CVE-2015-8158
Description
The getresponse function in ntpq in NTP versions before 4.2.8p9 and 4.3.x before 4.3.90 allows remote attackers to cause a denial of service (infinite loop) via crafted packets with incorrect values.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
The getresponse function in ntpq before NTP 4.2.8p6 can loop infinitely when processing crafted packets, causing denial of service.
Vulnerability
The getresponse function in ntpq processes incoming packets in a loop. The loop only terminates on a complete correct response or a few specific error conditions. If a crafted packet contains incorrect values that do not trigger any error condition, the loop continues indefinitely, causing an infinite loop. This affects NTP versions prior to 4.2.8p6 and 4.3.x prior to 4.3.90 [4]. Note that this is an attack against ntpq, not ntpd.
Exploitation
An attacker can trigger the infinite loop by sending crafted packets to an ntpq client. The attacker must either own a malicious NTP server that the client trusts, prevent the legitimate server from sending packets to the client, or perform a man-in-the-middle (MITM) attack on the ntpq communication [4]. No authentication is required, but the attacker must have network access to the client and be able to send packets with incorrect values.
Impact
Successful exploitation causes a denial of service (DoS) through an infinite loop, consuming client resources and rendering ntpq unresponsive. There is no impact on confidentiality or integrity, and the CVSS v3 score is 5.9 (medium) [4].
Mitigation
Upgrade to NTP 4.2.8p6 or later, or to 4.3.90 or later [4]. Updated packages are available for various distributions, such as Red Hat Enterprise Linux [1] and FreeBSD [2]. If an upgrade is not immediately possible, restrict network access to ntpq clients and only use them against trusted NTP servers.
AI Insight generated on May 23, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
Affected products
115cpe:2.3:a:ntp:ntp:4.3.0:*:*:*:*:*:*:*+ 90 more
- cpe:2.3:a:ntp:ntp:4.3.0:*:*:*:*:*:*:*
- cpe:2.3:a:ntp:ntp:4.3.1:*:*:*:*:*:*:*
- cpe:2.3:a:ntp:ntp:4.3.10:*:*:*:*:*:*:*
- cpe:2.3:a:ntp:ntp:4.3.11:*:*:*:*:*:*:*
- cpe:2.3:a:ntp:ntp:4.3.12:*:*:*:*:*:*:*
- cpe:2.3:a:ntp:ntp:4.3.13:*:*:*:*:*:*:*
- cpe:2.3:a:ntp:ntp:4.3.14:*:*:*:*:*:*:*
- cpe:2.3:a:ntp:ntp:4.3.15:*:*:*:*:*:*:*
- cpe:2.3:a:ntp:ntp:4.3.16:*:*:*:*:*:*:*
- cpe:2.3:a:ntp:ntp:4.3.17:*:*:*:*:*:*:*
- cpe:2.3:a:ntp:ntp:4.3.18:*:*:*:*:*:*:*
- cpe:2.3:a:ntp:ntp:4.3.19:*:*:*:*:*:*:*
- cpe:2.3:a:ntp:ntp:4.3.2:*:*:*:*:*:*:*
- cpe:2.3:a:ntp:ntp:4.3.20:*:*:*:*:*:*:*
- cpe:2.3:a:ntp:ntp:4.3.21:*:*:*:*:*:*:*
- cpe:2.3:a:ntp:ntp:4.3.22:*:*:*:*:*:*:*
- cpe:2.3:a:ntp:ntp:4.3.23:*:*:*:*:*:*:*
- cpe:2.3:a:ntp:ntp:4.3.24:*:*:*:*:*:*:*
- cpe:2.3:a:ntp:ntp:4.3.25:*:*:*:*:*:*:*
- cpe:2.3:a:ntp:ntp:4.3.26:*:*:*:*:*:*:*
- cpe:2.3:a:ntp:ntp:4.3.27:*:*:*:*:*:*:*
- cpe:2.3:a:ntp:ntp:4.3.28:*:*:*:*:*:*:*
- cpe:2.3:a:ntp:ntp:4.3.29:*:*:*:*:*:*:*
- cpe:2.3:a:ntp:ntp:4.3.3:*:*:*:*:*:*:*
- cpe:2.3:a:ntp:ntp:4.3.30:*:*:*:*:*:*:*
- cpe:2.3:a:ntp:ntp:4.3.31:*:*:*:*:*:*:*
- cpe:2.3:a:ntp:ntp:4.3.32:*:*:*:*:*:*:*
- cpe:2.3:a:ntp:ntp:4.3.33:*:*:*:*:*:*:*
- cpe:2.3:a:ntp:ntp:4.3.34:*:*:*:*:*:*:*
- cpe:2.3:a:ntp:ntp:4.3.35:*:*:*:*:*:*:*
- cpe:2.3:a:ntp:ntp:4.3.36:*:*:*:*:*:*:*
- cpe:2.3:a:ntp:ntp:4.3.37:*:*:*:*:*:*:*
- cpe:2.3:a:ntp:ntp:4.3.38:*:*:*:*:*:*:*
- cpe:2.3:a:ntp:ntp:4.3.39:*:*:*:*:*:*:*
- cpe:2.3:a:ntp:ntp:4.3.4:*:*:*:*:*:*:*
- cpe:2.3:a:ntp:ntp:4.3.40:*:*:*:*:*:*:*
- cpe:2.3:a:ntp:ntp:4.3.41:*:*:*:*:*:*:*
- cpe:2.3:a:ntp:ntp:4.3.42:*:*:*:*:*:*:*
- cpe:2.3:a:ntp:ntp:4.3.43:*:*:*:*:*:*:*
- cpe:2.3:a:ntp:ntp:4.3.44:*:*:*:*:*:*:*
- cpe:2.3:a:ntp:ntp:4.3.45:*:*:*:*:*:*:*
- cpe:2.3:a:ntp:ntp:4.3.46:*:*:*:*:*:*:*
- cpe:2.3:a:ntp:ntp:4.3.47:*:*:*:*:*:*:*
- cpe:2.3:a:ntp:ntp:4.3.48:*:*:*:*:*:*:*
- cpe:2.3:a:ntp:ntp:4.3.49:*:*:*:*:*:*:*
- cpe:2.3:a:ntp:ntp:4.3.5:*:*:*:*:*:*:*
- cpe:2.3:a:ntp:ntp:4.3.50:*:*:*:*:*:*:*
- cpe:2.3:a:ntp:ntp:4.3.51:*:*:*:*:*:*:*
- cpe:2.3:a:ntp:ntp:4.3.52:*:*:*:*:*:*:*
- cpe:2.3:a:ntp:ntp:4.3.53:*:*:*:*:*:*:*
- cpe:2.3:a:ntp:ntp:4.3.54:*:*:*:*:*:*:*
- cpe:2.3:a:ntp:ntp:4.3.55:*:*:*:*:*:*:*
- cpe:2.3:a:ntp:ntp:4.3.56:*:*:*:*:*:*:*
- cpe:2.3:a:ntp:ntp:4.3.57:*:*:*:*:*:*:*
- cpe:2.3:a:ntp:ntp:4.3.58:*:*:*:*:*:*:*
- cpe:2.3:a:ntp:ntp:4.3.59:*:*:*:*:*:*:*
- cpe:2.3:a:ntp:ntp:4.3.6:*:*:*:*:*:*:*
- cpe:2.3:a:ntp:ntp:4.3.60:*:*:*:*:*:*:*
- cpe:2.3:a:ntp:ntp:4.3.61:*:*:*:*:*:*:*
- cpe:2.3:a:ntp:ntp:4.3.62:*:*:*:*:*:*:*
- cpe:2.3:a:ntp:ntp:4.3.63:*:*:*:*:*:*:*
- cpe:2.3:a:ntp:ntp:4.3.64:*:*:*:*:*:*:*
- cpe:2.3:a:ntp:ntp:4.3.65:*:*:*:*:*:*:*
- cpe:2.3:a:ntp:ntp:4.3.66:*:*:*:*:*:*:*
- cpe:2.3:a:ntp:ntp:4.3.67:*:*:*:*:*:*:*
- cpe:2.3:a:ntp:ntp:4.3.68:*:*:*:*:*:*:*
- cpe:2.3:a:ntp:ntp:4.3.69:*:*:*:*:*:*:*
- cpe:2.3:a:ntp:ntp:4.3.7:*:*:*:*:*:*:*
- cpe:2.3:a:ntp:ntp:4.3.70:*:*:*:*:*:*:*
- cpe:2.3:a:ntp:ntp:4.3.71:*:*:*:*:*:*:*
- cpe:2.3:a:ntp:ntp:4.3.72:*:*:*:*:*:*:*
- cpe:2.3:a:ntp:ntp:4.3.73:*:*:*:*:*:*:*
- cpe:2.3:a:ntp:ntp:4.3.74:*:*:*:*:*:*:*
- cpe:2.3:a:ntp:ntp:4.3.75:*:*:*:*:*:*:*
- cpe:2.3:a:ntp:ntp:4.3.76:*:*:*:*:*:*:*
- cpe:2.3:a:ntp:ntp:4.3.77:*:*:*:*:*:*:*
- cpe:2.3:a:ntp:ntp:4.3.78:*:*:*:*:*:*:*
- cpe:2.3:a:ntp:ntp:4.3.79:*:*:*:*:*:*:*
- cpe:2.3:a:ntp:ntp:4.3.8:*:*:*:*:*:*:*
- cpe:2.3:a:ntp:ntp:4.3.80:*:*:*:*:*:*:*
- cpe:2.3:a:ntp:ntp:4.3.81:*:*:*:*:*:*:*
- cpe:2.3:a:ntp:ntp:4.3.82:*:*:*:*:*:*:*
- cpe:2.3:a:ntp:ntp:4.3.83:*:*:*:*:*:*:*
- cpe:2.3:a:ntp:ntp:4.3.84:*:*:*:*:*:*:*
- cpe:2.3:a:ntp:ntp:4.3.85:*:*:*:*:*:*:*
- cpe:2.3:a:ntp:ntp:4.3.86:*:*:*:*:*:*:*
- cpe:2.3:a:ntp:ntp:4.3.87:*:*:*:*:*:*:*
- cpe:2.3:a:ntp:ntp:4.3.88:*:*:*:*:*:*:*
- cpe:2.3:a:ntp:ntp:4.3.89:*:*:*:*:*:*:*
- cpe:2.3:a:ntp:ntp:*:p5:*:*:*:*:*:*range: <=4.2.8
- (no CPE)range: <4.2.8p9
- osv-coords24 versionspkg:rpm/opensuse/ntp&distro=openSUSE%20Tumbleweedpkg:rpm/suse/ntp&distro=SUSE%20Linux%20Enterprise%20Desktop%2012pkg:rpm/suse/ntp&distro=SUSE%20Linux%20Enterprise%20Desktop%2012%20SP1pkg:rpm/suse/ntp&distro=SUSE%20Linux%20Enterprise%20Server%2011%20SP2-LTSSpkg:rpm/suse/ntp&distro=SUSE%20Linux%20Enterprise%20Server%2011%20SP3-LTSSpkg:rpm/suse/ntp&distro=SUSE%20Linux%20Enterprise%20Server%2011%20SP3-TERADATApkg:rpm/suse/ntp&distro=SUSE%20Linux%20Enterprise%20Server%2011%20SP4pkg:rpm/suse/ntp&distro=SUSE%20Linux%20Enterprise%20Server%2012pkg:rpm/suse/ntp&distro=SUSE%20Linux%20Enterprise%20Server%2012%20SP1pkg:rpm/suse/ntp&distro=SUSE%20Linux%20Enterprise%20Server%20for%20SAP%20Applications%2011%20SP4pkg:rpm/suse/ntp&distro=SUSE%20Linux%20Enterprise%20Server%20for%20SAP%20Applications%2012pkg:rpm/suse/ntp&distro=SUSE%20Linux%20Enterprise%20Server%20for%20SAP%20Applications%2012%20SP1pkg:rpm/suse/ntp&distro=SUSE%20Manager%202.1pkg:rpm/suse/ntp&distro=SUSE%20Manager%20Proxy%202.1pkg:rpm/suse/ntp&distro=SUSE%20OpenStack%20Cloud%205pkg:rpm/suse/yast2-ntp-client&distro=SUSE%20Linux%20Enterprise%20Desktop%2012pkg:rpm/suse/yast2-ntp-client&distro=SUSE%20Linux%20Enterprise%20Desktop%2012%20SP1pkg:rpm/suse/yast2-ntp-client&distro=SUSE%20Linux%20Enterprise%20Server%2011%20SP2-LTSSpkg:rpm/suse/yast2-ntp-client&distro=SUSE%20Linux%20Enterprise%20Server%2012pkg:rpm/suse/yast2-ntp-client&distro=SUSE%20Linux%20Enterprise%20Server%2012%20SP1pkg:rpm/suse/yast2-ntp-client&distro=SUSE%20Linux%20Enterprise%20Server%20for%20SAP%20Applications%2012pkg:rpm/suse/yast2-ntp-client&distro=SUSE%20Linux%20Enterprise%20Server%20for%20SAP%20Applications%2012%20SP1pkg:rpm/suse/yast2-ntp-client&distro=SUSE%20Linux%20Enterprise%20Software%20Development%20Kit%2012pkg:rpm/suse/yast2-ntp-client&distro=SUSE%20Linux%20Enterprise%20Software%20Development%20Kit%2012%20SP1
< 4.2.8p9-1.1+ 23 more
- (no CPE)range: < 4.2.8p9-1.1
- (no CPE)range: < 4.2.8p6-46.5.2
- (no CPE)range: < 4.2.8p6-8.2
- (no CPE)range: < 4.2.8p6-41.1
- (no CPE)range: < 4.2.8p6-41.1
- (no CPE)range: < 4.2.8p6-41.1
- (no CPE)range: < 4.2.8p6-8.2
- (no CPE)range: < 4.2.8p6-46.5.2
- (no CPE)range: < 4.2.8p6-8.2
- (no CPE)range: < 4.2.8p6-8.2
- (no CPE)range: < 4.2.8p6-46.5.2
- (no CPE)range: < 4.2.8p6-8.2
- (no CPE)range: < 4.2.8p6-41.1
- (no CPE)range: < 4.2.8p6-41.1
- (no CPE)range: < 4.2.8p6-41.1
- (no CPE)range: < 3.1.12.4-8.2
- (no CPE)range: < 3.1.22-6.2
- (no CPE)range: < 2.17.14.1-1.12.1
- (no CPE)range: < 3.1.12.4-8.2
- (no CPE)range: < 3.1.22-6.2
- (no CPE)range: < 3.1.12.4-8.2
- (no CPE)range: < 3.1.22-6.2
- (no CPE)range: < 3.1.12.4-8.2
- (no CPE)range: < 3.1.22-6.2
Patches
0No patches discovered yet.
Vulnerability mechanics
AI mechanics synthesis has not run for this CVE yet.
References
11- support.ntp.org/bin/view/Main/NtpBug2948nvdVendor Advisory
- www.securityfocus.com/bid/81814nvdThird Party AdvisoryVDB Entry
- www.kb.cert.org/vuls/id/718152nvdThird Party AdvisoryUS Government Resource
- rhn.redhat.com/errata/RHSA-2016-2583.htmlnvd
- www.debian.org/security/2016/dsa-3629nvd
- www.securitytracker.com/id/1034782nvd
- h20566.www2.hpe.com/hpsc/doc/public/displaynvd
- h20566.www2.hpe.com/hpsc/doc/public/displaynvd
- security.freebsd.org/advisories/FreeBSD-SA-16:09.ntp.ascnvd
- security.gentoo.org/glsa/201607-15nvd
- security.netapp.com/advisory/ntap-20171031-0001/nvd
News mentions
0No linked articles in our index yet.