NULL pointer dereference in libpcap before 1.10.5 with remote packet capture support
Description
In libpcap with remote capture enabled, pcap_findalldevs_ex() dereferences NULL from opendir() when given an invalid path, causing a denial of service.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
Vulnerability
In libpcap versions built with remote packet capture support enabled (e.g., using --enable-remote), the function pcap_findalldevs_ex() does not check the return value of opendir(). When a user-supplied path cannot be opened as a directory, opendir() returns NULL, which is then passed directly to readdir(), leading to a NULL pointer dereference. This issue affects libpcap builds prior to commits [1] and [2].
Exploitation
An attacker with the ability to specify the filesystem path argument to pcap_findalldevs_ex() (e.g., through a crafted remote capture input) can trigger this vulnerability. No authentication is required if the attacker can control the source parameter. The attacker provides a path that does not exist or is not a directory, causing the NULL pointer dereference.
Impact
A successful NULL pointer dereference results in a crash, leading to a denial of service of the application using libpcap. There is no evidence of code execution or privilege escalation from this vulnerability.
Mitigation
The fix is implemented in commits 0f8a103 [1] and 8a633ee [2], which add a NULL check after opendir() and return an error. Users should update libpcap to a version containing these commits (e.g., libpcap 1.10.5 or later). If an update is not possible, disable remote packet capture support when building libpcap.
AI Insight generated on May 26, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
Affected products
osv-coords (20 versions):
- pkg:deb/ubuntu/libpcap (no CPE), range: >= 0
- pkg:rpm/opensuse/libpcap&distro=openSUSE%20Leap%2015.5 (no CPE), range: < 1.10.1-150400.3.3.2
- pkg:rpm/opensuse/libpcap&distro=openSUSE%20Leap%2015.6 (no CPE), range: < 1.10.4-150600.3.3.2
- pkg:rpm/opensuse/libpcap&distro=openSUSE%20Leap%20Micro%205.5 (no CPE), range: < 1.10.1-150400.3.3.2
- pkg:rpm/opensuse/libpcap&distro=openSUSE%20Tumbleweed (no CPE), range: < 1.10.5-1.1
- pkg:rpm/suse/libpcap&distro=SUSE%20Linux%20Enterprise%20Micro%205.1 (no CPE), range: < 1.9.1-150300.3.3.1
- pkg:rpm/suse/libpcap&distro=SUSE%20Linux%20Enterprise%20Micro%205.2 (no CPE), range: < 1.9.1-150300.3.3.1
- pkg:rpm/suse/libpcap&distro=SUSE%20Linux%20Enterprise%20Micro%205.3 (no CPE), range: < 1.10.1-150400.3.3.2
- pkg:rpm/suse/libpcap&distro=SUSE%20Linux%20Enterprise%20Micro%205.4 (no CPE), range: < 1.10.1-150400.3.3.2
- pkg:rpm/suse/libpcap&distro=SUSE%20Linux%20Enterprise%20Micro%205.5 (no CPE), range: < 1.10.1-150400.3.3.2
- pkg:rpm/suse/libpcap&distro=SUSE%20Linux%20Enterprise%20Module%20for%20Basesystem%2015%20SP5 (no CPE), range: < 1.10.1-150400.3.3.2
- pkg:rpm/suse/libpcap&distro=SUSE%20Linux%20Enterprise%20Module%20for%20Basesystem%2015%20SP6 (no CPE), range: < 1.10.4-150600.3.3.2
- pkg:rpm/suse/libpcap&distro=SUSE%20Linux%20Enterprise%20Module%20for%20Package%20Hub%2015%20SP5 (no CPE), range: < 1.10.1-150400.3.3.2
- pkg:rpm/suse/libpcap&distro=SUSE%20Linux%20Enterprise%20Module%20for%20Package%20Hub%2015%20SP6 (no CPE), range: < 1.10.4-150600.3.3.2
- pkg:rpm/suse/libpcap&distro=SUSE%20Linux%20Enterprise%20Server%2012%20SP5 (no CPE), range: < 1.8.1-10.6.1
- pkg:rpm/suse/libpcap&distro=SUSE%20Linux%20Enterprise%20Server%20for%20SAP%20Applications%2012%20SP5 (no CPE), range: < 1.8.1-10.6.1
- pkg:rpm/suse/libpcap&distro=SUSE%20Linux%20Enterprise%20Software%20Development%20Kit%2012%20SP5 (no CPE), range: < 1.8.1-10.6.1
- pkg:rpm/suse/libpcap&distro=SUSE%20Linux%20Enterprise%20Workstation%20Extension%2012%20SP5 (no CPE), range: < 1.8.1-10.6.1
- pkg:rpm/suse/libpcap&distro=SUSE%20Linux%20Micro%206.0 (no CPE), range: < 1.10.4-3.1
- pkg:rpm/suse/libpcap&distro=SUSE%20Linux%20Micro%206.1 (no CPE), range: < 1.10.4-slfo.1.1_2.1
- The Tcpdump Group/libpcap (v5), range: 1.9.x
Patches
No patches discovered yet.
Vulnerability mechanics
Root cause
"A NULL pointer dereference occurs in pcap_findalldevs_ex when the directory specified by the source argument cannot be opened."
Attack vector
An attacker can trigger this vulnerability by calling the `pcap_findalldevs_ex` function with a path that does not exist or is not a directory. This function is available when libpcap is built with remote packet capture support enabled. The function attempts to open the provided path as a directory. If `opendir()` fails and returns NULL, this NULL value is subsequently passed to `readdir()`, leading to a NULL pointer dereference.
Affected code
The vulnerability exists in the `pcap_findalldevs_ex` function within libpcap. Specifically, the issue arises from the handling of the return value of `opendir()` when attempting to open a directory specified by the `source` argument.
What the fix does
The patch adds a check for the return value of `opendir()`. If `opendir()` returns NULL, indicating that the specified path could not be opened as a directory, the function now returns an error instead of proceeding. This prevents the NULL pointer from being passed to `readdir()`, thus resolving the NULL pointer dereference vulnerability [1] [2].
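The checked-`opendir()` pattern described above, as an added example; this is not libpcap's code or the code from the fix commits. `count_dir_entries`, `ERRBUF_SIZE` and the sample paths are hypothetical names and constructed values chosen for illustration.

```c
#include <dirent.h>
#include <errno.h>
#include <stdio.h>
#include <string.h>

#define ERRBUF_SIZE 256 /* constructed size, not libpcap's own constant */

/* Hypothetical helper: count the entries of a caller-supplied directory.
 * Returns the count, or -1 with a message in errbuf (ERRBUF_SIZE bytes). */
int count_dir_entries(const char *path, char *errbuf)
{
    DIR *dir;
    struct dirent *ent;
    int count = 0;

    if (path == NULL || *path == '\0') {
        snprintf(errbuf, ERRBUF_SIZE, "empty directory path");
        return -1;
    }
    dir = opendir(path);
    if (dir == NULL) {
        /* Missing path or not a directory: report it, never call readdir(). */
        snprintf(errbuf, ERRBUF_SIZE, "cannot open directory %s: %s",
                 path, strerror(errno));
        return -1;
    }
    for (;;) {
        errno = 0; /* readdir() returns NULL at end of directory and on error */
        ent = readdir(dir);
        if (ent == NULL)
            break;
        if (strcmp(ent->d_name, ".") != 0 && strcmp(ent->d_name, "..") != 0)
            count++;
    }
    if (errno != 0) {
        snprintf(errbuf, ERRBUF_SIZE, "readdir failed: %s", strerror(errno));
        closedir(dir);
        return -1;
    }
    closedir(dir);
    return count;
}

int main(void)
{
    char errbuf[ERRBUF_SIZE];
    if (count_dir_entries("/no/such/dir-constructed", errbuf) < 0)
        printf("rejected: %s\n", errbuf);
    printf("/ has %d entries\n", count_dir_entries("/", errbuf));
    return 0;
}
```
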
Preconditions
- config: libpcap must be built with remote packet capture support enabled.
- input: The `pcap_findalldevs_ex` function must be called with a `source` argument that is a path which cannot be opened as a directory.
Generated on Jun 4, 2026. Inputs: CWE entries + fix-commit diffs from this CVE's patches. Citations validated against bundle.