CVE-2016-7433
Description
NTP before 4.2.8p9 does not properly perform the initial sync calculations, which allows remote attackers to have unspecified impact via unknown vectors, related to a "root distance that did not include the peer dispersion."
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
NTP before 4.2.8p9 excludes peer dispersion from root distance, causing inaccurate synchronization and potential disruption.
Vulnerability
NTP versions before 4.2.8p9 do not include the peer dispersion when calculating the root distance during initial synchronization [1][4]. This flaw causes the synchronization algorithm to overestimate the root distance, leading to inaccurate time adjustments. The issue is present in all NTP releases prior to 4.2.8p9 [2].
Exploitation
An attacker with network access can send crafted NTP packets to a vulnerable client or server, exploiting the flawed root distance computation. The exact vectors are not publicly disclosed, but the vulnerability can be triggered without authentication [4]. Exploitation likely requires the attacker to be on the network path or to control a malicious NTP server.
Impact
Successful exploitation can degrade time synchronization accuracy, potentially causing clients to reject valid time sources or select incorrect servers. This may lead to incorrect system time, denial of service, or unspecified impacts on time-sensitive protocols [4]. The severity is medium with a CVSS v3 base score of 5.3.
Mitigation
Upgrade to NTP 4.2.8p9 or later, released on November 21, 2016 [2]. Patches are available from Red Hat (RHEL 6 and 7) [1] and FreeBSD (all supported versions) [4]. No workarounds have been published.
AI Insight generated on May 23, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
Affected products
osv-coords, 19 versions:
- pkg:rpm/opensuse/ntp&distro=openSUSE%20Tumbleweed (no CPE), range: < 4.2.8p9-1.1
- pkg:rpm/suse/ntp&distro=SUSE%20Linux%20Enterprise%20Desktop%2012%20SP1 (no CPE), range: < 4.2.8p9-55.1
- pkg:rpm/suse/ntp&distro=SUSE%20Linux%20Enterprise%20Desktop%2012%20SP2 (no CPE), range: < 4.2.8p9-55.1
- pkg:rpm/suse/ntp&distro=SUSE%20Linux%20Enterprise%20Point%20of%20Sale%2011%20SP3 (no CPE), range: < 4.2.8p9-48.9.1
- pkg:rpm/suse/ntp&distro=SUSE%20Linux%20Enterprise%20Server%2011%20SP2-LTSS (no CPE), range: < 4.2.8p9-48.9.1
- pkg:rpm/suse/ntp&distro=SUSE%20Linux%20Enterprise%20Server%2011%20SP3-LTSS (no CPE), range: < 4.2.8p9-48.9.1
- pkg:rpm/suse/ntp&distro=SUSE%20Linux%20Enterprise%20Server%2011%20SP3-TERADATA (no CPE), range: < 4.2.8p9-48.9.1
- pkg:rpm/suse/ntp&distro=SUSE%20Linux%20Enterprise%20Server%2011%20SP4 (no CPE), range: < 4.2.8p9-57.2
- pkg:rpm/suse/ntp&distro=SUSE%20Linux%20Enterprise%20Server%2012%20SP1 (no CPE), range: < 4.2.8p9-55.1
- pkg:rpm/suse/ntp&distro=SUSE%20Linux%20Enterprise%20Server%2012%20SP2 (no CPE), range: < 4.2.8p9-55.1
- pkg:rpm/suse/ntp&distro=SUSE%20Linux%20Enterprise%20Server%2012-LTSS (no CPE), range: < 4.2.8p9-46.18.1
- pkg:rpm/suse/ntp&distro=SUSE%20Linux%20Enterprise%20Server%20for%20Raspberry%20Pi%2012%20SP2 (no CPE), range: < 4.2.8p9-55.1
- pkg:rpm/suse/ntp&distro=SUSE%20Linux%20Enterprise%20Server%20for%20SAP%20Applications%2011%20SP4 (no CPE), range: < 4.2.8p9-57.2
- pkg:rpm/suse/ntp&distro=SUSE%20Linux%20Enterprise%20Server%20for%20SAP%20Applications%2012 (no CPE), range: < 4.2.8p9-46.18.1
- pkg:rpm/suse/ntp&distro=SUSE%20Linux%20Enterprise%20Server%20for%20SAP%20Applications%2012%20SP1 (no CPE), range: < 4.2.8p9-55.1
- pkg:rpm/suse/ntp&distro=SUSE%20Linux%20Enterprise%20Server%20for%20SAP%20Applications%2012%20SP2 (no CPE), range: < 4.2.8p9-55.1
- pkg:rpm/suse/ntp&distro=SUSE%20Manager%202.1 (no CPE), range: < 4.2.8p9-48.9.1
- pkg:rpm/suse/ntp&distro=SUSE%20Manager%20Proxy%202.1 (no CPE), range: < 4.2.8p9-48.9.1
- pkg:rpm/suse/ntp&distro=SUSE%20OpenStack%20Cloud%205 (no CPE), range: < 4.2.8p9-48.9.1
Patches
No patches discovered yet.
References
- nwtime.org/ntp428p9_release/ (nvd; Release Notes, Vendor Advisory)
- support.ntp.org/bin/view/Main/NtpBug3067 (nvd; Issue Tracking, Mitigation, Vendor Advisory)
- support.ntp.org/bin/view/Main/SecurityNotice (nvd; Vendor Advisory)
- www.kb.cert.org/vuls/id/633847 (nvd; Third Party Advisory, US Government Resource)
- lists.opensuse.org/opensuse-updates/2016-12/msg00153.html (nvd)
- rhn.redhat.com/errata/RHSA-2017-0252.html (nvd)
- www.huawei.com/en/psirt/security-advisories/huawei-sa-20171129-01-ntpd-en (nvd)
- www.oracle.com/technetwork/security-advisory/cpuoct2017-3236626.html (nvd)
- www.securityfocus.com/archive/1/539955/100/0/threaded (nvd)
- www.securityfocus.com/archive/1/540254/100/0/threaded (nvd)
- www.securityfocus.com/archive/1/archive/1/539955/100/0/threaded (nvd)
- www.securityfocus.com/archive/1/archive/1/540254/100/0/threaded (nvd)
- www.securityfocus.com/bid/94455 (nvd)
- www.securitytracker.com/id/1037354 (nvd)
- www.ubuntu.com/usn/USN-3349-1 (nvd)
- bto.bluecoat.com/security-advisory/sa139 (nvd)
- cert-portal.siemens.com/productcert/pdf/ssa-211752.pdf (nvd)
- h20566.www2.hpe.com/hpsc/doc/public/display (nvd)
- lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/ILMSYVQMMF37MANYEO7KBHOPSC74EKGN/ (nvd)
- lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/PABKEYX6ABBFJZGMXKH57X756EJUDS3C/ (nvd)
- lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/U5E3XBBCK5IXOLDAH2E4M3QKIYIHUMMP/ (nvd)
- security.freebsd.org/advisories/FreeBSD-SA-16:39.ntp.asc (nvd)
- us-cert.cisa.gov/ics/advisories/icsa-21-159-11 (nvd)
- www.broadcom.com/support/fibre-channel-networking/security-advisories/brocade-security-advisory-2017-227 (nvd)
- www.broadcom.com/support/fibre-channel-networking/security-advisories/brocade-security-advisory-2017-227/ (nvd)