PatchSiren

PatchSiren cyber security CVE debrief

CVE-2017-5485 Tcpdump CVE debrief

CVE-2017-5485 is a critical buffer overflow in tcpdump’s ISO CLNS parser, specifically addrtoname.c:lookup_nsap(). The official record rates it CVSS 9.8 and maps affected tcpdump releases through 4.8.1. Systems that use tcpdump to process untrusted network traffic or packet data should be updated to a fixed release as a high priority.

Vendor: Tcpdump
Product: CVE-2017-5485
CVSS: CRITICAL 9.8
CISA KEV: Not listed in stored evidence
Original CVE published: 2017-01-28
Original CVE updated: 2026-05-13
Advisory published: 2017-01-28
Advisory updated: 2026-05-13

Who should care

Security and platform teams that install or package tcpdump, administrators running packet capture or analysis workflows, and teams that process untrusted network traffic or capture data. Linux distribution maintainers should also confirm they have pulled in the vendor backports or errata tied to their packages.

Technical summary

The vulnerability is a memory-safety flaw in tcpdump’s ISO CLNS parsing path. The CVE description states that the parser in addrtoname.c:lookup_nsap() has a buffer overflow. NVD classifies the weakness as CWE-119 and gives the issue a CVSS v3.0 vector of AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H. The NVD CPE criteria mark tcpdump versions up to and including 4.8.1 as vulnerable, consistent with the description noting impact before 4.9.0.

Defensive priority

Immediate. This is a remotely reachable parser memory-corruption issue with critical severity, so patching or replacing affected tcpdump builds should be treated as urgent.

Recommended defensive actions

  • Upgrade tcpdump to a fixed release at 4.9.0 or later, or install the vendor backport/errata provided by your Linux distribution.
  • Inventory systems and automation that invoke tcpdump, especially where it may process untrusted traffic, packet captures, or uploaded traces.
  • If patching cannot be immediate, limit exposure by restricting who can run tcpdump and what inputs it can analyze.
  • Confirm package updates against vendor advisories for your platform, since the supplied references include Debian, Red Hat, and Gentoo notices for this CVE.
  • After remediation, verify the installed tcpdump version and retest packet-analysis workflows with nonproduction data.
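The last step, confirming the installed version after remediation, is easy to script. The functions below are an added example, not code from the PatchSiren debrief or from the tcpdump project: they parse the first line of `tcpdump --version` output (assumed to have the form "tcpdump version X.Y.Z"), compare it with the 4.9.0 fix release named above, and report fixed, vulnerable or unknown. The banner strings are constructed samples; the final call reads the real binary if one is installed.

```shell
# Added example (not from the PatchSiren debrief): check a tcpdump version
# banner against the 4.9.0 upstream fix release for CVE-2017-5485.

# Extract the numeric version from the first banner line,
# e.g. "tcpdump version 4.8.1" -> "4.8.1" (empty if the line does not match).
tcpdump_version_from_banner() {
    printf '%s\n' "$1" | sed -nE '1s/^tcpdump version ([0-9][0-9.]*).*$/\1/p'
}

# Return 0 when a bare version is 4.9.0 or later, 1 otherwise.
# Only major.minor matter here because the fix release is 4.9.0 itself.
tcpdump_is_fixed() {
    num=$(printf '%s' "$1" | sed -E 's/^[^0-9]*//; s/[^0-9.].*$//')
    major=$(printf '%s' "$num" | cut -d. -f1)
    minor=$(printf '%s' "$num" | cut -d. -s -f2)
    major=${major:-0}
    minor=${minor:-0}
    if [ "$major" -gt 4 ]; then return 0; fi
    if [ "$major" -lt 4 ]; then return 1; fi
    [ "$minor" -ge 9 ]
}

# Map a version banner to one of: fixed / vulnerable / unknown.
cve_2017_5485_status() {
    v=$(tcpdump_version_from_banner "$1")
    if [ -z "$v" ]; then echo unknown; return 0; fi
    if tcpdump_is_fixed "$v"; then echo fixed; else echo vulnerable; fi
}

# Live check against the installed binary. Some releases print the banner on
# stderr, so both streams are merged before taking the first line.
check_installed_tcpdump() {
    command -v tcpdump >/dev/null 2>&1 || { echo "tcpdump not installed"; return 0; }
    banner=$(tcpdump --version 2>&1 | head -n 1)
    echo "$banner -> $(cve_2017_5485_status "$banner")"
}

# Constructed sample banners, then the real binary if present.
for sample in 'tcpdump version 4.8.1' 'tcpdump version 4.9.0' 'libpcap version 1.10.1'; do
    echo "$sample -> $(cve_2017_5485_status "$sample")"
done
check_installed_tcpdump
```

One caveat the debrief already points at: distribution packages that carry the fix as a backport or errata keep their older upstream version number, so a plain comparison like this can report a patched Debian or Red Hat package as vulnerable. On such systems treat "vulnerable" as a prompt to check the package changelog or vendor advisory rather than as a final answer.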

Evidence notes

This debrief is based on the official CVE/NVD record and linked distributor advisories. The supplied NVD metadata describes a buffer overflow in addrtoname.c:lookup_nsap(), assigns CVSS 3.0 9.8, and identifies tcpdump versions through 4.8.1 as vulnerable. The CVE was published on 2017-01-28 and later modified in the NVD record on 2026-05-13; that later metadata update does not change the original disclosure date.

Official resources

Publicly disclosed in the CVE record on 2017-01-28. The supplied NVD metadata was modified on 2026-05-13, but that is not the vulnerability issue date. No Known Exploited Vulnerabilities (KEV) entry was provided in the supplied enrichment.