VYPR
Unrated severity · NVD Advisory · Published Oct 3, 2019 · Updated Dec 3, 2025

CVE-2018-14467

Description

A buffer over-read in tcpdump's BGP parser (pre-4.9.3) allows remote attackers to cause denial of service or leak memory.

AI Insight

LLM-synthesized narrative grounded in this CVE's description and references.

Vulnerability

The BGP parser in tcpdump before version 4.9.3 contains a buffer over-read in the function bgp_capabilities_print() within print-bgp.c when handling the BGP_CAPCODE_MP capability. An attacker can craft a malicious BGP packet that triggers reading beyond the allocated buffer boundaries. This issue was fixed in the upstream release 4.9.3 [2][3].
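
The bounds-check pattern behind this bug, as an added C example that is not tcpdump's code: it contrasts a check that trusts the declared capability length with one that verifies the four bytes (AFI, Reserved, SAFI) actually decoded. All function, type and constant names are hypothetical, the sample bytes are constructed, and the declared-length check is an assumption that goes beyond the upstream patch.

```c
#include <stddef.h>
#include <stdint.h>

#define CAPCODE_MP   1  /* Multiprotocol Extensions capability code */
#define MP_VALUE_LEN 4  /* AFI (16 bits), Reserved (8 bits), SAFI (8 bits) */
enum { CAP_OK = 0, CAP_TRUNCATED = -1, CAP_BAD_LENGTH = -2, CAP_NOT_MP = -3 };
struct mp_cap { uint16_t afi; uint8_t safi; };

/* 1 if n bytes starting at buf[off] lie inside the captured data (overflow-safe). */
static int captured(size_t caplen, size_t off, size_t n)
{
    return off <= caplen && n <= caplen - off;
}

/* Pre-fix style check: only the declared cap_len bytes are verified, so a
 * declared length of 0 passes even when no value byte was captured. */
int prefix_check_passes(const uint8_t *buf, size_t caplen, size_t off)
{
    return captured(caplen, off, 2) && captured(caplen, off + 2, buf[off + 1]);
}

/* Checked decode of the capability TLV (type, length, value) at buf[off]. */
int parse_mp_cap(const uint8_t *buf, size_t caplen, size_t off, struct mp_cap *out)
{
    if (!captured(caplen, off, 2))
        return CAP_TRUNCATED;
    if (buf[off] != CAPCODE_MP)
        return CAP_NOT_MP;
    /* Equivalent of the fix: all four value bytes must have been captured. */
    if (!captured(caplen, off + 2, MP_VALUE_LEN))
        return CAP_TRUNCATED;
    /* Extra hardening assumed here, not in the patch: declared length must be 4. */
    if (buf[off + 1] != MP_VALUE_LEN)
        return CAP_BAD_LENGTH;
    out->afi  = (uint16_t)((buf[off + 2] << 8) | buf[off + 3]);
    out->safi = buf[off + 5];
    return CAP_OK;
}

/* Constructed sample inputs (not taken from the commit's pcap). */
const uint8_t cap_good[]  = { 0x01, 0x04, 0x00, 0x01, 0x00, 0x01 }; /* IPv4 unicast */
const uint8_t cap_short[] = { 0x01, 0x00 };  /* MP, length 0, nothing captured after */
const uint8_t cap_len0[]  = { 0x01, 0x00, 0x02, 0x07, 0x04, 0x00 }; /* length 0, data follows */

int main(void)
{
    struct mp_cap c;
    return !(parse_mp_cap(cap_short, sizeof cap_short, 0, &c) == CAP_TRUNCATED &&
             parse_mp_cap(cap_good, sizeof cap_good, 0, &c) == CAP_OK);
}
```
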

Exploitation

An attacker must be able to send a specially crafted BGP packet to a target system running a vulnerable version of tcpdump. No authentication or special privileges are required; simply having tcpdump capture or process the malicious packet triggers the over-read. The attacker does not need to be on the same network segment if they can inject packets into the traffic flow that the target is monitoring [3].

Impact

A successful exploit can cause tcpdump to crash, leading to a denial of service, or potentially allow arbitrary code execution. According to the Ubuntu security advisory, a remote attacker could cause a crash or possibly execute arbitrary code [2][3]. The over-read may also leak sensitive memory contents in some scenarios.

Mitigation

The vulnerability is fixed in tcpdump version 4.9.3 and later. Ubuntu released updates in USN-4252-1 (for 16.04 LTS, 18.04 LTS, etc.) and USN-4252-2 (for 12.04 ESM, 14.04 ESM) [2][3]. Apple also addressed this CVE in macOS Catalina 10.15.2, Security Update 2019-002 Mojave, and Security Update 2019-007 High Sierra [1][4]. Users should update their tcpdump package or operating system to the latest patched version.

AI Insight generated on May 25, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.

Patches

d9a693b04326

VERSION set for release

https://github.com/the-tcpdump-group/tcpdump · Michael Richardson · Sep 30, 2019 · via osv
1 file changed · +1 -1
  • VERSION +1 -1 modified
    @@ -1 +1 @@
    -4.9.3rc2
    +4.9.3
    
e3f3b445e2d2

(for 4.9.3) CVE-2018-14467/BGP: Fix BGP_CAPCODE_MP.

https://github.com/the-tcpdump-group/tcpdump · Francois-Xavier Le Bail · Oct 8, 2017 · via osv
4 files changed · +29 -0
  • print-bgp.c +2 -0 modified
    @@ -2342,6 +2342,8 @@ bgp_capabilities_print(netdissect_options *ndo,
                     ND_TCHECK2(opt[i+2], cap_len);
                     switch (cap_type) {
                     case BGP_CAPCODE_MP:
    +                    /* AFI (16 bits), Reserved (8 bits), SAFI (8 bits) */
    +                    ND_TCHECK_8BITS(opt + i + 5);
                         ND_PRINT((ndo, "\n\t\tAFI %s (%u), SAFI %s (%u)",
                                tok2str(af_values, "Unknown",
                                           EXTRACT_16BITS(opt+i+2)),
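
Review bot: in the BGP_CAPCODE_MP case, the new ND_TCHECK_8BITS(opt + i + 5) confirms that the fourth value byte was captured, but in the visible lines nothing compares cap_len with the 4 bytes (AFI, Reserved, SAFI) that the case then decodes. The preceding ND_TCHECK2(opt[i+2], cap_len) covers only the declared length, so a capability that declares fewer than 4 bytes while more data follows would still have AFI and SAFI extracted from bytes that belong to whatever comes next. Consider flagging cap_len != 4 before the ND_PRINT, and extending the comment to say that the check is deliberately placed on the last byte of the 4-byte value, since readers may expect a ranged ND_TCHECK2(opt[i+2], 4) here.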
    
  • tests/bgp-bgp_capabilities_print-oobr-2.out +26 -0 added
    @@ -0,0 +1,26 @@
    +IP (tos 0x1f,CE, ttl 254, id 38671, offset 0, flags [+, DF, rsvd], proto TCP (6), length 4135, bad cksum 200 (->1fdd)!)
    +    226.219.0.0.179 > 16.233.34.0.100: Flags [SPUE], seq 347537408:347541483, win 511, urg 65535, options [eol], length 4075: BGP [|BGP]
    +	Open Message (1), length: 59
    +	  Version 255, my AS 65528, Holdtime 4324s, ID 144.8.32.4
    +	  Optional parameters, length: 29
    +	    Option Unknown (0), length: 0
    +	      no decoder for option 0
    +	    Option Capabilities Advertisement (2), length: 8
    +	      Graceful Restart (64), length: 0
    +		Restart Flags: [none], Restart Time 0s
    +	      Unknown (0), length: 0
    +		no decoder for Capability 0
    +	      32-Bit AS Number (65), length: 4
    +		 4 Byte AS 2
    +	    Option Unknown (0), length: 2
    +	      no decoder for option 0
    +	    Option Capabilities Advertisement (2), length: 2
    +	      Unknown (232), length: 3
    +		no decoder for Capability 232
    +		0x0000:  0207 04
    +	    Option Capabilities Advertisement (2), length: 7
    +	      Multiple Routes to a Destination (4), length: 0
    +		no decoder for Capability 4
    +	      Unknown (8), length: 0
    +		no decoder for Capability 8
    +	      Multiprotocol Extensions (1), length: 0[|BGP]
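
Review bot: the expected output at "Option Capabilities Advertisement (2), length: 2" freezes an inconsistent length as golden behaviour. The enclosed capability 232 declares length 3, more than the 2-byte option can hold, and its hex dump 0207 04 matches the start of the next printed option (type 2, length 7, then capability 4), so the same bytes appear to be decoded twice. That suggests the capability walk is not bounded by the enclosing option length; it is worth a follow-up check with its own test rather than leaving it implicit in this .out file. The final line, "Multiprotocol Extensions (1), length: 0[|BGP]", does confirm that the regression packet reaches the new truncation check.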
    
  • tests/bgp-bgp_capabilities_print-oobr-2.pcap +0 -0 added
  • tests/TESTLIST +1 -0 modified
    @@ -558,6 +558,7 @@ icmp-icmp_print-oobr-2 icmp-icmp_print-oobr-2.pcap icmp-icmp_print-oobr-2.out -v
     rsvp-rsvp_obj_print-oobr rsvp-rsvp_obj_print-oobr.pcap rsvp-rsvp_obj_print-oobr.out -v -c3
     vrrp-vrrp_print-oobr vrrp-vrrp_print-oobr.pcap vrrp-vrrp_print-oobr.out -v -c3
     bgp-bgp_capabilities_print-oobr-1 bgp-bgp_capabilities_print-oobr-1.pcap bgp-bgp_capabilities_print-oobr-1.out -v -c1
    +bgp-bgp_capabilities_print-oobr-2 bgp-bgp_capabilities_print-oobr-2.pcap bgp-bgp_capabilities_print-oobr-2.out -v -c1
     # The .pcap file is truncated after the 1st packet.
     hncp_dhcpv6data-oobr	hncp_dhcpv6data-oobr.pcap	hncp_dhcpv6data-oobr.out -v -c1
     hncp_dhcpv4data-oobr	hncp_dhcpv4data-oobr.pcap	hncp_dhcpv4data-oobr.out -v -c1
    
