VYPR
Unrated severity · NVD Advisory · Published Oct 3, 2019 · Updated Dec 3, 2025

CVE-2018-14461

Description

A buffer over-read in tcpdump's LDP parser before version 4.9.3 allows remote attackers to crash the program or potentially execute arbitrary code.

AI Insight

LLM-synthesized narrative grounded in this CVE's description and references.

Vulnerability

A buffer over-read exists in the LDP (Label Distribution Protocol) parser of tcpdump versions before 4.9.3, in the ldp_tlv_print() function of print-ldp.c. A remote attacker who sends a specially crafted LDP packet triggers the over-read when tcpdump processes the packet's TLV (Type-Length-Value) fields [2][3]. No special configuration is required beyond running tcpdump on an interface that receives the malicious traffic.
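The bounds-check pattern at issue in the LDP_TLV_FT_SESSION case of ldp_tlv_print(), as an added illustration that is not tcpdump's code: the required length is derived from the fields actually read, and both the captured byte count and the TLV's declared length are checked before any read. The field layout is taken from RFC 3479; every name and the sample bytes are constructed for this example.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

/* FT Session TLV value layout (RFC 3479). The required length is derived
 * from the last field read, so the check cannot drift from the reads. */
enum { FT_OFF_FLAGS = 0, FT_OFF_RESERVED = 2, FT_OFF_RECONNECT = 4,
       FT_OFF_RECOVERY = 8, FT_SESSION_LEN = FT_OFF_RECOVERY + 4 };

enum ft_status { FT_OK = 0, FT_TRUNCATED = -1, FT_BAD_TLV = -2 };

struct ft_session { uint16_t flags; uint32_t reconnect_ms, recovery_ms; };

static uint16_t be16(const uint8_t *p) { return (uint16_t)((p[0] << 8) | p[1]); }
static uint32_t be32(const uint8_t *p) {
    return ((uint32_t)p[0] << 24) | ((uint32_t)p[1] << 16) |
           ((uint32_t)p[2] << 8) | (uint32_t)p[3];
}

/* captured: bytes really present in the buffer (snapshot length);
 * tlv_len:  value length claimed by the TLV header (sender-controlled). */
enum ft_status ft_session_parse(const uint8_t *val, size_t captured,
                                size_t tlv_len, struct ft_session *out)
{
    if (captured < FT_SESSION_LEN) return FT_TRUNCATED; /* capture too short */
    if (tlv_len < FT_SESSION_LEN) return FT_BAD_TLV;    /* TLV too short for its type */
    out->flags        = be16(val + FT_OFF_FLAGS);
    out->reconnect_ms = be32(val + FT_OFF_RECONNECT);
    out->recovery_ms  = be32(val + FT_OFF_RECOVERY);
    return FT_OK;
}

/* Constructed sample value, not taken from the test pcap. */
static const uint8_t ft_full[12] = { 0x80,0x01, 0,0, 0,0,0x03,0xe8, 0,0,0x07,0xd0 };

int main(void) {
    struct ft_session s = {0};
    printf("8 captured, len 8   -> %d\n", ft_session_parse(ft_full, 8, 8, &s));
    printf("12 captured, len 8  -> %d\n", ft_session_parse(ft_full, 12, 8, &s));
    printf("12 captured, len 12 -> %d\n", ft_session_parse(ft_full, 12, 12, &s));
    printf("flags=0x%04x reconnect=%ums recovery=%ums\n",
           s.flags, (unsigned)s.reconnect_ms, (unsigned)s.recovery_ms);
    return 0;
}
```

A check of only 8 bytes would let the final 32-bit read at offset 8 run past an 8-byte value, which is the class of over-read the advisory describes.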

Exploitation

An attacker does not require authentication or any prior access. The attacker only needs to send a crafted LDP packet to a network segment where tcpdump is passively capturing traffic. When tcpdump processes the packet, the ldp_tlv_print() function reads beyond the bounds of a buffer. No user interaction is needed beyond the target running tcpdump in capture mode [2][3].

Impact

Successful exploitation can cause tcpdump to crash, resulting in a denial of service. In some cases, the over-read may allow arbitrary code execution, depending on the system and memory layout [2][3]. The attacker gains no persistent access but can disrupt network monitoring or potentially execute code with the privileges of the tcpdump process.

Mitigation

The vulnerability is fixed in tcpdump version 4.9.3. Fixed Ubuntu packages are available: Ubuntu 18.04 LTS received tcpdump 4.9.3-0ubuntu0.18.04.1, and updates for Ubuntu 12.04 ESM and 14.04 ESM are provided via USN-4252-2 [2][3]. Users should upgrade tcpdump to version 4.9.3 or later. If upgrading is not possible, avoid capturing traffic from untrusted networks as a workaround.

AI Insight generated on May 25, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.

Affected products

11

Patches

2
d9a693b04326

VERSION set for release

https://github.com/the-tcpdump-group/tcpdump · Michael Richardson · Sep 30, 2019 · via osv
1 file changed · +1 -1
  • VERSION +1 -1 modified
    @@ -1 +1 @@
    -4.9.3rc2
    +4.9.3
    
aa5c6b710dfd

(for 4.9.3) CVE-2018-14461/LDP: Fix a bounds check

https://github.com/the-tcpdump-group/tcpdump · Francois-Xavier Le Bail · Oct 8, 2017 · via osv
4 files changed · +13 -3
  • print-ldp.c +6 -3 modified
    @@ -29,6 +29,8 @@
     #include "l2vpn.h"
     #include "af.h"
     
    +static const char tstr[] = " [|LDP]";
    +
     /*
      * ldp common header
      *
    @@ -486,14 +488,15 @@ ldp_tlv_print(netdissect_options *ndo,
     	break;
     
         case LDP_TLV_FT_SESSION:
    -	TLV_TCHECK(8);
    +	TLV_TCHECK(12);
     	ft_flags = EXTRACT_16BITS(tptr);
     	ND_PRINT((ndo, "\n\t      Flags: [%sReconnect, %sSave State, %sAll-Label Protection, %s Checkpoint, %sRe-Learn State]",
     	       ft_flags&0x8000 ? "" : "No ",
     	       ft_flags&0x8 ? "" : "Don't ",
     	       ft_flags&0x4 ? "" : "No ",
     	       ft_flags&0x2 ? "Sequence Numbered Label" : "All Labels",
     	       ft_flags&0x1 ? "" : "Don't "));
    +	/* 16 bits (FT Flags) + 16 bits (Reserved) */
     	tptr+=4;
     	ui = EXTRACT_32BITS(tptr);
     	if (ui)
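Review bot: in the LDP_TLV_FT_SESSION case the bound goes from 8 to 12, but nothing next to TLV_TCHECK(12) says which fields add up to 12; the new comment only accounts for the 4 bytes skipped by tptr+=4. Spell out the full value layout beside the check (flags, reserved, and each EXTRACT_32BITS field read after the skip), or derive the number from named field sizes, so the check can be audited against the reads and does not drift from them again.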
    @@ -534,7 +537,7 @@ ldp_tlv_print(netdissect_options *ndo,
         return(tlv_len+4); /* Type & Length fields not included */
     
     trunc:
    -    ND_PRINT((ndo, "\n\t\t packet exceeded snapshot"));
    +    ND_PRINT((ndo, "%s", tstr));
         return 0;
     
     badtlv:
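Review bot: at the trunc: label the "packet exceeded snapshot" text is replaced by tstr, which is an output-format change riding along with a bounds-check fix, and the same swap is made at trunc: in ldp_pdu_print. Mention it in the commit message or split it out, since any expected-output file that matched the old string has to change with it.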
    @@ -692,7 +695,7 @@ ldp_pdu_print(netdissect_options *ndo,
         }
         return pdu_len+4;
     trunc:
    -    ND_PRINT((ndo, "\n\t\t packet exceeded snapshot"));
    +    ND_PRINT((ndo, "%s", tstr));
         return 0;
     }
     
    
  • tests/ldp-ldp_tlv_print-oobr.out +6 -0 added
    @@ -0,0 +1,6 @@
    +IP (tos 0x0, id 4608, offset 0, flags [+, DF, rsvd], proto UDP (17), length 25600, options (EOL), bad cksum 8e (->4023)!)
    +    24.250.219.0.4098 > 0.0.0.0.646: 
    +	LDP, Label-Space-ID: 0.0.127.255:796, pdu-length: 514
    +	  Address Withdraw Message (0x0301), length: 22, Message ID: 0x00001600, Flags: [ignore if unknown]
    +	    Unknown TLV (0x0404), length: 0, Flags: [ignore and don't forward if unknown]
    +	    Fault-Tolerant Session Parameters TLV (0x0503), length: 8, Flags: [ignore and don't forward if unknown] [|LDP] [|LDP]
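Review bot: the last expected line ends in " [|LDP] [|LDP]", so the truncation marker is printed twice for a single Fault-Tolerant Session Parameters TLV, presumably once from each trunc: label changed in print-ldp.c. If that is not intended, let the caller return without printing tstr again when ldp_tlv_print has already reported truncation; if it is intended, a short comment in the code would stop it being "fixed" later and breaking this expected output.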
    
  • tests/ldp-ldp_tlv_print-oobr.pcap +0 -0 added
  • tests/TESTLIST +1 -0 modified
    @@ -552,6 +552,7 @@ ospf6_decode_v3_asan	ospf6_decode_v3_asan.pcap	ospf6_decode_v3_asan.out -v
     ip_ts_opts_asan		ip_ts_opts_asan.pcap		ip_ts_opts_asan.out	-v
     isakmpv1-attr-oobr	isakmpv1-attr-oobr.pcap		isakmpv1-attr-oobr.out	-v
     isakmp-ikev1_n_print-oobr isakmp-ikev1_n_print-oobr.pcap isakmp-ikev1_n_print-oobr.out -v -c3
    +ldp-ldp_tlv_print-oobr ldp-ldp_tlv_print-oobr.pcap ldp-ldp_tlv_print-oobr.out -v -c1
     # The .pcap file is truncated after the 1st packet.
     hncp_dhcpv6data-oobr	hncp_dhcpv6data-oobr.pcap	hncp_dhcpv6data-oobr.out -v -c1
     hncp_dhcpv4data-oobr	hncp_dhcpv4data-oobr.pcap	hncp_dhcpv4data-oobr.out -v -c1
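Review bot: the new ldp-ldp_tlv_print-oobr entry runs with -c1 but sits above the "# The .pcap file is truncated after the 1st packet." comment, so it is unclear whether that comment is meant to cover it. If -c1 is there for the same reason, move the entry below the comment or give it its own; if not, note why only the first packet is processed.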
    

Vulnerability mechanics

Generated on May 9, 2026. Inputs: CWE entries + fix-commit diffs from this CVE's patches. Citations validated against bundle.

References

16
