PatchSiren

PatchSiren cyber security CVE debrief

CVE-2016-7993 Tcpdump CVE debrief

CVE-2016-7993 is a critical tcpdump flaw in util-print.c:relts_print() that can lead to a buffer overflow while parsing multiple protocol families, including DNS, DVMRP, HSRP, IGMP, lightweight resolver protocol, and PIM. NVD lists affected tcpdump versions through 4.8.1 and assigns a CVSS 3.0 base score of 9.8 with no privileges or user interaction required. From a defensive standpoint, this is the kind of issue that matters anywhere tcpdump is used against untrusted packet data, such as troubleshooting systems, monitoring hosts, and analysis workflows that process captures from external sources. The safest response is to confirm the installed tcpdump version, move to 4.9.0 or later, and follow any distro-specific security advisories linked to the issue.

Vendor: Tcpdump
Product: CVE-2016-7993
CVSS: CRITICAL 9.8
CISA KEV: Not listed in stored evidence
Original CVE published: 2017-01-28
Original CVE updated: 2026-05-13
Advisory published: 2017-01-28
Advisory updated: 2026-05-13

Who should care

Security teams, Linux/Unix administrators, and anyone operating tcpdump on systems that inspect untrusted traffic or packet capture files. Organizations using distro-packaged tcpdump on monitoring, forensic, or troubleshooting hosts should prioritize this issue because the vulnerable versions are common and the affected code path spans multiple protocol parsers.

Technical summary

The vulnerable function is util-print.c:relts_print() in tcpdump. The public record describes a buffer overflow that can be reached through several protocol parsers, and NVD maps the issue to CWE-119 with a CVSS vector of CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H. NVD’s affected-version criteria list tcpdump versions up to and including 4.8.1, while the title and description indicate the issue is fixed in tcpdump 4.9.0.

Defensive priority

High. The score is critical and the affected surface is broad within tcpdump’s packet-parsing and output logic. Systems that analyze attacker-controlled captures or live traffic should be patched promptly.

Recommended defensive actions

  • Upgrade tcpdump to version 4.9.0 or later, or install the vendor package update that includes the fix.
  • Inventory hosts and appliances running tcpdump and identify any versions at or below 4.8.1.
  • Apply distro security advisories referenced in the record, including Debian, Red Hat, and Gentoo guidance where applicable.
  • Treat packet capture files and live traffic from untrusted sources as hostile input until patched.
  • If tcpdump must remain in use temporarily, restrict execution to trusted operators and minimize exposure of analysis systems to untrusted captures.
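The inventory step above needs a repeatable way to decide whether an installed tcpdump falls in the affected range (through 4.8.1) or carries the 4.9.0 fix. The script below is an added example for this debrief, not tooling from tcpdump or any distro; it assumes the `tcpdump --version` banner starts with "tcpdump version X.Y.Z", and the sample banner it checks is constructed.

```shell
#!/bin/sh
# Added example (not from the advisory): flag a tcpdump install that predates
# the 4.9.0 fix for CVE-2016-7993. NVD's affected range is "through 4.8.1".

# Pull "X.Y.Z" out of the banner that `tcpdump --version` prints.
# Assumption: the banner's first line looks like "tcpdump version 4.9.3";
# distro suffixes such as "4.9.3-3" are dropped after the numeric part.
tcpdump_version_from_banner() {
    printf '%s\n' "$1" | sed -n 's/^tcpdump version \([0-9][0-9.]*\).*/\1/p' | head -n 1
}

# Numeric comparison of dotted versions; prints -1, 0 or 1.
# Missing components count as 0, so "4.9" equals "4.9.0".
vercmp() {
    a="$1"; b="$2"
    while [ -n "$a" ] || [ -n "$b" ]; do
        ax="${a%%.*}"; bx="${b%%.*}"
        case "$a" in *.*) a="${a#*.}" ;; *) a="" ;; esac
        case "$b" in *.*) b="${b#*.}" ;; *) b="" ;; esac
        if [ "${ax:-0}" -lt "${bx:-0}" ]; then printf '%s\n' -1; return 0; fi
        if [ "${ax:-0}" -gt "${bx:-0}" ]; then printf '%s\n' 1; return 0; fi
    done
    printf '%s\n' 0
}

# Exit status 0 when the version is older than 4.9.0, i.e. still affected.
tcpdump_is_vulnerable() {
    [ "$(vercmp "$1" 4.9.0)" -lt 0 ]
}

# Classify raw banner text as VULNERABLE, PATCHED or UNKNOWN (plus the version).
classify_banner() {
    v="$(tcpdump_version_from_banner "$1")"
    if [ -z "$v" ]; then
        echo "UNKNOWN"
    elif tcpdump_is_vulnerable "$v"; then
        echo "VULNERABLE $v"
    else
        echo "PATCHED $v"
    fi
}

# Check the local binary; older builds print the banner to stderr, so capture both.
check_local_tcpdump() {
    if command -v tcpdump >/dev/null 2>&1; then
        classify_banner "$(tcpdump --version 2>&1 || true)"
    else
        echo "UNKNOWN (tcpdump not found)"
    fi
}

# Constructed sample banner, as an older distro build would print it.
SAMPLE_BANNER='tcpdump version 4.8.1
libpcap version 1.7.4'
classify_banner "$SAMPLE_BANNER"   # VULNERABLE 4.8.1
```

Run `check_local_tcpdump` on each host in the inventory; any VULNERABLE result maps directly to the upgrade action above, and UNKNOWN results need manual confirmation against the distro package version.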

Evidence notes

The debrief is based on the supplied NVD record and MITRE-linked references only. NVD states the vulnerable version range as tcpdump through 4.8.1, the weakness as CWE-119, and the CVSS vector as AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H. The public description identifies the affected code path as util-print.c:relts_print() and names the protocol parsers involved. Linked distro advisories confirm downstream vendor awareness and remediation paths.

Official resources

Publicly disclosed and published in the CVE record on 2017-01-28. Timeline context should be anchored to the CVE publication date, not later database modification dates.