CVE-2018-16228
Description
A buffer over-read vulnerability in tcpdump's HNCP parser (print_prefix()) can be triggered by a malformed packet, leading to information disclosure before fix in 4.9.3.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
Vulnerability
The HNCP parser in tcpdump versions before 4.9.3 contains a buffer over-read in the print_prefix() function, located in print-hncp.c [4]. The flaw occurs when decoding a malformed HNCP prefix option. Specifically, in print_prefix(), the return value of decode_prefix6() was not checked for errors; if it returned a negative value, the subsequent ND_PRINT() call would read from an uninitialized or out-of-bounds buffer [4]. The commit fixing the issue adds a check for plenbytes < 0 and returns early [4]. All tcpdump versions prior to 4.9.3 are affected.
Exploitation
An attacker needs only the ability to send a specially crafted HNCP packet over the network to a target running tcpdump that is capturing or reading the packet. No authentication is required, as tcpdump can process raw network traffic. The crafted HNCP option triggers a negative return from decode_prefix6(), causing print_prefix() to proceed with a plenbytes value of -1, leading to a buffer over-read in the subsequent ND_PRINT() call [4]. Proof-of-concept pcap files were introduced as test cases in the fix [4].
Impact
Successful exploitation results in a buffer over-read, which may leak sensitive memory contents when tcpdump prints the malformed prefix. The impact is primarily information disclosure; the over-read could leak stack or heap data from the tcpdump process's memory, potentially exposing credentials, network secrets, or other sensitive information processed by the host.
Mitigation
The vulnerability is fixed in tcpdump version 4.9.3, released on August 3, 2018 [4]. Users should upgrade to 4.9.3 or later. For users unable to upgrade, the fix commit 83a412a5275cac973c5841eca3511c766bed778d can be manually applied [4]. No workaround is available other than patching. This CVE is not listed on the CISA Known Exploited Vulnerabilities (KEV) catalog.
References [1], [2], and [3] mention Apple security updates that addressed other vulnerabilities but do not provide specific mitigation details for CVE-2018-16228.
- [1] About the security content of macOS Catalina 10.15.2, Security Update 2019-002 Mojave, Security Update 2019-007 High Sierra - Apple Support
- [2] APPLE-SA-2019-12-10-3 macOS Catalina 10.15.2, Security Update 2019-002 Mojave, Security Update 2019-007 High Sierra
- [3] APPLE-SA-2019-12-10-3 macOS Catalina 10.15.2, Security Update 2019-002 Mojave, Security Update 2019-007 High Sierra
- [4] (for 4.9.3) CVE-2018-16228/HNCP: make buffer access safer · the-tcpdump-group/tcpdump@83a412a
AI Insight generated on May 25, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
Affected products
- tcpdump/tcpdump
- osv-coords (7 versions, no CPE):
  - pkg:rpm/opensuse/tcpdump&distro=openSUSE%20Leap%2015.0, range: < 4.9.2-lp150.10.1
  - pkg:rpm/opensuse/tcpdump&distro=openSUSE%20Leap%2015.1, range: < 4.9.2-lp151.4.6.1
  - pkg:rpm/opensuse/tcpdump&distro=openSUSE%20Tumbleweed, range: < 4.99.1-1.2
  - pkg:rpm/suse/tcpdump&distro=SUSE%20Linux%20Enterprise%20Module%20for%20Basesystem%2015, range: < 4.9.2-3.9.1
  - pkg:rpm/suse/tcpdump&distro=SUSE%20Linux%20Enterprise%20Module%20for%20Basesystem%2015%20SP1, range: < 4.9.2-3.9.1
  - pkg:rpm/suse/tcpdump&distro=SUSE%20Linux%20Enterprise%20Server%2012%20SP5, range: < 4.9.2-14.17.1
  - pkg:rpm/suse/tcpdump&distro=SUSE%20Linux%20Enterprise%20Server%20for%20SAP%20Applications%2012%20SP5, range: < 4.9.2-14.17.1
Patches
No patches discovered yet.
Vulnerability mechanics
Root cause
"Missing return-value check in print_prefix() allows a negative length from decode_prefix6() to cause a buffer over-read."
Attack vector
An attacker crafts a malicious HNCP (Home Networking Control Protocol) packet containing an invalid IPv6 prefix that causes `decode_prefix6()` to return a negative value. When tcpdump processes this packet with the `-vvv` flag, the unchecked negative return value in `print_prefix()` leads to a buffer over-read. The attacker can deliver the packet over the local network via UDP, and no authentication is required.
Affected code
The vulnerable code is in `print-hncp.c` in the `print_prefix()` function. The function called `decode_prefix6()` without checking its return value before using the result; a negative return value (indicating a malformed prefix) caused a buffer over-read when the output was later printed via `ND_PRINT`.
What the fix does
The patch adds a check for a negative return value from `decode_prefix6()` in `print_prefix()`. If `plenbytes
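The missing check and its fix, modelled as an added C example (not tcpdump's code: `decode_prefix6_model`, `print_prefix_unchecked` and `print_prefix_checked` are simplified stand-ins written here, and the option bytes are constructed samples, not the fix's test pcaps). The decoder returns -1 for a prefix length above 128 or for a truncated option and writes its output only on success; the unchecked caller then prints whatever its local buffer already held, while the checked caller returns before printing:

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Simplified stand-in for tcpdump's decode_prefix6(): one byte of prefix
 * length followed by ceil(plen/8) prefix bytes. Returns the number of prefix
 * bytes consumed (plenbytes), or -1 on a malformed prefix. On failure 'out'
 * is left untouched; that is the property the caller has to respect. */
int decode_prefix6_model(const uint8_t *pkt, size_t pktlen, char *out, size_t outlen)
{
    if (pktlen < 1)
        return -1;
    unsigned plen = pkt[0];
    if (plen > 128)                        /* an IPv6 prefix cannot exceed /128 */
        return -1;
    size_t plenbytes = (plen + 7) / 8;
    if (pktlen < 1 + plenbytes)            /* prefix bytes missing from the option */
        return -1;

    uint8_t addr[16] = {0};
    memcpy(addr, pkt + 1, plenbytes);
    int n = 0;
    for (int i = 0; i < 16; i += 2) {
        n += snprintf(out + n, outlen - (size_t)n, "%s%02x%02x",
                      i ? ":" : "", addr[i], addr[i + 1]);
        if ((size_t)n >= outlen)
            return -1;
    }
    snprintf(out + n, outlen - (size_t)n, "/%u", plen);
    return (int)plenbytes;
}

/* Shape of the code before the fix: the return value is stored but never
 * tested, so on a malformed prefix the local buffer is printed anyway.
 * To keep the model deterministic (and free of undefined behaviour) the
 * buffer is pre-filled with a sentinel standing in for stale stack data. */
int print_prefix_unchecked(const uint8_t *pkt, size_t pktlen, char *out, size_t outlen)
{
    char buf[64];
    strcpy(buf, "<stale-stack-bytes>");   /* stands in for uninitialized memory */
    int plenbytes = decode_prefix6_model(pkt, pktlen, buf, sizeof buf);
    /* BUG: no 'if (plenbytes < 0)' gate here */
    snprintf(out, outlen, "%s", buf);      /* ND_PRINT of whatever buf holds */
    return plenbytes;
}

/* Shape of the code after the fix: bail out before anything is printed. */
int print_prefix_checked(const uint8_t *pkt, size_t pktlen, char *out, size_t outlen)
{
    char buf[64];
    strcpy(buf, "<stale-stack-bytes>");
    int plenbytes = decode_prefix6_model(pkt, pktlen, buf, sizeof buf);
    if (plenbytes < 0)
        return plenbytes;                  /* return early: nothing printed */
    snprintf(out, outlen, "%s", buf);
    return plenbytes;
}

/* Constructed sample option payloads (not taken from the CVE's test pcaps). */
static const uint8_t GOOD_PREFIX[] = { 64, 0x20, 0x01, 0x0d, 0xb8, 0x00, 0x00, 0x00, 0x01 };
static const uint8_t BAD_PLEN[]    = { 200, 0x20, 0x01 };  /* prefix length 200 > 128 */
static const uint8_t SHORT_PKT[]   = { 64, 0x20, 0x01 };   /* claims 8 prefix bytes, carries 2 */

int main(void)
{
    char out[64];
    int rc = print_prefix_unchecked(BAD_PLEN, sizeof BAD_PLEN, out, sizeof out);
    printf("unchecked: rc=%d printed=\"%s\"\n", rc, out);
    rc = print_prefix_checked(BAD_PLEN, sizeof BAD_PLEN, out, sizeof out);
    printf("checked:   rc=%d (nothing printed)\n", rc);
    rc = print_prefix_checked(SHORT_PKT, sizeof SHORT_PKT, out, sizeof out);
    printf("truncated: rc=%d (nothing printed)\n", rc);
    rc = print_prefix_checked(GOOD_PREFIX, sizeof GOOD_PREFIX, out, sizeof out);
    printf("valid:     rc=%d printed=\"%s\"\n", rc, out);
    return 0;
}
```

The sentinel pre-fill makes the leak visible and repeatable; in the real parser the buffer simply held whatever the previous stack frame left there, which is the information-disclosure path the advisory describes. The same `rc < 0` gate applies to any decoder that reports failure through its return value and fills its output only on success.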
Preconditions
- network: The attacker must be able to send a crafted HNCP packet over UDP to the target machine.
- config: tcpdump must be invoked with the `-vvv` flag (or a verbosity level that triggers HNCP parsing) and capture the malicious packet.
- auth: No authentication or special privileges are required to send the packet.
Generated on May 27, 2026. Inputs: CWE entries + fix-commit diffs from this CVE's patches. Citations validated against bundle.
References
- lists.opensuse.org/opensuse-security-announce/2019-10/msg00050.html (mitre, vendor-advisory, x_refsource_SUSE)
- lists.opensuse.org/opensuse-security-announce/2019-10/msg00053.html (mitre, vendor-advisory, x_refsource_SUSE)
- lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/62XY42U6HY3H2APR5EHNWCZ7SAQNMMJN/ (mitre, vendor-advisory, x_refsource_FEDORA)
- lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/FNYXF3IY2X65IOD422SA6EQUULSGW7FN/ (mitre, vendor-advisory, x_refsource_FEDORA)
- lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/R2UDPOSGVJQIYC33SQBXMDXHH4QDSDMU/ (mitre, vendor-advisory, x_refsource_FEDORA)
- usn.ubuntu.com/4252-1/ (mitre, vendor-advisory, x_refsource_UBUNTU)
- usn.ubuntu.com/4252-2/ (mitre, vendor-advisory, x_refsource_UBUNTU)
- www.debian.org/security/2019/dsa-4547 (mitre, vendor-advisory, x_refsource_DEBIAN)
- seclists.org/fulldisclosure/2019/Dec/26 (mitre, mailing-list, x_refsource_FULLDISC)
- github.com/the-tcpdump-group/tcpdump/blob/tcpdump-4.9/CHANGES (mitre, x_refsource_MISC)
- github.com/the-tcpdump-group/tcpdump/commit/83a412a5275cac973c5841eca3511c766bed778d (mitre, x_refsource_CONFIRM)
- lists.debian.org/debian-lts-announce/2019/10/msg00015.html (mitre, mailing-list, x_refsource_MLIST)
- seclists.org/bugtraq/2019/Dec/23 (mitre, mailing-list, x_refsource_BUGTRAQ)
- seclists.org/bugtraq/2019/Oct/28 (mitre, mailing-list, x_refsource_BUGTRAQ)
- security.netapp.com/advisory/ntap-20200120-0001/ (mitre, x_refsource_CONFIRM)
- support.apple.com/kb/HT210788 (mitre, x_refsource_CONFIRM)
News mentions
No linked articles in our index yet.