CVE-2018-14464
Description
tcpdump before 4.9.3 has a buffer over-read in the LMP parser (lmp_print_data_link_subobjs) that can lead to denial of service or arbitrary code execution.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
Vulnerability
The LMP (Link Management Protocol) parser in tcpdump versions before 4.9.3 contains a buffer over-read vulnerability in the function lmp_print_data_link_subobjs() located in print-lmp.c. This flaw occurs when parsing crafted LMP packets, allowing an attacker to cause the parser to read beyond the bounds of an allocated buffer. The vulnerability is triggered when tcpdump is used to capture or process network traffic containing malicious LMP data [2][3][4].
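A constructed model of the check the 4.9.3 fix adds, written for this page and not tcpdump's own code: it walks data-link subobjects the way lmp_print_data_link_subobjs does and refuses the 32-bit bandwidth read when the captured data ends before it. The function names, the result struct and the sample bytes are assumptions for illustration; `snapend` stands in for tcpdump's `ndo->ndo_snapend` and `tcheck()` for its `ND_TCHECK_*` macros.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>
/* Constructed model of the subobject walk in tcpdump's print-lmp.c, not tcpdump's code:
 * snapend stands in for ndo->ndo_snapend (end of captured data), tcheck() for ND_TCHECK_*. */
struct dl_subobj_result { int count; uint32_t bw_raw; double bw_mbps; };
static int tcheck(const uint8_t *p, size_t n, const uint8_t *snapend) {
    return p <= snapend && (size_t)(snapend - p) >= n;  /* true only if all n bytes were captured */
}
static uint32_t extract32(const uint8_t *p) {   /* big-endian, like EXTRACT_32BITS */
    return ((uint32_t)p[0] << 24) | ((uint32_t)p[1] << 16) | ((uint32_t)p[2] << 8) | p[3];
}
/* Returns 1 when every field lay inside the capture, -1 when a read would have run
 * past snapend: the case the pre-4.9.3 printer did not check before EXTRACT_32BITS. */
int parse_data_link_subobjs(const uint8_t *obj_tptr, size_t obj_tlen,
                            const uint8_t *snapend, struct dl_subobj_result *r) {
    size_t offset = 0;
    memset(r, 0, sizeof *r);
    while (offset + 2 <= obj_tlen) {
        const uint8_t *sub = obj_tptr + offset;
        if (!tcheck(sub, 2, snapend)) return -1;            /* type and length bytes */
        uint8_t subobj_type = sub[0], subobj_len = sub[1];
        if (subobj_len < 2 || offset + subobj_len > obj_tlen) return -1;  /* bad length */
        if (subobj_type == 1) {                             /* Interface Switching Type */
            if (!tcheck(sub + 2, 2, snapend)) return -1;    /* switching and encoding type */
            /* The missing check: the 32-bit bandwidth at +4 must also be captured,
             * otherwise a packet cut short by the snapshot length is read past its end. */
            if (!tcheck(sub + 4, 4, snapend)) return -1;
            union { uint32_t i; float f; } bw = { extract32(sub + 4) };  /* bw.i -> bw.f */
            r->bw_raw = bw.i;
            r->bw_mbps = (double)bw.f * 8 / 1000000.0;      /* Min Reservable Bandwidth, Mbps */
        }
        offset += subobj_len;
        r->count++;
    }
    return 1;
}
/* Constructed sample: one length-8 switching-type subobject whose bandwidth bits
 * 0x4B3EBC20 are 12,500,000 bytes/s, i.e. 100 Mbps. */
static const uint8_t sample[8] = {0x01, 0x08, 0x00, 0x00, 0x4B, 0x3E, 0xBC, 0x20};
static struct dl_subobj_result last;                        /* filled by the demo calls */
int demo_full(void)      { return parse_data_link_subobjs(sample, 8, sample + 8, &last); }
int demo_truncated(void) { return parse_data_link_subobjs(sample, 8, sample + 6, &last); }
int main(void) {
    int full = demo_full();
    printf("full: %d, %.1f Mbps\n", full, last.bw_mbps);     /* full: 1, 100.0 Mbps */
    printf("truncated: %d\n", demo_truncated());            /* capture ends 6 bytes in: -1 */
    return 0;
}
```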
Exploitation
An attacker can exploit this vulnerability by sending a specially crafted LMP packet over the network. No authentication or special user interaction is required other than having the target run tcpdump to capture the malicious traffic. The attacker does not need to be on the same network segment if they can inject packets into a path that tcpdump monitors, though successful exploitation depends on tcpdump processing the crafted packet. The crash or potential code execution occurs during the parsing of the malformed LMP data [2][3].
Impact
Successful exploitation of the buffer over-read can result in a denial of service (tcpdump crash) or, as indicated by advisories, possibly arbitrary code execution. The impact is limited to the privileges under which tcpdump is running, which is often root but may be reduced in certain deployment configurations [2][3].
Mitigation
The vulnerability is fixed in tcpdump version 4.9.3. Users should upgrade to this version or later. Ubuntu has released updated packages for supported releases (e.g., 4.9.3-0ubuntu0.18.04.1 for Ubuntu 18.04 LTS) [2][3][4]. Apple included the fix in macOS Catalina 10.15.2, Security Update 2019-002 for Mojave, and Security Update 2019-007 for High Sierra, though the Apple advisory does not explicitly list this CVE [1]. No workarounds are provided; upgrading is the recommended course of action.
- [1] About the security content of macOS Catalina 10.15.2, Security Update 2019-002 Mojave, Security Update 2019-007 High Sierra - Apple Support
- [2] USN-4252-2: tcpdump vulnerabilities | Ubuntu security notices | Ubuntu
- [3] USN-4252-1: tcpdump vulnerabilities | Ubuntu security notices | Ubuntu
- [4] tcpdump/CHANGES at tcpdump-4.9 · the-tcpdump-group/tcpdump
AI Insight generated on May 26, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
Affected products
- tcpdump/tcpdump (from the description)
- OSV coordinates, 9 versions (no CPE):
  - pkg:rpm/opensuse/tcpdump, openSUSE Leap 15.0: < 4.9.2-lp150.10.1
  - pkg:rpm/opensuse/tcpdump, openSUSE Leap 15.1: < 4.9.2-lp151.4.6.1
  - pkg:rpm/opensuse/tcpdump, openSUSE Tumbleweed: < 4.99.1-1.2
  - pkg:rpm/suse/tcpdump, SUSE Linux Enterprise Module for Basesystem 15: < 4.9.2-3.9.1
  - pkg:rpm/suse/tcpdump, SUSE Linux Enterprise Module for Basesystem 15 SP1: < 4.9.2-3.9.1
  - pkg:rpm/suse/tcpdump, SUSE Linux Enterprise Point of Sale 11 SP3: < 3.9.8-1.30.13.1
  - pkg:rpm/suse/tcpdump, SUSE Linux Enterprise Server 11 SP4-LTSS: < 3.9.8-1.30.13.1
  - pkg:rpm/suse/tcpdump, SUSE Linux Enterprise Server 12 SP5: < 4.9.2-14.17.1
  - pkg:rpm/suse/tcpdump, SUSE Linux Enterprise Server for SAP Applications 12 SP5: < 4.9.2-14.17.1
Patches
2d9a693b04326 VERSION set for release
1 file changed · +1 −1
VERSION+1 −1 modified@@ -1 +1 @@ -4.9.3rc2 +4.9.3
d97e94223720 (for 4.9.3) CVE-2018-14464/LMP: Add a missing bounds check
4 files changed · +39 −4
print-lmp.c+16 −4 modified@@ -399,6 +399,7 @@ lmp_print_data_link_subobjs(netdissect_options *ndo, const u_char *obj_tptr, "Unknown", EXTRACT_8BITS(obj_tptr + offset + 3)), EXTRACT_8BITS(obj_tptr + offset + 3))); + ND_TCHECK_32BITS(obj_tptr + offset + 4); bw.i = EXTRACT_32BITS(obj_tptr+offset+4); ND_PRINT((ndo, "\n\t Min Reservable Bandwidth: %.3f Mbps", bw.f*8/1000000)); @@ -419,6 +420,8 @@ lmp_print_data_link_subobjs(netdissect_options *ndo, const u_char *obj_tptr, offset+=subobj_len; } return (hexdump); +trunc: + return -1; } void @@ -429,7 +432,7 @@ lmp_print(netdissect_options *ndo, const struct lmp_object_header *lmp_obj_header; const u_char *tptr,*obj_tptr; u_int tlen,lmp_obj_len,lmp_obj_ctype,obj_tlen; - int hexdump; + int hexdump, ret; u_int offset; u_int link_type; @@ -731,7 +734,10 @@ lmp_print(netdissect_options *ndo, ipaddr_string(ndo, obj_tptr+8), EXTRACT_32BITS(obj_tptr+8))); - if (lmp_print_data_link_subobjs(ndo, obj_tptr, obj_tlen - 12, 12)) + ret = lmp_print_data_link_subobjs(ndo, obj_tptr, obj_tlen - 12, 12); + if (ret == -1) + goto trunc; + if (ret == TRUE) hexdump=TRUE; break; @@ -751,7 +757,10 @@ lmp_print(netdissect_options *ndo, ip6addr_string(ndo, obj_tptr+20), EXTRACT_32BITS(obj_tptr+20))); - if (lmp_print_data_link_subobjs(ndo, obj_tptr, obj_tlen - 36, 36)) + ret = lmp_print_data_link_subobjs(ndo, obj_tptr, obj_tlen - 36, 36); + if (ret == -1) + goto trunc; + if (ret == TRUE) hexdump=TRUE; break; @@ -771,7 +780,10 @@ lmp_print(netdissect_options *ndo, EXTRACT_32BITS(obj_tptr+8), EXTRACT_32BITS(obj_tptr+8))); - if (lmp_print_data_link_subobjs(ndo, obj_tptr, obj_tlen - 12, 12)) + ret = lmp_print_data_link_subobjs(ndo, obj_tptr, obj_tlen - 12, 12); + if (ret == -1) + goto trunc; + if (ret == TRUE) hexdump=TRUE; break;
tests/lmp-lmp_print_data_link_subobjs-oobr.out+22 −0 added@@ -0,0 +1,22 @@ +IP (tos 0xfd,ECT(1), ttl 254, id 45839, offset 0, flags [+, DF, rsvd], proto UDP (17), length 56871, bad cksum fe07 (->ddf0)!) + 17.8.8.255.701 > 40.184.42.8.12: + LMPv1, msg-type: unknown, type: 249, Flags: [none], length: 212 + Data Link Object (12), Class-Type: Unnumbered (3) Flags: [non-negotiable], length: 20 + Flags: [none] + Local Interface ID: 2435832538 (0x912fdada) + Remote Interface ID: 3657433088 (0xda000000) + Subobject, Type: Interface Switching Type (1), Length: 4 + Switching Type: Unknown (0) + Encoding Type: Unknown (0) + packet exceeded snapshot +IP (tos 0xfd,ECT(1), ttl 254, id 45839, offset 0, flags [+, DF, rsvd], proto UDP (17), length 56871, bad cksum fe07 (->ddf0)!) + 17.8.8.255.701 > 40.184.42.8.12: + LMPv1, msg-type: unknown, type: 249, Flags: [none], length: 212 + Data Link Object (12), Class-Type: Unnumbered (3) Flags: [non-negotiable], length: 20 + Flags: [none] + Local Interface ID: 2435832538 (0x912fdada) + Remote Interface ID: 3657433088 (0xda000000) + Subobject, Type: Interface Switching Type (1), Length: 4 + Switching Type: Unknown (0) + Encoding Type: Unknown (0) + packet exceeded snapshot
tests/lmp-lmp_print_data_link_subobjs-oobr.pcap+0 −0 addedtests/TESTLIST+1 −0 modified@@ -560,6 +560,7 @@ vrrp-vrrp_print-oobr vrrp-vrrp_print-oobr.pcap vrrp-vrrp_print-oobr.out -v -c3 vrrp-vrrp_print-oobr-2 vrrp-vrrp_print-oobr-2.pcap vrrp-vrrp_print-oobr-2.out -v bgp-bgp_capabilities_print-oobr-1 bgp-bgp_capabilities_print-oobr-1.pcap bgp-bgp_capabilities_print-oobr-1.out -v -c1 bgp-bgp_capabilities_print-oobr-2 bgp-bgp_capabilities_print-oobr-2.pcap bgp-bgp_capabilities_print-oobr-2.out -v -c1 +lmp-lmp_print_data_link_subobjs-oobr lmp-lmp_print_data_link_subobjs-oobr.pcap lmp-lmp_print_data_link_subobjs-oobr.out -v -c2 # The .pcap file is truncated after the 1st packet. hncp_dhcpv6data-oobr hncp_dhcpv6data-oobr.pcap hncp_dhcpv6data-oobr.out -v -c1 hncp_dhcpv4data-oobr hncp_dhcpv4data-oobr.pcap hncp_dhcpv4data-oobr.out -v -c1
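Review bot: in the first print-lmp.c hunk the added `ND_TCHECK_32BITS(obj_tptr + offset + 4)` guards only the bandwidth read, while the two `EXTRACT_8BITS(obj_tptr + offset + 3)` reads visible just above it are not covered by it; confirm those sit behind an earlier check, or widen this one to cover the whole subobject (`obj_tptr + offset` for `subobj_len` bytes) so a single check protects every field the loop body reads.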
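Review bot: the new `trunc:` label makes `lmp_print_data_link_subobjs` return -1 from a function whose other return value is `hexdump`, and the callers now test `ret == TRUE` where the old code tested the bare truth value; that is only equivalent if `hexdump` is ever only TRUE or FALSE, so state the three-valued contract (TRUE, FALSE, -1 on truncation) in a comment above the function rather than leaving it implicit.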
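Review bot: the three caller hunks repeat the same `ret = ...; if (ret == -1) goto trunc; if (ret == TRUE) hexdump=TRUE;` sequence with only the offset (12, 36, 12) changing, which invites drift the next time one branch is touched; since `obj_tlen` is declared `u_int` in the declarations hunk, also confirm each branch has already checked `obj_tlen >= 12` (or `>= 36`) before `obj_tlen - 12` / `obj_tlen - 36` is computed, as the subtraction otherwise wraps to a very large length.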
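Review bot: the TESTLIST entry runs with `-c2` over a capture the inline comment says is truncated after the first packet, and the expected .out prints the same packet twice, each ending in `packet exceeded snapshot`; a short note next to the entry saying that two identical outputs are intended would keep a later reader from reading the duplicate as a regression.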
Vulnerability mechanics
Generated on May 9, 2026. Inputs: CWE entries + fix-commit diffs from this CVE's patches. Citations validated against bundle.
References
- lists.opensuse.org/opensuse-security-announce/2019-10/msg00050.html (mitre: vendor-advisory, x_refsource_SUSE)
- lists.opensuse.org/opensuse-security-announce/2019-10/msg00053.html (mitre: vendor-advisory, x_refsource_SUSE)
- lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/62XY42U6HY3H2APR5EHNWCZ7SAQNMMJN/ (mitre: vendor-advisory, x_refsource_FEDORA)
- lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/FNYXF3IY2X65IOD422SA6EQUULSGW7FN/ (mitre: vendor-advisory, x_refsource_FEDORA)
- lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/R2UDPOSGVJQIYC33SQBXMDXHH4QDSDMU/ (mitre: vendor-advisory, x_refsource_FEDORA)
- usn.ubuntu.com/4252-1/ (mitre: vendor-advisory, x_refsource_UBUNTU)
- usn.ubuntu.com/4252-2/ (mitre: vendor-advisory, x_refsource_UBUNTU)
- www.debian.org/security/2019/dsa-4547 (mitre: vendor-advisory, x_refsource_DEBIAN)
- seclists.org/fulldisclosure/2019/Dec/26 (mitre: mailing-list, x_refsource_FULLDISC)
- github.com/the-tcpdump-group/tcpdump/blob/tcpdump-4.9/CHANGES (mitre: x_refsource_MISC)
- github.com/the-tcpdump-group/tcpdump/commit/d97e94223720684c6aa740ff219e0d19426c2220 (mitre: x_refsource_CONFIRM)
- lists.debian.org/debian-lts-announce/2019/10/msg00015.html (mitre: mailing-list, x_refsource_MLIST)
- seclists.org/bugtraq/2019/Dec/23 (mitre: mailing-list, x_refsource_BUGTRAQ)
- seclists.org/bugtraq/2019/Oct/28 (mitre: mailing-list, x_refsource_BUGTRAQ)
- security.netapp.com/advisory/ntap-20200120-0001/ (mitre: x_refsource_CONFIRM)
- support.apple.com/kb/HT210788 (mitre: x_refsource_CONFIRM)