CVE-2014-9296
Description
The receive function in ntp_proto.c in ntpd in NTP before 4.2.8 continues to execute after detecting a certain authentication error, which might allow remote attackers to trigger an unintended association change via crafted packets.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
A missing return on error in ntpd's receive function allows remote attackers to trigger unintended association changes via crafted packets.
Vulnerability
The receive function in ntp_proto.c in ntpd before version 4.2.8 fails to return after detecting a certain authentication error, causing execution to continue. This allows crafted packets to trigger unintended association changes. Affected versions: NTP before 4.2.8. [1][3]
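The fall-through described above, as an added illustration (not ntpd source and not taken from the cited advisories): a simplified C model with hypothetical names (`receive_vulnerable`, `receive_fixed`, `struct assoc`, `struct packet`) showing how detecting an authentication error without returning lets the state-changing code run anyway.

```c
#include <stdio.h>

/* Hypothetical, simplified model of a receive path; not ntpd source. */
enum auth_result { AUTH_OK, AUTH_ERROR };
enum assoc_state { ASSOC_SYNCED, ASSOC_RESET };

struct assoc  { enum assoc_state state; unsigned badauth; };
struct packet { enum auth_result auth; int requests_reset; };

/* State-changing step that must only run for authenticated packets. */
static void process_packet(struct assoc *a, const struct packet *p)
{
    if (p->requests_reset)
        a->state = ASSOC_RESET;
}

/* Flawed pattern: the error is detected and counted, but control falls through. */
void receive_vulnerable(struct assoc *a, const struct packet *p)
{
    if (p->auth == AUTH_ERROR) {
        a->badauth++;
        /* missing return: execution continues below */
    }
    process_packet(a, p);
}

/* Corrected pattern: stop processing as soon as authentication fails. */
void receive_fixed(struct assoc *a, const struct packet *p)
{
    if (p->auth == AUTH_ERROR) {
        a->badauth++;
        return;
    }
    process_packet(a, p);
}

int main(void)
{
    struct packet bad = { AUTH_ERROR, 1 };   /* constructed sample input */
    struct assoc v = { ASSOC_SYNCED, 0 }, f = { ASSOC_SYNCED, 0 };

    receive_vulnerable(&v, &bad);
    receive_fixed(&f, &bad);
    printf("vulnerable state=%d, fixed state=%d\n", v.state, f.state);
    return 0;
}
```

Both variants record the failure in `badauth`, so a counter or log entry alone does not show which behaviour a build has; only the association state differs.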
Exploitation
An unauthenticated remote attacker can send specially crafted NTP packets to a vulnerable ntpd instance. The missing return on error means the code continues processing despite authentication failure, enabling the attacker to manipulate associations. [1][4]
Impact
Successful exploitation could allow an attacker to cause an unintended association change, potentially leading to denial of service or other unspecified impacts. The Cisco advisory notes that this vulnerability is part of a set that could allow remote code execution or DoS, but for this specific CVE the impact is limited to association manipulation. [1][4]
Mitigation
The vulnerability is fixed in NTP version 4.2.8, released on December 19, 2014. Users should upgrade to 4.2.8 or later. Cisco and HP have released advisories with patches. No workaround is mentioned in the references. [1][2][3][4]
AI Insight generated on May 23, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
Affected products: 3
Patches: 0
No patches discovered yet.
References: 19
- bk1.ntp.org/ntp-dev/ (nvd; Exploit)
- support.ntp.org/bin/view/Main/SecurityNotice (nvd; Vendor Advisory)
- www.kb.cert.org/vuls/id/852879 (nvd; Third Party Advisory, US Government Resource)
- advisories.mageia.org/MGASA-2014-0541.html (nvd)
- bugs.ntp.org/show_bug.cgi (nvd)
- lists.opensuse.org/opensuse-security-announce/2014-12/msg00020.html (nvd)
- marc.info (nvd)
- marc.info (nvd)
- marc.info (nvd)
- rhn.redhat.com/errata/RHSA-2015-0104.html (nvd)
- secunia.com/advisories/62209 (nvd)
- www.mandriva.com/security/advisories (nvd)
- www.oracle.com/technetwork/security-advisory/cpuoct2016-2881722.html (nvd)
- www.securityfocus.com/bid/71758 (nvd)
- bugzilla.redhat.com/show_bug.cgi (nvd)
- h20564.www2.hpe.com/portal/site/hpsc/public/kb/docDisplay (nvd)
- kc.mcafee.com/corporate/index (nvd)
- tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-20141222-ntpd (nvd)
- www.arista.com/en/support/advisories-notices/security-advisories/1047-security-advisory-8 (nvd)