where the tool processes untrusted packet captures or live network traffic. Organizations that rely on packet analysis in incident response, monitoring, or automation should prioritize patching.

Technical summary

The CVE describes a buffer overflow in tcpdump’s Classical IP over ATM parser, specifically in print-cip.c:cip_if_print(). NVD maps the weakness to CWE-119 and assigns CVSS 3.0 vector CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H. The CVE description states tcpdump versions before 4.9.0 are affected; NVD’s affected-version data lists tcpdump through 4.8.1.

Defensive priority

Immediate

Recommended defensive actions

  • Upgrade tcpdump to a fixed release, or install the vendor-maintained security update for your distribution.
  • Confirm deployed package versions across hosts, containers, and appliances that include tcpdump.
  • If tcpdump must handle untrusted captures, isolate it in a restricted environment and minimize privileges.
  • Review automation or scheduled jobs that parse packet captures and ensure they use patched binaries.
  • Track vendor advisories from your distribution for backported fixes and package-specific remediation guidance.

Evidence notes

The CVE record and NVD entry identify a buffer overflow in tcpdump’s Classical IP over ATM parser at print-cip.c:cip_if_print(). The supplied NVD metadata lists a CVSS 3.0 score of 9.8 and CWE-119. The CVE description says affected releases are those before 4.9.0, while NVD’s version-range data lists versions through 4.8.1 as vulnerable. Referenced vendor and distribution advisories include Debian DSA-3775, Red Hat RHSA-2017:1871, and Gentoo GLSA 201702-30.

Official resources

CVE published 2017-01-28T01:59:00.937Z. NVD metadata was last modified 2026-05-13T00:24:29.033Z. Use the published date for disclosure timing; the modified date is source-maintenance context only.