VYPR
Unrated severity · NVD Advisory · Published Oct 3, 2019 · Updated Dec 3, 2025

CVE-2019-15165

Description

A heap buffer overflow in libpcap before 1.9.1 via invalid PHB header length in pcapng files allows denial of service or potential code execution.

AI Insight

LLM-synthesized narrative grounded in this CVE's description and references.

Vulnerability

In sf-pcapng.c of libpcap versions before 1.9.1, the total length field of the Section Header Block (SHB) that opens a pcapng file is checked only against a minimum before it is used to size the reader's block buffer. The "PHB header length" in the CVE text is this field: pcapng defines no Packet Header Block type, and the fix commit cited in the vulnerability mechanics below changes the SHB check. A crafted file whose SHB carries an arbitrarily large length therefore drives an attacker-controlled memory allocation as soon as the file is opened.

Exploitation

An attacker needs only to get a crafted pcapng file opened by an affected libpcap, for example by sending it as an e-mail attachment, placing it on a shared drive, or uploading it to a service that parses captures. No authentication or live network access is involved: the vulnerable code is in the offline file reader (the pcap_open_offline family), so any tool that reads untrusted capture files through libpcap, such as tcpdump -r, is exposed. The bug triggers while the file header is parsed, before any packet is processed.

Impact

Successful exploitation corrupts or exhausts the heap of the process that opens the file. The dependable outcome is a crash or out-of-memory condition (denial of service); the CVE description also allows for arbitrary code execution depending on memory layout, although the fix-commit analysis below points to an oversized allocation as the immediate effect. In either case the impact is bounded by the privileges of the process reading the file; note that packet-capture tools are often run with elevated privileges.

Mitigation

The vulnerability is fixed in libpcap 1.9.1; upgrade to that version or later. To confirm the version actually in use, run tcpdump --version (it prints the libpcap version it is linked against) or call pcap_lib_version() from code, since a distribution's libpcap may carry a different version string than the upstream release. The Apple operating-system updates among the references are vendor releases; this advisory does not confirm which of them ship the fixed libpcap, so users relying on a system-provided libpcap should check their vendor's advisory. Until patched, treat capture files from untrusted sources as hostile input and avoid opening them with privileged tools.

AI Insight generated on May 25, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.

Affected products

49

Patches

0

No patches discovered yet.

Vulnerability mechanics

Root cause

"Missing upper-bound validation on the Section Header Block total length field before memory allocation in sf-pcapng.c."

Attack vector

An attacker crafts a pcapng file whose Section Header Block carries a total length far beyond any legitimate value (the fix treats anything above 1 MB as insane). When libpcap's `pcap_ng_check_header()` processes this file, the missing upper-bound validation lets the library size its block buffer from the attacker-controlled value, leading to denial of service via memory exhaustion or to heap corruption [ref_id=1]. The attack requires only that the victim open the crafted pcapng file with an affected version of libpcap.

Affected code

The vulnerability resides in `sf-pcapng.c`, in the `pcap_ng_check_header()` function, specifically in the sanity check applied to the Section Header Block (SHB) total length before the block buffer is allocated [ref_id=1]. The original check only verified that `total_length` was not too small to hold a block header, an SHB body and a block trailer; it imposed no upper bound, so an arbitrarily large value passed through.

What the fix does

The patch introduces a new constant `BT_SHB_INSANE_MAX` (defined as 1 MB) and adds an upper-bound check: if `total_length > BT_SHB_INSANE_MAX`, the function returns an error instead of proceeding with allocation [ref_id=1]. A follow-up commit corrects format-string warnings by using unsigned integer literals (`1024U*1024U*1U`) and the `%u` format specifier [ref_id=2]. Together these changes ensure that any SHB total length exceeding 1 MB is rejected before any memory is allocated, closing the resource-exhaustion vector.
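The following C program is an added illustration, not libpcap's own code: it reimplements the shape of the SHB header check described above, with a switch between the pre-1.9.1 behaviour (lower bound only) and the fixed behaviour (lower bound plus a 1 MB cap), and reports the buffer size the reader would request for each outcome. `BT_SHB`, `BYTE_ORDER_MAGIC` and `BT_SHB_INSANE_MAX` are the pcapng and fix-commit values; `SHB_MIN_LEN` (28) is computed from the 8-byte block header, 16-byte SHB body and 4-byte trailer; the 2 KiB default buffer mirrors libpcap's reader; the four 12-byte sample headers are constructed for this example and come from no real capture.

```c
#include <stdint.h>
#include <stdio.h>

/* pcapng constants (pcapng specification / libpcap pcap-ng headers). */
#define BT_SHB            0x0A0D0D0AU          /* Section Header Block type */
#define BYTE_ORDER_MAGIC  0x1A2B3C4DU
#define SHB_MIN_LEN       28U   /* 8-byte block header + 16-byte SHB body + 4-byte trailer */
#define BT_SHB_INSANE_MAX (1024U * 1024U * 1U) /* upper bound introduced by the fix */

enum shb_result {
    SHB_OK = 0,
    SHB_SHORT_INPUT,   /* fewer than 12 bytes available */
    SHB_NOT_PCAPNG,    /* wrong block type or byte-order magic */
    SHB_TOO_SMALL,     /* total_length below the minimum SHB size */
    SHB_TOO_LARGE      /* total_length above the cap (fixed check only) */
};

static uint32_t rd32le(const uint8_t *p)
{
    return (uint32_t)p[0] | ((uint32_t)p[1] << 8) |
           ((uint32_t)p[2] << 16) | ((uint32_t)p[3] << 24);
}

static uint32_t bswap32(uint32_t v)
{
    return (v >> 24) | ((v >> 8) & 0x0000FF00U) |
           ((v << 8) & 0x00FF0000U) | (v << 24);
}

/*
 * Illustrative reimplementation of the check in pcap_ng_check_header():
 * read block type, total_length and byte-order magic from the first 12 bytes,
 * fix up the endianness of total_length, then sanity-check it.
 * upper_bound == 0 models the pre-1.9.1 check (lower bound only);
 * upper_bound == BT_SHB_INSANE_MAX models the fixed check.
 * total_length_out may be NULL.
 */
enum shb_result check_shb(const uint8_t *buf, size_t len,
                          uint32_t upper_bound, uint32_t *total_length_out)
{
    if (len < 12)
        return SHB_SHORT_INPUT;

    uint32_t block_type   = rd32le(buf);       /* BT_SHB reads the same in either byte order */
    uint32_t total_length = rd32le(buf + 4);
    uint32_t bom          = rd32le(buf + 8);

    if (block_type != BT_SHB)
        return SHB_NOT_PCAPNG;
    if (bom == bswap32(BYTE_ORDER_MAGIC))
        total_length = bswap32(total_length);  /* big-endian section: swap the length */
    else if (bom != BYTE_ORDER_MAGIC)
        return SHB_NOT_PCAPNG;

    if (total_length < SHB_MIN_LEN)
        return SHB_TOO_SMALL;                  /* the only length check before 1.9.1 */
    if (upper_bound != 0 && total_length > upper_bound)
        return SHB_TOO_LARGE;                  /* the check added by the fix */

    if (total_length_out)
        *total_length_out = total_length;
    return SHB_OK;
}

/*
 * Buffer size the reader would request once the header is accepted: the larger
 * of the 2 KiB default and the SHB's total_length.  Returns 0 if the header is
 * rejected.  The size is returned, not malloc'ed, so the attacker-chosen value
 * is never actually allocated here.
 */
size_t accepted_bufsize(const uint8_t *buf, size_t len, uint32_t upper_bound)
{
    uint32_t tl = 0;
    if (check_shb(buf, len, upper_bound, &tl) != SHB_OK)
        return 0;
    return tl > 2048U ? (size_t)tl : 2048U;
}

/* Constructed 12-byte SHB prefixes (not from any real capture). */
const uint8_t SHB_GOOD[12]    = { 0x0A,0x0D,0x0D,0x0A, 28,0,0,0,            0x4D,0x3C,0x2B,0x1A };
const uint8_t SHB_TINY[12]    = { 0x0A,0x0D,0x0D,0x0A, 12,0,0,0,            0x4D,0x3C,0x2B,0x1A };
const uint8_t SHB_HUGE_LE[12] = { 0x0A,0x0D,0x0D,0x0A, 0xF0,0xFF,0xFF,0xFF, 0x4D,0x3C,0x2B,0x1A };
const uint8_t SHB_HUGE_BE[12] = { 0x0A,0x0D,0x0D,0x0A, 0xFF,0xFF,0xFF,0xF0, 0x1A,0x2B,0x3C,0x4D };

int main(void)
{
    const uint8_t *samples[] = { SHB_GOOD, SHB_TINY, SHB_HUGE_LE, SHB_HUGE_BE };
    const char *names[]      = { "good", "tiny", "huge-le", "huge-be" };
    for (size_t i = 0; i < 4; i++) {
        size_t old_sz = accepted_bufsize(samples[i], 12, 0);
        size_t new_sz = accepted_bufsize(samples[i], 12, BT_SHB_INSANE_MAX);
        printf("%-8s pre-1.9.1: %s", names[i], old_sz ? "accepted" : "rejected");
        if (old_sz)
            printf(" (would allocate %zu bytes)", old_sz);
        printf("; 1.9.1: %s\n", new_sz ? "accepted" : "rejected");
    }
    return 0;
}
```

The two "huge" samples show why the byte-order handling matters: the length is swapped according to the section's byte-order magic before it is checked, so the cap has to be applied to the decoded value, as the fix does, and not to the raw on-disk bytes. Running the program shows the pre-1.9.1 check accepting a header that asks for roughly 4 GB while the fixed check rejects it.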

Preconditions

  • Input: the victim must open a crafted pcapng file using an affected version of libpcap (before 1.9.1).
  • Input: the attacker must be able to supply a pcapng file whose Section Header Block total length field is set to an arbitrarily large value.

Generated on May 27, 2026. Inputs: CWE entries + fix-commit diffs from this CVE's patches. Citations validated against bundle.

References

20

News mentions

0

No linked articles in our index yet.