CVE-2018-14466
Description
Buffer over-read in tcpdump's Rx parser before 4.9.3 may lead to denial of service or code execution.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
Vulnerability
The Rx parser in tcpdump before version 4.9.3 contains a buffer over-read vulnerability in the functions rx_cache_find() and rx_cache_insert() in print-rx.c. This can be triggered when processing crafted network packets [4].
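Added example, not tcpdump's code and not part of the original record: the fix commit listed under Patches replaces a 32-bit extraction of the header's serviceId with a 16-bit one. The C code below assumes a 28-byte header with that 16-bit field at offset 26 (an assumed layout) and uses the hypothetical helpers overread_bytes() and checked_be_read() to show why the wider read leaves the captured data and how a bounds-checked read rejects it.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

/* Assumed layout for illustration: a 28-byte header whose final field is a
 * 16-bit service id at offset 26. Not copied from tcpdump's headers. */
#define HDR_LEN        28u
#define SERVICEID_OFF  26u

/* Bytes a read of `width` at `off` would take from beyond `caplen`. */
static size_t overread_bytes(size_t caplen, size_t off, size_t width)
{
    if (off >= caplen)
        return width;
    return (width > caplen - off) ? width - (caplen - off) : 0;
}

/* Big-endian read of 1..4 bytes that refuses to leave the captured data.
 * Returns 0 and stores the value, or -1 if the read would be out of bounds. */
static int checked_be_read(const uint8_t *buf, size_t caplen,
                           size_t off, size_t width, uint32_t *out)
{
    uint32_t v = 0;
    if (width == 0 || width > 4 || overread_bytes(caplen, off, width) != 0)
        return -1;
    for (size_t i = 0; i < width; i++)
        v = (v << 8) | buf[off + i];
    *out = v;
    return 0;
}

/* Constructed sample: a capture that ends exactly at the end of the header,
 * with service id bytes 0x00 0x34 (value 52). */
static const uint8_t sample[HDR_LEN] = { [26] = 0x00, [27] = 0x34 };

int main(void)
{
    uint32_t id = 0;
    int r16 = checked_be_read(sample, sizeof sample, SERVICEID_OFF, 2, &id);
    printf("16-bit read: rc=%d id=%u\n", r16, (unsigned)id);
    int r32 = checked_be_read(sample, sizeof sample, SERVICEID_OFF, 4, &id);
    printf("32-bit read: rc=%d (would over-read %zu bytes)\n", r32,
           overread_bytes(sizeof sample, SERVICEID_OFF, 4));
    return 0;
}
```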
Exploitation
An attacker can send a specially crafted packet to a target system running a vulnerable tcpdump version. No authentication is required; the attacker only needs network access to trigger the vulnerability when tcpdump captures or processes the malicious packet. The over-read occurs in the Rx cache handling code.
Impact
Successful exploitation may lead to a denial of service (crash) or potentially arbitrary code execution, depending on the environment. The attacker may cause tcpdump to read beyond the bounds of allocated memory.
Mitigation
The vulnerability is fixed in tcpdump version 4.9.3 [4]. Ubuntu has released updated packages for 12.04 ESM, 14.04 ESM, 18.04 LTS, and others [2][3]. Users should upgrade to the latest version.
AI Insight generated on May 26, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
Affected products (11)
- tcpdump/tcpdump (description)
- osv-coords, 9 versions:
  pkg:rpm/opensuse/tcpdump&distro=openSUSE%20Leap%2015.0
  pkg:rpm/opensuse/tcpdump&distro=openSUSE%20Leap%2015.1
  pkg:rpm/opensuse/tcpdump&distro=openSUSE%20Tumbleweed
  pkg:rpm/suse/tcpdump&distro=SUSE%20Linux%20Enterprise%20Module%20for%20Basesystem%2015
  pkg:rpm/suse/tcpdump&distro=SUSE%20Linux%20Enterprise%20Module%20for%20Basesystem%2015%20SP1
  pkg:rpm/suse/tcpdump&distro=SUSE%20Linux%20Enterprise%20Point%20of%20Sale%2011%20SP3
  pkg:rpm/suse/tcpdump&distro=SUSE%20Linux%20Enterprise%20Server%2011%20SP4-LTSS
  pkg:rpm/suse/tcpdump&distro=SUSE%20Linux%20Enterprise%20Server%2012%20SP5
  pkg:rpm/suse/tcpdump&distro=SUSE%20Linux%20Enterprise%20Server%20for%20SAP%20Applications%2012%20SP5
  Versions: < 4.9.2-lp150.10.1 (+ 8 more)
- (no CPE) range: < 4.9.2-lp150.10.1
- (no CPE) range: < 4.9.2-lp151.4.6.1
- (no CPE) range: < 4.99.1-1.2
- (no CPE) range: < 4.9.2-3.9.1
- (no CPE) range: < 4.9.2-3.9.1
- (no CPE) range: < 3.9.8-1.30.13.1
- (no CPE) range: < 3.9.8-1.30.13.1
- (no CPE) range: < 4.9.2-14.17.1
- (no CPE) range: < 4.9.2-14.17.1
Patches
2d9a693b04326VERSION set for release
1 file changed · +1 −1
VERSION+1 −1 modified@@ -1 +1 @@ -4.9.3rc2 +4.9.3
c24922e692a5(for 4.9.3) CVE-2018-14466/Rx: fix an over-read bug
4 files changed · +6 −2
print-rx.c+2 −2 modified@@ -694,7 +694,7 @@ rx_cache_insert(netdissect_options *ndo, UNALIGNED_MEMCPY(&rxent->client, &ip->ip_src, sizeof(uint32_t)); UNALIGNED_MEMCPY(&rxent->server, &ip->ip_dst, sizeof(uint32_t)); rxent->dport = dport; - rxent->serviceId = EXTRACT_32BITS(&rxh->serviceId); + rxent->serviceId = EXTRACT_16BITS(&rxh->serviceId); rxent->opcode = EXTRACT_32BITS(bp + sizeof(struct rx_header)); } @@ -725,7 +725,7 @@ rx_cache_find(const struct rx_header *rxh, const struct ip *ip, int sport, if (rxent->callnum == EXTRACT_32BITS(&rxh->callNumber) && rxent->client.s_addr == clip && rxent->server.s_addr == sip && - rxent->serviceId == EXTRACT_32BITS(&rxh->serviceId) && + rxent->serviceId == EXTRACT_16BITS(&rxh->serviceId) && rxent->dport == sport) { /* We got a match! */
tests/rx_serviceid_oobr.out+3 −0 added@@ -0,0 +1,3 @@ +IP 250.15.128.19.68 > 249.251.157.8.63246: BOOTP/DHCP, unknown (0x00), length 8085 +[|ether] +IP 0.0.0.0.0 > 0.0.0.0.7004: rx abort (539)
tests/rx_serviceid_oobr.pcap+0 −0 addedtests/TESTLIST+1 −0 modified@@ -573,6 +573,7 @@ ikev1_id_ipv6_addr_subnet-oobr ikev1_id_ipv6_addr_subnet-oobr.pcap ikev1_id_ipv6 isakmp-various-oobr isakmp-various-oobr.pcap isakmp-various-oobr.out -v aoe-oobr-1 aoe-oobr-1.pcap aoe-oobr-1.out -v -c1 frf16_magic_ie-oobr frf16_magic_ie-oobr.pcap frf16_magic_ie-oobr.out -v -c1 +rx_serviceid_oobr rx_serviceid_oobr.pcap rx_serviceid_oobr.out -c3 # bad packets from Katie Holly mlppp-oobr mlppp-oobr.pcap mlppp-oobr.out
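Review bot: in the rx_cache_insert hunk of print-rx.c, the unchanged line directly after the fix, `rxent->opcode = EXTRACT_32BITS(bp + sizeof(struct rx_header));`, reads four bytes past the end of the header, and no length check is visible in this context. Confirm that the function verifies at least sizeof(struct rx_header) + 4 captured bytes before reaching this line, or add that check, so the opcode read cannot run past the capture the way the 32-bit serviceId read did.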
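Review bot: in the rx_cache_find hunk of print-rx.c, the comparison `rxent->serviceId == EXTRACT_16BITS(&rxh->serviceId)` only matches when the stored value was extracted at the same width, and the declared type of the cache field is not shown in the diff. If rxent->serviceId is declared wider than 16 bits, narrow it to match the header field, and add a one-line comment on the field stating its width so a 32-bit extraction is not reintroduced in either function.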
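Review bot: the new tests/TESTLIST entry runs rx_serviceid_oobr with -c3, and in tests/rx_serviceid_oobr.out only the third line (`rx abort (539)`) is Rx output; the first two lines are BOOTP/DHCP and `[|ether]`. The regression test will therefore also fail on unrelated changes to those printers. If the capture can be trimmed to the Rx packet alone, a single-packet test with -c1 would be narrower; otherwise a short comment in TESTLIST saying which packet exercises the serviceId read would help.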
Vulnerability mechanics
Generated on May 9, 2026. Inputs: CWE entries + fix-commit diffs from this CVE's patches. Citations validated against bundle.
References (16)
- lists.opensuse.org/opensuse-security-announce/2019-10/msg00050.html (mitre, vendor-advisory, x_refsource_SUSE)
- lists.opensuse.org/opensuse-security-announce/2019-10/msg00053.html (mitre, vendor-advisory, x_refsource_SUSE)
- lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/62XY42U6HY3H2APR5EHNWCZ7SAQNMMJN/ (mitre, vendor-advisory, x_refsource_FEDORA)
- lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/FNYXF3IY2X65IOD422SA6EQUULSGW7FN/ (mitre, vendor-advisory, x_refsource_FEDORA)
- lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/R2UDPOSGVJQIYC33SQBXMDXHH4QDSDMU/ (mitre, vendor-advisory, x_refsource_FEDORA)
- usn.ubuntu.com/4252-1/ (mitre, vendor-advisory, x_refsource_UBUNTU)
- usn.ubuntu.com/4252-2/ (mitre, vendor-advisory, x_refsource_UBUNTU)
- www.debian.org/security/2019/dsa-4547 (mitre, vendor-advisory, x_refsource_DEBIAN)
- seclists.org/fulldisclosure/2019/Dec/26 (mitre, mailing-list, x_refsource_FULLDISC)
- github.com/the-tcpdump-group/tcpdump/blob/tcpdump-4.9/CHANGES (mitre, x_refsource_MISC)
- github.com/the-tcpdump-group/tcpdump/commit/c24922e692a52121e853a84ead6b9337f4c08a94 (mitre, x_refsource_CONFIRM)
- lists.debian.org/debian-lts-announce/2019/10/msg00015.html (mitre, mailing-list, x_refsource_MLIST)
- seclists.org/bugtraq/2019/Dec/23 (mitre, mailing-list, x_refsource_BUGTRAQ)
- seclists.org/bugtraq/2019/Oct/28 (mitre, mailing-list, x_refsource_BUGTRAQ)
- security.netapp.com/advisory/ntap-20200120-0001/ (mitre, x_refsource_CONFIRM)
- support.apple.com/kb/HT210788 (mitre, x_refsource_CONFIRM)