CVE-2018-16300
Description
A stack consumption vulnerability in tcpdump's BGP parser before 4.9.3 allows denial of service via crafted BGP packets.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
Vulnerability
The BGP parser in tcpdump before version 4.9.3 contains a vulnerability in print-bgp.c within the bgp_attr_print() function. This flaw allows unlimited recursion, leading to stack consumption when processing specially crafted BGP packets.
Exploitation
An unauthenticated attacker with network access can send a malicious BGP packet to a system running a vulnerable tcpdump version. The packet triggers unbounded recursion in the parser, causing the stack to grow uncontrollably.
Impact
Successful exploitation results in a denial of service (DoS) condition, as the stack exhaustion causes tcpdump to crash. No code execution is indicated.
Mitigation
Upgrade to tcpdump version 4.9.3 or later. For Debian systems, fixed versions are 4.9.3-1~deb9u1 (stretch) and 4.9.3-1~deb10u1 (buster) [4]. No workarounds are documented.
AI Insight generated on May 25, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
Affected products (11)
- tcpdump/tcpdump (description)
- osv-coords (9 versions):
  - pkg:rpm/opensuse/tcpdump&distro=openSUSE%20Leap%2015.0 (no CPE), range: < 4.9.2-lp150.10.1
  - pkg:rpm/opensuse/tcpdump&distro=openSUSE%20Leap%2015.1 (no CPE), range: < 4.9.2-lp151.4.6.1
  - pkg:rpm/opensuse/tcpdump&distro=openSUSE%20Tumbleweed (no CPE), range: < 4.99.1-1.2
  - pkg:rpm/suse/tcpdump&distro=SUSE%20Linux%20Enterprise%20Module%20for%20Basesystem%2015 (no CPE), range: < 4.9.2-3.9.1
  - pkg:rpm/suse/tcpdump&distro=SUSE%20Linux%20Enterprise%20Module%20for%20Basesystem%2015%20SP1 (no CPE), range: < 4.9.2-3.9.1
  - pkg:rpm/suse/tcpdump&distro=SUSE%20Linux%20Enterprise%20Point%20of%20Sale%2011%20SP3 (no CPE), range: < 3.9.8-1.30.13.1
  - pkg:rpm/suse/tcpdump&distro=SUSE%20Linux%20Enterprise%20Server%2011%20SP4-LTSS (no CPE), range: < 3.9.8-1.30.13.1
  - pkg:rpm/suse/tcpdump&distro=SUSE%20Linux%20Enterprise%20Server%2012%20SP5 (no CPE), range: < 4.9.2-14.17.1
  - pkg:rpm/suse/tcpdump&distro=SUSE%20Linux%20Enterprise%20Server%20for%20SAP%20Applications%2012%20SP5 (no CPE), range: < 4.9.2-14.17.1
Patches (0)
No patches discovered yet.
Vulnerability mechanics
Root cause
"Unbounded recursion in bgp_attr_print() when processing nested ATTR_SET attributes allows stack exhaustion."
Attack vector
An attacker crafts a BGP UPDATE message containing deeply nested ATTR_SET attributes. When tcpdump parses this message, `bgp_attr_print()` recurses into each nested ATTR_SET without bound, consuming the call stack until exhaustion and causing a crash [ref_id=1]. The attacker only needs to send a single malicious BGP packet to trigger the vulnerability.
Affected code
The vulnerability is in `print-bgp.c` in the function `bgp_attr_print()`. The function recursively processes ATTR_SET attributes without any depth limit, leading to stack exhaustion [ref_id=1].
What the fix does
The patch adds an `attr_set_level` parameter to `bgp_attr_print()` that tracks the current nesting depth of ATTR_SET attributes [ref_id=1]. When the depth reaches 10, the function prints a warning and stops recursing instead of continuing indefinitely [ref_id=1]. The initial call site in `bgp_update_print()` passes 0 as the starting level [ref_id=1]. This prevents stack exhaustion by enforcing a hard limit on recursion depth.
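The depth-limit pattern described above, as an added sketch that is not tcpdump's code or the patch itself. The record layout, `T_CONTAINER`, `walk_attrs()` and `run_depth()` are hypothetical; only the level argument starting at 0 and the limit of 10 are taken from the description.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

#define T_CONTAINER 0x80 /* hypothetical type whose value holds nested attributes */
#define MAX_LEVEL   10   /* nesting limit; 10 is the value the fix description cites */

struct result { unsigned leaves, max_level; int capped, status; };

/* Walk (type, 1-byte length, value) records. Returns 0, or -1 on truncated input.
 * level is this call's nesting depth; the outermost caller passes 0. */
static int walk_attrs(const uint8_t *p, size_t len, unsigned level, struct result *r)
{
    if (level > r->max_level) r->max_level = level;
    while (len > 0) {
        if (len < 2 || p[1] > len - 2) return -1;   /* header or value truncated */
        size_t vlen = p[1];
        if (p[0] != T_CONTAINER)
            r->leaves++;                            /* ordinary attribute */
        else if (level == MAX_LEVEL)
            r->capped = 1;                          /* too deep: note it, skip, do not recurse */
        else if (walk_attrs(p + 2, vlen, level + 1, r) != 0)
            return -1;
        p += 2 + vlen;
        len -= 2 + vlen;
    }
    return 0;
}

/* Constructed input: `depth` containers (at most 100) wrapped around one leaf. */
static struct result run_depth(unsigned depth)
{
    uint8_t buf[256];
    struct result r = {0, 0, 0, -1};
    size_t total = 3 + 2 * (size_t)depth, off = 0;
    if (depth > 100) return r;                      /* outer length must fit in one byte */
    for (; off < 2 * (size_t)depth; off += 2) {
        buf[off] = T_CONTAINER;
        buf[off + 1] = (uint8_t)(total - off - 2);  /* everything after this header */
    }
    buf[off] = 0x01; buf[off + 1] = 1; buf[off + 2] = 0xAA;
    r.status = walk_attrs(buf, total, 0, &r);
    return r;
}

int main(void)
{
    struct result r = run_depth(50);
    printf("status=%d leaves=%u max_level=%u capped=%d\n", r.status, r.leaves, r.max_level, r.capped);
    return 0;
}
```

With the limit in place, stack use is bounded by `MAX_LEVEL` frames regardless of how deeply the input nests; the inner leaf of an over-nested input is never reached, and `capped` records that output was cut short.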
Preconditions
- network: Attacker must be able to send a crafted BGP UPDATE packet to a target that uses tcpdump to capture or analyze BGP traffic
- config: Target must be running tcpdump version prior to 4.9.3
Generated on May 27, 2026. Inputs: CWE entries + fix-commit diffs from this CVE's patches. Citations validated against bundle.
References (16)
- lists.opensuse.org/opensuse-security-announce/2019-10/msg00050.html (mitre, vendor-advisory, x_refsource_SUSE)
- lists.opensuse.org/opensuse-security-announce/2019-10/msg00053.html (mitre, vendor-advisory, x_refsource_SUSE)
- lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/62XY42U6HY3H2APR5EHNWCZ7SAQNMMJN/ (mitre, vendor-advisory, x_refsource_FEDORA)
- lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/FNYXF3IY2X65IOD422SA6EQUULSGW7FN/ (mitre, vendor-advisory, x_refsource_FEDORA)
- lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/R2UDPOSGVJQIYC33SQBXMDXHH4QDSDMU/ (mitre, vendor-advisory, x_refsource_FEDORA)
- usn.ubuntu.com/4252-1/ (mitre, vendor-advisory, x_refsource_UBUNTU)
- usn.ubuntu.com/4252-2/ (mitre, vendor-advisory, x_refsource_UBUNTU)
- www.debian.org/security/2019/dsa-4547 (mitre, vendor-advisory, x_refsource_DEBIAN)
- seclists.org/fulldisclosure/2019/Dec/26 (mitre, mailing-list, x_refsource_FULLDISC)
- github.com/the-tcpdump-group/tcpdump/blob/tcpdump-4.9/CHANGES (mitre, x_refsource_MISC)
- github.com/the-tcpdump-group/tcpdump/commit/af2cf04a9394c1a56227c2289ae8da262828294a (mitre, x_refsource_CONFIRM)
- lists.debian.org/debian-lts-announce/2019/10/msg00015.html (mitre, mailing-list, x_refsource_MLIST)
- seclists.org/bugtraq/2019/Dec/23 (mitre, mailing-list, x_refsource_BUGTRAQ)
- seclists.org/bugtraq/2019/Oct/28 (mitre, mailing-list, x_refsource_BUGTRAQ)
- security.netapp.com/advisory/ntap-20200120-0001/ (mitre, x_refsource_CONFIRM)
- support.apple.com/kb/HT210788 (mitre, x_refsource_CONFIRM)
News mentions (0)
No linked articles in our index yet.