CVE-2018-14881
Description
The BGP parser in tcpdump before 4.9.3 has a buffer over-read in print-bgp.c:bgp_capabilities_print() (BGP_CAPCODE_RESTART).
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
The BGP parser in tcpdump before 4.9.3 has a buffer over-read in print-bgp.c:bgp_capabilities_print() (BGP_CAPCODE_RESTART).
Vulnerability
A buffer over-read exists in the BGP parser of tcpdump versions prior to 4.9.3 [4]. The flaw is located in the bgp_capabilities_print() function within print-bgp.c when processing the BGP_CAPCODE_RESTART capability. The over-read occurs due to insufficient bounds checking on the input data, allowing read operations beyond the allocated buffer [1][2][3][4].
Exploitation
An attacker can trigger the buffer over-read by crafting a malicious BGP packet and sending it to a target system running a vulnerable version of tcpdump. The attacker does not require authentication or any special network position beyond being able to deliver the packet to the tcpdump process, such as through a network capture session. The vulnerability is exercised when tcpdump parses the BGP capabilities, leading to the over-read [1][2][3][4].
Impact
Successful exploitation can result in a denial of service due to a crash or, potentially, the execution of arbitrary code, depending on how the over-read is leveraged. The attacker may be able to read sensitive memory or cause the application to behave unexpectedly [4].
Mitigation
The vulnerability is fixed in tcpdump version 4.9.3 [4]. Users should upgrade to tcpdump 4.9.3 or later. Debian distributions have released updates (4.9.3-1~deb9u1 for stretch, 4.9.3-1~deb10u1 for buster) [4]. No workaround is available; updating the software is the recommended mitigation.
- About the security content of macOS Catalina 10.15.2, Security Update 2019-002 Mojave, Security Update 2019-007 High Sierra - Apple Support
- APPLE-SA-2019-12-10-3 macOS Catalina 10.15.2, Security Update 2019-002 Mojave, Security Update 2019-007 High Sierra
- APPLE-SA-2019-12-10-3 macOS Catalina 10.15.2, Security Update 2019-002 Mojave, Security Update 2019-007 High Sierra
- [SECURITY] [DSA 4547-1] tcpdump security update
AI Insight generated on May 25, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
Affected products
10- tcpdump/tcpdumpdescription
- osv-coords9 versionspkg:rpm/opensuse/tcpdump&distro=openSUSE%20Leap%2015.0pkg:rpm/opensuse/tcpdump&distro=openSUSE%20Leap%2015.1pkg:rpm/opensuse/tcpdump&distro=openSUSE%20Tumbleweedpkg:rpm/suse/tcpdump&distro=SUSE%20Linux%20Enterprise%20Module%20for%20Basesystem%2015pkg:rpm/suse/tcpdump&distro=SUSE%20Linux%20Enterprise%20Module%20for%20Basesystem%2015%20SP1pkg:rpm/suse/tcpdump&distro=SUSE%20Linux%20Enterprise%20Point%20of%20Sale%2011%20SP3pkg:rpm/suse/tcpdump&distro=SUSE%20Linux%20Enterprise%20Server%2011%20SP4-LTSSpkg:rpm/suse/tcpdump&distro=SUSE%20Linux%20Enterprise%20Server%2012%20SP5pkg:rpm/suse/tcpdump&distro=SUSE%20Linux%20Enterprise%20Server%20for%20SAP%20Applications%2012%20SP5
< 4.9.2-lp150.10.1+ 8 more
- (no CPE)range: < 4.9.2-lp150.10.1
- (no CPE)range: < 4.9.2-lp151.4.6.1
- (no CPE)range: < 4.99.1-1.2
- (no CPE)range: < 4.9.2-3.9.1
- (no CPE)range: < 4.9.2-3.9.1
- (no CPE)range: < 3.9.8-1.30.13.1
- (no CPE)range: < 3.9.8-1.30.13.1
- (no CPE)range: < 4.9.2-14.17.1
- (no CPE)range: < 4.9.2-14.17.1
Patches
2d9a693b04326VERSION set for release
1 file changed · +1 −1
VERSION+1 −1 modified@@ -1 +1 @@ -4.9.3rc2 +4.9.3
86326e880d31(for 4.9.3) CVE-2018-14881/BGP: Fix BGP_CAPCODE_RESTART.
4 files changed · +30 −0
print-bgp.c+2 −0 modified@@ -2351,6 +2351,8 @@ bgp_capabilities_print(netdissect_options *ndo, opt[i+5])); break; case BGP_CAPCODE_RESTART: + /* Restart Flags (4 bits), Restart Time in seconds (12 bits) */ + ND_TCHECK_16BITS(opt + i + 2); ND_PRINT((ndo, "\n\t\tRestart Flags: [%s], Restart Time %us", ((opt[i+2])&0x80) ? "R" : "none", EXTRACT_16BITS(opt+i+2)&0xfff));
tests/bgp-bgp_capabilities_print-oobr-1.out+27 −0 added@@ -0,0 +1,27 @@ +IP (tos 0x1f,CE, ttl 254, id 38671, offset 0, flags [+, DF, rsvd], proto TCP (6), length 4135, bad cksum 200 (->1fdd)!) + 226.219.0.0.179 > 16.233.34.0.100: Flags [SPUE], seq 347537408:347541483, win 511, urg 65535, options [eol], length 4075: BGP [|BGP] + Open Message (1), length: 59 + Version 255, my AS 65528, Holdtime 4324s, ID 144.8.32.4 + Optional parameters, length: 29 + Option Unknown (0), length: 0 + no decoder for option 0 + Option Capabilities Advertisement (2), length: 8 + Graceful Restart (64), length: 0 + Restart Flags: [none], Restart Time 0s + Unknown (0), length: 0 + no decoder for Capability 0 + 32-Bit AS Number (65), length: 4 + 4 Byte AS 2 + Option Unknown (0), length: 2 + no decoder for option 0 + Option Capabilities Advertisement (2), length: 2 + Unknown (232), length: 3 + no decoder for Capability 232 + 0x0000: 0207 04 + Option Capabilities Advertisement (2), length: 7 + Multiple Routes to a Destination (4), length: 0 + no decoder for Capability 4 + Unknown (8), length: 0 + no decoder for Capability 8 + Route Refresh (Cisco) (128), length: 0 + Graceful Restart (64), length: 0[|BGP]
tests/bgp-bgp_capabilities_print-oobr-1.pcap+0 −0 addedtests/TESTLIST+1 −0 modified@@ -557,6 +557,7 @@ icmp-icmp_print-oobr-1 icmp-icmp_print-oobr-1.pcap icmp-icmp_print-oobr-1.out -v icmp-icmp_print-oobr-2 icmp-icmp_print-oobr-2.pcap icmp-icmp_print-oobr-2.out -v -c3 rsvp-rsvp_obj_print-oobr rsvp-rsvp_obj_print-oobr.pcap rsvp-rsvp_obj_print-oobr.out -v -c3 vrrp-vrrp_print-oobr vrrp-vrrp_print-oobr.pcap vrrp-vrrp_print-oobr.out -v -c3 +bgp-bgp_capabilities_print-oobr-1 bgp-bgp_capabilities_print-oobr-1.pcap bgp-bgp_capabilities_print-oobr-1.out -v -c1 # The .pcap file is truncated after the 1st packet. hncp_dhcpv6data-oobr hncp_dhcpv6data-oobr.pcap hncp_dhcpv6data-oobr.out -v -c1 hncp_dhcpv4data-oobr hncp_dhcpv4data-oobr.pcap hncp_dhcpv4data-oobr.out -v -c1
Vulnerability mechanics
Generated on May 9, 2026. Inputs: CWE entries + fix-commit diffs from this CVE's patches. Citations validated against bundle.
References
16- lists.opensuse.org/opensuse-security-announce/2019-10/msg00050.htmlmitrevendor-advisoryx_refsource_SUSE
- lists.opensuse.org/opensuse-security-announce/2019-10/msg00053.htmlmitrevendor-advisoryx_refsource_SUSE
- lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/62XY42U6HY3H2APR5EHNWCZ7SAQNMMJN/mitrevendor-advisoryx_refsource_FEDORA
- lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/FNYXF3IY2X65IOD422SA6EQUULSGW7FN/mitrevendor-advisoryx_refsource_FEDORA
- lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/R2UDPOSGVJQIYC33SQBXMDXHH4QDSDMU/mitrevendor-advisoryx_refsource_FEDORA
- usn.ubuntu.com/4252-1/mitrevendor-advisoryx_refsource_UBUNTU
- usn.ubuntu.com/4252-2/mitrevendor-advisoryx_refsource_UBUNTU
- www.debian.org/security/2019/dsa-4547mitrevendor-advisoryx_refsource_DEBIAN
- seclists.org/fulldisclosure/2019/Dec/26mitremailing-listx_refsource_FULLDISC
- github.com/the-tcpdump-group/tcpdump/blob/tcpdump-4.9/CHANGESmitrex_refsource_MISC
- github.com/the-tcpdump-group/tcpdump/commit/86326e880d31b328a151d45348c35220baa9a1ffmitrex_refsource_CONFIRM
- lists.debian.org/debian-lts-announce/2019/10/msg00015.htmlmitremailing-listx_refsource_MLIST
- seclists.org/bugtraq/2019/Dec/23mitremailing-listx_refsource_BUGTRAQ
- seclists.org/bugtraq/2019/Oct/28mitremailing-listx_refsource_BUGTRAQ
- security.netapp.com/advisory/ntap-20200120-0001/mitrex_refsource_CONFIRM
- support.apple.com/kb/HT210788mitrex_refsource_CONFIRM
News mentions
0No linked articles in our index yet.