Unrated severityNVD Advisory· Published Oct 3, 2019· Updated Dec 3, 2025

CVE-2018-14882

CVE-2018-14882

Description

A buffer over-read in tcpdump's ICMPv6 parser before 4.9.3 allows information disclosure via crafted packets.

AI Insight

LLM-synthesized narrative grounded in this CVE's description and references.

A buffer over-read in tcpdump's ICMPv6 parser before 4.9.3 allows information disclosure via crafted packets.

Vulnerability

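A buffer over-read exists in the ICMPv6 parser of tcpdump versions prior to 4.9.3. The issue resides in print-icmp6.c, where certain ICMPv6 packets (specifically those related to RPL routing) are processed without proper bounds checking, so the parser reads beyond the end of the buffer holding the captured packet [4]. The fix commit listed under Patches adds the missing check in `rpl_dio_printopt`, on the length field of the next RPL option.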

Exploitation

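An attacker can exploit this vulnerability by sending a specially crafted ICMPv6 packet to a system running a vulnerable version of tcpdump that is capturing network traffic. No authentication is required; the attacker only needs to send the malicious packet over the network. When tcpdump processes the packet, the over-read occurs [4]. The same parser runs when tcpdump reads a saved capture, as the regression test added with the fix does (`rpl-dao-oobr.pcapng`), so opening an untrusted capture file with a vulnerable version is exposed in the same way.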

Impact

Successful exploitation results in a buffer over-read, which could lead to the disclosure of sensitive memory contents. This may expose arbitrary information from the process's address space, potentially including security-critical data. The vulnerability does not directly lead to code execution but can leak information [4].

Mitigation

The vulnerability is fixed in tcpdump version 4.9.3, released in October 2019. Users should upgrade to tcpdump 4.9.3 or later. For operating systems that include tcpdump, such as macOS, security updates that incorporate the fix are available from vendors [4].

AI Insight generated on May 25, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.

Affected products

11

Patches

2
d9a693b04326

VERSION set for release

https://github.com/the-tcpdump-group/tcpdumpMichael RichardsonSep 30, 2019via osv
1 file changed · +1 1
  • VERSION+1 1 modified
    @@ -1 +1 @@
    -4.9.3rc2
    +4.9.3
    
d7505276842e

(for 4.9.3) CVE-2018-14882/ICMP6 RPL: Add a missing bounds check

https://github.com/the-tcpdump-group/tcpdumpFrancois-Xavier Le BailNov 3, 2017via osv
8 files changed · +23 16
  • print-icmp6.c+17 12 modified
    @@ -41,6 +41,10 @@
     #include "udp.h"
     #include "ah.h"
     
    +static const char icmp6_tstr[] = " [|icmp6]";
    +static const char rpl_tstr[] = " [|rpl]";
    +static const char mldv2_tstr[] = " [|mldv2]";
    +
     /*	NetBSD: icmp6.h,v 1.13 2000/08/03 16:30:37 itojun Exp 	*/
     /*	$KAME: icmp6.h,v 1.22 2000/08/03 15:25:16 jinmei Exp $	*/
     
    @@ -683,10 +687,11 @@ rpl_dio_printopt(netdissect_options *ndo,
                     }
                     opt = (const struct rpl_dio_genoption *)(((const char *)opt) + optlen);
                     length -= optlen;
    +                ND_TCHECK(opt->rpl_dio_len);
             }
             return;
     trunc:
    -	ND_PRINT((ndo," [|truncated]"));
    +	ND_PRINT((ndo, "%s", rpl_tstr));
     	return;
     }
     
    @@ -715,7 +720,7 @@ rpl_dio_print(netdissect_options *ndo,
             }
     	return;
     trunc:
    -	ND_PRINT((ndo," [|truncated]"));
    +	ND_PRINT((ndo, "%s", rpl_tstr));
     	return;
     }
     
    @@ -756,7 +761,7 @@ rpl_dao_print(netdissect_options *ndo,
     	return;
     
     trunc:
    -	ND_PRINT((ndo," [|truncated]"));
    +	ND_PRINT((ndo, "%s", rpl_tstr));
     	return;
     
     tooshort:
    @@ -800,7 +805,7 @@ rpl_daoack_print(netdissect_options *ndo,
     	return;
     
     trunc:
    -	ND_PRINT((ndo," [|dao-truncated]"));
    +	ND_PRINT((ndo, "%s", rpl_tstr));
     	return;
     
     tooshort:
    @@ -859,7 +864,7 @@ rpl_print(netdissect_options *ndo,
     
     #if 0
     trunc:
    -	ND_PRINT((ndo," [|truncated]"));
    +	ND_PRINT((ndo, "%s", rpl_tstr));
     	return;
     #endif
     
    @@ -1157,7 +1162,7 @@ icmp6_print(netdissect_options *ndo,
                     ND_PRINT((ndo,", length %u", length));
     	return;
     trunc:
    -	ND_PRINT((ndo, "[|icmp6]"));
    +	ND_PRINT((ndo, "%s", icmp6_tstr));
     }
     
     static const struct udphdr *
    @@ -1381,8 +1386,8 @@ icmp6_opt_print(netdissect_options *ndo, const u_char *bp, int resid)
     	}
     	return;
     
    - trunc:
    -	ND_PRINT((ndo, "[ndp opt]"));
    +trunc:
    +	ND_PRINT((ndo, "%s", icmp6_tstr));
     	return;
     #undef ECHECK
     }
    @@ -1457,7 +1462,7 @@ mldv2_report_print(netdissect_options *ndo, const u_char *bp, u_int len)
         }
         return;
     trunc:
    -    ND_PRINT((ndo,"[|icmp6]"));
    +    ND_PRINT((ndo, "%s", mldv2_tstr));
         return;
     }
     
    @@ -1523,7 +1528,7 @@ mldv2_query_print(netdissect_options *ndo, const u_char *bp, u_int len)
         ND_PRINT((ndo,"]"));
         return;
     trunc:
    -    ND_PRINT((ndo,"[|icmp6]"));
    +    ND_PRINT((ndo, "%s", mldv2_tstr));
         return;
     }
     
    @@ -1810,7 +1815,7 @@ icmp6_nodeinfo_print(netdissect_options *ndo, u_int icmp6len, const u_char *bp,
     	return;
     
     trunc:
    -	ND_PRINT((ndo, "[|icmp6]"));
    +	ND_PRINT((ndo, "%s", icmp6_tstr));
     }
     
     static void
    @@ -1945,7 +1950,7 @@ icmp6_rrenum_print(netdissect_options *ndo, const u_char *bp, const u_char *ep)
     	return;
     
     trunc:
    -	ND_PRINT((ndo,"[|icmp6]"));
    +	ND_PRINT((ndo, "%s", icmp6_tstr));
     }
     
     /*
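Review bot: In the `rpl_dio_printopt` hunk, the added `ND_TCHECK(opt->rpl_dio_len);` bounds the next option's length byte against the captured data only, while `length -= optlen;` on the line above it is still not checked against the remaining message length. If `length` is unsigned (its declaration is outside the hunk), an `optlen` larger than what remains wraps it, so I would add `if (optlen > length) goto trunc;` before the subtraction. The new check is also unconditional: a one-byte pad0 option in the last byte of the packet has no length byte after it, which appears to be why the checksum-valid packet in tests/rpl-19-pickdag.out now loses its final `opt:pad0` and ends in ` [|rpl]`. Skipping the check once no option bytes remain would avoid reporting well-formed packets as truncated. The loop condition and the start of the function are outside the hunk, so both points need confirming against the full body.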
    
  • tests/icmp6_mobileprefix_asan.out+1 1 modified
    @@ -1,2 +1,2 @@
    -IP6 (class 0x50, flowlabel 0x0002c, hlim 0, next-header ICMPv6 (58) payload length: 7168) 4f:f829:c:1a1a:1a1a:1a1a:1a37:0 > 16:0:400:0:64fb:9303:f293:8200: ICMP6, mobile router advertisement, length 7168, id 0x9393[|icmp6]
    +IP6 (class 0x50, flowlabel 0x0002c, hlim 0, next-header ICMPv6 (58) payload length: 7168) 4f:f829:c:1a1a:1a1a:1a1a:1a37:0 > 16:0:400:0:64fb:9303:f293:8200: ICMP6, mobile router advertisement, length 7168, id 0x9393 [|icmp6]
     [|ether]
    
  • tests/icmp6_nodeinfo_oobr.out+1 1 modified
    @@ -1 +1 @@
    -IP6 a072:7f00:1:7f00:1:e01a:17:6785 > c903::a002:8018:fe30:0:204: ICMP6, who-are-you reply[|icmp6], length 4
    +IP6 a072:7f00:1:7f00:1:e01a:17:6785 > c903::a002:8018:fe30:0:204: ICMP6, who-are-you reply [|icmp6], length 4
    
  • tests/rpl-19-pickdag.out+1 1 modified
    @@ -1 +1 @@
    -IP6 (hlim 64, next-header ICMPv6 (58) payload length: 56) fe80::216:3eff:fe11:3424 > fe80::216:3eff:fe11:3424: [icmp6 sum ok] ICMP6, RPL, (CLR)Destination Advertisement Object [dagid:5431::,seq:10,instance:42,Dagid,40] opt:rpltarget len:25  opt:pad0 opt:pad0 opt:pad0 opt:pad0 opt:pad0 opt:pad0 opt:pad0
    +IP6 (hlim 64, next-header ICMPv6 (58) payload length: 56) fe80::216:3eff:fe11:3424 > fe80::216:3eff:fe11:3424: [icmp6 sum ok] ICMP6, RPL, (CLR)Destination Advertisement Object [dagid:5431::,seq:10,instance:42,Dagid,40] opt:rpltarget len:25  opt:pad0 opt:pad0 opt:pad0 opt:pad0 opt:pad0 opt:pad0 [|rpl]
    
  • tests/rpl-19-pickdagvvv.out+1 1 modified
    @@ -1 +1 @@
    -IP6 (hlim 64, next-header ICMPv6 (58) payload length: 56) fe80::216:3eff:fe11:3424 > fe80::216:3eff:fe11:3424: [icmp6 sum ok] ICMP6, RPL, (CLR)Destination Advertisement Object [dagid:5431::,seq:10,instance:42,Dagid,40] opt:rpltarget len:25  0x0000:  0080 2001 0db8 0001 0000 0216 3eff fe11 0x0010:  3424 0000 0000 00 opt:pad0 opt:pad0 opt:pad0 opt:pad0 opt:pad0 opt:pad0 opt:pad0
    +IP6 (hlim 64, next-header ICMPv6 (58) payload length: 56) fe80::216:3eff:fe11:3424 > fe80::216:3eff:fe11:3424: [icmp6 sum ok] ICMP6, RPL, (CLR)Destination Advertisement Object [dagid:5431::,seq:10,instance:42,Dagid,40] opt:rpltarget len:25  0x0000:  0080 2001 0db8 0001 0000 0216 3eff fe11 0x0010:  3424 0000 0000 00 opt:pad0 opt:pad0 opt:pad0 opt:pad0 opt:pad0 opt:pad0 [|rpl]
    
  • tests/rpl-dao-oobr.out+1 0 added
    @@ -0,0 +1 @@
    +IP6 (hlim 64, next-header ICMPv6 (58) payload length: 56) fe80::216:3eff:fe11:3424 > fe80::216:3eff:fe11:3424: ICMP6, RPL, (CLR)Destination Advertisement Object [dagid:<elided>,seq:0,instance:42,00] opt:subopt:13 len:2  opt:subopt:128 len:15  opt:subopt:13 len:15  [|rpl]
    
  • tests/rpl-dao-oobr.pcapng+0 0 added
  • tests/TESTLIST+1 0 modified
    @@ -598,6 +598,7 @@ babel_update_oobr	babel_update_oobr.pcap	babel_update_oobr.out	-c 52
     
     # bad packets from Junjie Wang
     ospf6_print_lshdr-oobr	ospf6_print_lshdr-oobr.pcapng	ospf6_print_lshdr-oobr.out	-vv -c15
    +rpl-dao-oobr		rpl-dao-oobr.pcapng		rpl-dao-oobr.out		-vv -c1
     
     # RTP tests
     # fuzzed pcap
    

Vulnerability mechanics

Generated on May 9, 2026. Inputs: CWE entries + fix-commit diffs from this CVE's patches. Citations validated against bundle.

References

16
