Unrated severity · NVD Advisory · Published Oct 3, 2019 · Updated Aug 5, 2024

CVE-2018-14880

Description

A buffer over-read in tcpdump's OSPFv3 parser (print-ospf6.c:ospf6_print_lshdr()) allows remote attackers to crash tcpdump or potentially execute arbitrary code.

AI Insight

LLM-synthesized narrative grounded in this CVE's description and references.

Vulnerability

The OSPFv3 parser in tcpdump before 4.9.3 has a buffer over-read in print-ospf6.c:ospf6_print_lshdr(). This occurs when parsing OSPFv3 Link State Advertisements (LSAs) with crafted payloads, leading to reading beyond the allocated buffer. The vulnerability is present in the OSPFv3 Hello and Database Description packet handling code paths. Affected versions include tcpdump 4.9.2 and earlier.
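A minimal model of the bounds check at issue, added here as an illustration and not tcpdump's own code: it compares a check that stops at `ls_seq` with one that reaches `ls_length`, the last field of the 20-byte LSA header. The function names `field_captured`, `lshdr_ok_before`, `lshdr_ok_after` and `bytes_past_capture` are hypothetical, and the declared and captured lengths are constructed values.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

/* OSPFv3 LSA header (RFC 5340, 20 bytes); field names as in the fix commit. */
struct lsa6_hdr {
    uint16_t ls_age, ls_type;
    uint32_t ls_stateid, ls_router, ls_seq;
    uint16_t ls_chksum, ls_length;
};
#define HDRLEN sizeof(struct lsa6_hdr)
#define OFF(f) offsetof(struct lsa6_hdr, f)
#define END(f) (OFF(f) + sizeof(((struct lsa6_hdr *)0)->f))

/* Stand-in (assumption) for a per-field ND_TCHECK: does the field end within
 * the caplen bytes actually captured, counted from the header start? */
static int field_captured(size_t field_end, size_t caplen)
{
    return field_end <= caplen;
}

/* declared: bytes the packet claims remain (the dataend comparison).
 * caplen:   bytes really present in the capture buffer. */
int lshdr_ok_before(size_t declared, size_t caplen)
{
    if (HDRLEN > declared) return 0;
    return field_captured(END(ls_type), caplen) &&
           field_captured(END(ls_seq), caplen);    /* stops at offset 16 */
}

int lshdr_ok_after(size_t declared, size_t caplen)
{
    if (HDRLEN > declared) return 0;
    return field_captured(END(ls_length), caplen); /* offset 20: whole header */
}

/* Header bytes lying beyond the capture if printing goes ahead anyway. */
size_t bytes_past_capture(size_t caplen)
{
    return caplen < HDRLEN ? HDRLEN - caplen : 0;
}

int main(void)
{
    /* Constructed case: packet declares 40 bytes, capture holds 16, 18, 20. */
    for (size_t caplen = 16; caplen <= 20; caplen += 2)
        printf("caplen=%zu before=%d after=%d past=%zu\n", caplen,
               lshdr_ok_before(40, caplen), lshdr_ok_after(40, caplen),
               bytes_past_capture(caplen));
    return 0;
}
```

With 16 or 18 captured bytes the earlier check accepts the header although `ls_length` lies partly or wholly outside the capture; the later check rejects both.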

Exploitation

A remote attacker can send a specially crafted OSPFv3 packet (e.g., a Hello or Database Description message) over IPv6 to a target running tcpdump. No authentication or special network position is required; the attacker only needs the ability to send IPv6 traffic to the target. The packet must contain an LSA header with manipulated length fields that cause ospf6_print_lshdr() to read past the end of the packet buffer. The sequence: attacker crafts an OSPFv3 packet with an LSA header whose advertised length exceeds the actual payload length; tcpdump receives and processes it; the over-read occurs during header parsing, potentially leading to a crash or memory corruption.

Impact

On success, the attacker can cause tcpdump to crash (denial of service) or, in some configurations, possibly execute arbitrary code. The crash results from accessing invalid memory; code execution may be achievable if the over-read corrupts critical data structures. The compromise occurs at the privilege level of the tcpdump process (typically user-level), but if tcpdump runs with elevated permissions (e.g., root), the impact could be more severe.

Mitigation

The vulnerability is fixed in tcpdump version 4.9.3. Users should update to this release or later. For systems that cannot immediately update, workarounds include filtering OSPFv3 traffic (e.g., using firewall rules to block IPv6 packets with next-header OSPF) or running tcpdump with reduced privileges. No official patch for older versions is available beyond the upstream fix. The CVE is listed in Apple's security advisory [1] and Ubuntu notices [2][3]; the fix commit is referenced in [4].

AI Insight generated on May 26, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.

Patches

d9a693b04326

VERSION set for release

https://github.com/the-tcpdump-group/tcpdump · Michael Richardson · Sep 30, 2019 · via osv
1 file changed · +1 -1
  • VERSION · +1 -1 · modified
    @@ -1 +1 @@
    -4.9.3rc2
    +4.9.3
    
e01c9bf76740

(for 4.9.3) CVE-2018-14880/OSPFv3: Fix a bounds check

https://github.com/the-tcpdump-group/tcpdump · Francois-Xavier Le Bail · Nov 4, 2017 · via osv
4 files changed · +63 -2
  • print-ospf6.c · +1 -2 · modified
    @@ -389,8 +389,7 @@ ospf6_print_lshdr(netdissect_options *ndo,
     {
     	if ((const u_char *)(lshp + 1) > dataend)
     		goto trunc;
    -	ND_TCHECK(lshp->ls_type);
    -	ND_TCHECK(lshp->ls_seq);
    +	ND_TCHECK(lshp->ls_length);	/* last field of struct lsa6_hdr */
     
     	ND_PRINT((ndo, "\n\t  Advertising Router %s, seq 0x%08x, age %us, length %u",
                    ipaddr_string(ndo, &lshp->ls_router),
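
Review bot: The new check on `lshp->ls_length` is complete only while that member stays last in `struct lsa6_hdr`, and the trailing comment is the only thing recording that dependency. Checking the whole header with `ND_TCHECK(*lshp);` would cover every field the `ND_PRINT` call below reads without relying on member order. A short comment on why the preceding `dataend` comparison is not enough by itself would also help, since the two removed lines show how easily only part of the header gets validated.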
    
  • tests/ospf6_print_lshdr-oobr.out · +59 -0 · added
    @@ -0,0 +1,59 @@
    +IP6 (class 0xe0, hlim 1, next-header OSPF (89) payload length: 36) fe80::1 > ff02::5: OSPFv3, Hello, length 36
    +	Router-ID 1.1.1.1, Area 0.0.0.1
    +	Options [V6, External, Router]
    +	  Hello Timer 10s, Dead Timer 40s, Interface-ID 0.0.0.5, Priority 1
    +	  Neighbor List:
    +IP6 (class 0xe0, hlim 1, next-header OSPF (89) payload length: 36) fe80::1 > ff02::5: OSPFv3, Hello, length 36
    +	Router-ID 1.1.1.1, Area 0.0.0.1
    +	Options [V6, External, Router]
    +	  Hello Timer 10s, Dead Timer 40s, Interface-ID 0.0.0.5, Priority 1
    +	  Neighbor List:
    +IP6 (class 0xe0, hlim 1, next-header OSPF (89) payload length: 36) fe80::1 > ff02::5: OSPFv3, Hello, length 36
    +	Router-ID 1.1.1.1, Area 0.0.0.1
    +	Options [V6, External, Router]
    +	  Hello Timer 10s, Dead Timer 40s, Interface-ID 0.0.0.5, Priority 1
    +	  Neighbor List:
    +IP6 (class 0xe0, hlim 1, next-header OSPF (89) payload length: 36) fe80::1 > ff02::5: OSPFv3, Hello, length 36
    +	Router-ID 1.1.1.1, Area 0.0.0.1
    +	Options [V6, External, Router]
    +	  Hello Timer 10s, Dead Timer 40s, Interface-ID 0.0.0.5, Priority 1
    +	  Neighbor List:
    +IP6 (class 0xe0, hlim 1, next-header OSPF (89) payload length: 36) fe80::2 > ff02::5: OSPFv3, Hello, length 36
    +	Router-ID 2.2.2.2, Area 0.0.0.1
    +	Options [V6, External, Router]
    +	  Hello Timer 10s, Dead Timer 40s, Interface-ID 0.0.0.5, Priority 1
    +	  Neighbor List:
    +IP6 (class 0xe0, hlim 1, next-header OSPF (89) payload length: 40) fe80::1 > ff02::5: OSPFv3, Hello, length 40
    +	Router-ID 1.1.1.1, Area 0.0.0.1
    +	Options [V6, External, Router]
    +	  Hello Timer 10s, Dead Timer 40s, Interface-ID 0.0.0.5, Priority 1
    +	  Designated Router 1.1.1.1
    +	  Neighbor List: [|ospf3]
    +IP6 (class 0xe0, flowlabel 0x00100, hlim 1, next-header OSPF (89) payload length: 28) fe80::2 > fe80::1: OSPFv3, Database Description, length 28
    +	Router-ID 2.2.2.2, Area 0.0.0.1
    +	Options [V6, External, Router], DD Flags [Init, More, Master], MTU 1500, DD-Sequence 0x00001d46
    +IP6 (class 0xe0, hlim 1, next-header OSPF (89) payload length: 28) fe80::1 > fe80::2: OSPFv3, Database Description, length 28
    +	Router-ID 1.1.1.1, Area 0.0.0.1
    +	Options [V6, External, Router], DD Flags [Init, More, Master], MTU 1500, DD-Sequence 0x0000242c
    +IP6 (class 0xe0, hlim 1, next-header OSPF (89) payload length: 168) fe80::1 > fe80::2: OSPFv3, Database Description, length 168
    +	Router-ID 1.1.1.1, Area 0.0.0.1
    +	Options [V6, External, Router], DD Flags [More], MTU 1500, DD-Sequence 0x00001d46 [|ospf3]
    +IP6 (class 0xe0, hlim 1, next-header OSPF (89) payload length: 148) fe80::2 > fe80::1: OSPFv3, Database Description, length 148
    +	Router-ID 2.2.2.2, Area 0.0.0.1
    +	Options [V6, External, Router], DD Flags [More, Master], MTU 1500, DD-Sequence 0x00001d47 [|ospf3]
    +IP6 (class 0xe0, hlim 1, next-header OSPF (89) payload length: 28) fe80::1 > fe80::2: OSPFv3, Database Description, length 28
    +	Router-ID 1.1.1.1, Area 0.0.0.1
    +	Options [V6, External, Router], DD Flags [none], MTU 1500, DD-Sequence 0x00001d47
    +IP6 (class 0xe0, hlim 1, next-header OSPF (89) payload length: 100) fe80::2 > fe80::1: OSPFv3, LS-Request, length 100
    +	Router-ID 2.2.2.2, Area 0.0.0.1
    +	  Advertising Router 1.1.1.1
    +	    Router LSA (1), Area Local Scope, LSA-ID 0.0.0.0 [|ospf3]
    +IP6 (class 0xe0, hlim 1, next-header OSPF (89) payload length: 88) fe80::1 > fe80::2: OSPFv3, LS-Request, length 88
    +	Router-ID 1.1.1.1, Area 0.0.0.1
    +	  Advertising Router 2.2.2.2
    +	    Router LSA (1), Area Local Scope, LSA-ID 0.0.0.0 [|ospf3]
    +IP6 (class 0xe0, hlim 1, next-header OSPF (89) payload length: 28) fe80::2 > fe80::1: OSPFv3, Database Description, length 28
    +	Router-ID 2.2.2.2, Area 0.0.0.1
    +	Options [V6, External, Router], DD Flags [Master], MTU 1500, DD-Sequence 0x00001d48
    +IP6 (class 0xe0, hlim 1, next-header OSPF (89) payload length: 288) fe80::1 > fe80:0:ff:ffff:f000::2: OSPFv3, LS-Update, length 288
    +	Router-ID 1.1.1.1, Area 0.0.0.1 [|ospf3]
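
Review bot: Every packet in this expected output that could carry an LSA header ends in `[|ospf3]` (the Database Description packets of length 168 and 148 and the final LS-Update), so the `Advertising Router ..., seq ..., age ..., length ...` line printed by `ospf6_print_lshdr()` never appears. The test pins the truncation path only; consider adding a capture with a fully present LSA header so that a later check that wrongly rejects valid headers would also be caught.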
    
  • tests/ospf6_print_lshdr-oobr.pcapng · +0 -0 · added
  • tests/TESTLIST · +3 -0 · modified
    @@ -596,6 +596,9 @@ icmp6_nodeinfo_oobr	icmp6_nodeinfo_oobr.pcap	icmp6_nodeinfo_oobr.out
     rx_ubik-oobr		rx_ubik-oobr.pcap		rx_ubik-oobr.out -c1
     babel_update_oobr	babel_update_oobr.pcap	babel_update_oobr.out	-c 52
     
    +# bad packets from Junjie Wang
    +ospf6_print_lshdr-oobr	ospf6_print_lshdr-oobr.pcapng	ospf6_print_lshdr-oobr.out	-vv -c15
    +
     # RTP tests
     # fuzzed pcap
     rtp-seg-fault-1  rtp-seg-fault-1.pcap  rtp-seg-fault-1.out  -v -T rtp
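
Review bot: The added comment `# bad packets from Junjie Wang` credits the reporter but does not say which issue the capture exercises; putting the CVE id from the commit subject (CVE-2018-14880) next to the `ospf6_print_lshdr-oobr` entry would make the regression test traceable from TESTLIST alone. The entry also relies on `-c15` matching the 15 packets in the `.out` file, which is worth stating in the comment so the two are updated together.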
    

Vulnerability mechanics

Generated on May 9, 2026. Inputs: CWE entries + fix-commit diffs from this CVE's patches. Citations validated against bundle.
