ppp decapsulator can be convinced to allocate a large amount of memory
Description
A heap buffer overallocation in tcpdump 4.9.3's PPP decapsulator allows denial of service via memory exhaustion.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
Vulnerability
The PPP decapsulator in tcpdump 4.9.3 contains a flaw where the function ppp_hdlc() allocates a buffer using the on-the-wire length (length) rather than the actual captured length (caplen). This can cause a very large allocation if a crafted packet advertises a large length value, potentially exhausting memory. The issue is fixed in commit 32027e199368dad9508965aae8cd8de5b6ab5231 on GitHub [4].
Exploitation
An attacker with the ability to inject or capture network traffic can send a specially crafted PPP packet with a large length field but truncated actual content. When tcpdump processes this packet, the ppp_hdlc() function allocates memory based on the inflated length, leading to a large allocation. No authentication or special privileges are required; the attacker only needs to send the malicious packet to a network segment monitored by a vulnerable tcpdump instance.
Impact
Successful exploitation results in denial of service due to memory exhaustion. The large allocation can cause tcpdump to crash or become unresponsive, potentially affecting network monitoring and troubleshooting. The vulnerability is limited to the specific memory allocation logic and does not allow for code execution or information disclosure.
Mitigation
Users should upgrade to a patched version of tcpdump containing commit 32027e199368dad9508965aae8cd8de5b6ab5231 [4]. Workarounds include disabling PPP capture or using packet filters to avoid processing untrusted PPP traffic. No other known mitigations are available.
AI Insight generated on May 26, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
Affected products
- osv-coords (8 versions, no CPE):
  - pkg:rpm/almalinux/tcpdump, range: < 14:4.9.3-2.el8
  - pkg:rpm/opensuse/tcpdump&distro=openSUSE%20Leap%2015.1, range: < 4.9.2-lp151.4.9.1
  - pkg:rpm/opensuse/tcpdump&distro=openSUSE%20Leap%2015.2, range: < 4.9.2-lp152.7.3.1
  - pkg:rpm/opensuse/tcpdump&distro=openSUSE%20Tumbleweed, range: < 4.99.1-1.2
  - pkg:rpm/suse/tcpdump&distro=SUSE%20Linux%20Enterprise%20Module%20for%20Basesystem%2015%20SP1, range: < 4.9.2-3.12.1
  - pkg:rpm/suse/tcpdump&distro=SUSE%20Linux%20Enterprise%20Module%20for%20Basesystem%2015%20SP2, range: < 4.9.2-3.12.1
  - pkg:rpm/suse/tcpdump&distro=SUSE%20Linux%20Enterprise%20Server%2012%20SP5, range: < 4.9.2-14.17.1
  - pkg:rpm/suse/tcpdump&distro=SUSE%20Linux%20Enterprise%20Server%20for%20SAP%20Applications%2012%20SP5, range: < 4.9.2-14.17.1
- The TCPdump Group/tcpdump (v5), range: 4.9.3
Patches (0)
No patches discovered yet.
Vulnerability mechanics
Root cause
"The ppp decapsulator incorrectly calculates the buffer size for un-escaping PPP packets."
Attack vector
An attacker can send a specially crafted PPP packet to the tcpdump utility. This packet, when processed by the ppp decapsulator, will cause an overly large buffer to be allocated. The vulnerability is triggered during the un-escaping process of RFC 1662 PPP in HDLC-like framing [ref_id=1].
Affected code
The vulnerability resides in the `ppp_hdlc` function within the ppp decapsulator. Specifically, the memory allocation for the un-escaped buffer was previously based on the `length` parameter, which could be larger than the actual captured data, leading to an oversized allocation [ref_id=1].
What the fix does
The patch modifies the `ppp_hdlc` function to allocate memory based on the captured length (`caplen`) rather than the on-the-wire length (`length`). This prevents the allocation of a potentially too-large buffer when un-escaping PPP packets, mitigating the risk of excessive memory consumption [ref_id=1].
Preconditions
- input: The target must receive a specially crafted PPP packet that triggers the incorrect buffer size calculation during the un-escaping process.
Generated on Jun 5, 2026. Inputs: CWE entries + fix-commit diffs from this CVE's patches. Citations validated against bundle.
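As an added illustration of the sizing change described above (this is example code written for this page, not code from tcpdump or from the fix commit), a simplified RFC 1662 un-escaper in C sizes its output buffer both ways the text contrasts and runs on a constructed 6-byte capture whose header claims roughly 2 GiB. Function and macro names are assumed, not tcpdump's.

```c
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>

/* RFC 1662: a 0x7d control-escape means the next octet was XORed with 0x20. */
#define PPP_ESCAPE 0x7d
#define PPP_XOR    0x20

/* Pre-fix sizing: trusts the advertised on-wire length, which the sender controls. */
size_t alloc_size_before_fix(size_t caplen, uint32_t length) {
    (void)caplen;
    return (size_t)length;
}

/* Post-fix sizing: un-escaping never grows data, so the captured byte count is
 * a tight upper bound on the output and is independent of the sender. */
size_t alloc_size_after_fix(size_t caplen, uint32_t length) {
    (void)length;
    return caplen;
}

/* Un-escape caplen captured bytes into out (capacity outcap); returns bytes
 * written. Reads never pass the captured data; a trailing lone escape is dropped. */
size_t ppp_unescape(const uint8_t *p, size_t caplen, uint8_t *out, size_t outcap) {
    size_t n = 0;
    for (size_t i = 0; i < caplen && n < outcap; i++) {
        uint8_t c = p[i];
        if (c == PPP_ESCAPE) {
            if (i + 1 >= caplen)
                break;                 /* truncated capture ends in an escape */
            c = p[++i] ^ PPP_XOR;
        }
        out[n++] = c;
    }
    return n;
}

int main(void) {
    /* Constructed capture: 6 bytes on disk, header claims ~2 GiB. 7d 21 -> 0x01, 7d 23 -> 0x03. */
    const uint8_t pkt[] = {0xff, 0x03, 0x7d, 0x21, 0x7d, 0x23};
    uint32_t claimed = 0x7fff0000u;
    printf("before fix: malloc(%zu)\n", alloc_size_before_fix(sizeof pkt, claimed));
    size_t need = alloc_size_after_fix(sizeof pkt, claimed);
    uint8_t *b = malloc(need);
    if (b == NULL) return 1;
    size_t n = ppp_unescape(pkt, sizeof pkt, b, need);
    printf("after fix: malloc(%zu), %zu bytes un-escaped\n", need, n);
    free(b);
    return 0;
}
```

The pre-fix size is whatever the packet header claims, so a short capture file can still drive a multi-gigabyte request; the post-fix size is bounded by the bytes actually present.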
References
1. lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/F2MX34MJIUJQGL6CMEPLTKFOOOC3CJ4Z/ (mitre; vendor-advisory; x_refsource_FEDORA)
2. lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/LWDBONZVLC6BAOR2KM376DJCM4H3FERV/ (mitre; vendor-advisory; x_refsource_FEDORA)
3. seclists.org/fulldisclosure/2021/Apr/51 (mitre; mailing-list; x_refsource_FULLDISC)
4. github.com/the-tcpdump-group/tcpdump/commit/32027e199368dad9508965aae8cd8de5b6ab5231 (mitre; x_refsource_MISC)
5. lists.debian.org/debian-lts-announce/2020/11/msg00018.html (mitre; mailing-list; x_refsource_MLIST)
6. support.apple.com/kb/HT212325 (mitre; x_refsource_CONFIRM)
7. support.apple.com/kb/HT212326 (mitre; x_refsource_CONFIRM)
8. support.apple.com/kb/HT212327 (mitre; x_refsource_CONFIRM)
News mentions (0)
No linked articles in our index yet.