CVE-2025-11961
Buffer Overflow in libpcap pcap_ether_aton() Function
Publication date: 2025-12-31
Last updated on: 2025-12-31
Assigner: Tcpdump Group
Affected Vendors & Products
| Vendor | Product | Version / Range |
|---|---|---|
| tcpdump | libpcap | * |
Exploitability
| CWE ID | Description |
|---|---|
| CWE-122 | A heap overflow condition is a buffer overflow, where the buffer that can be overwritten is allocated in the heap portion of memory, generally meaning that the buffer was allocated using a routine such as malloc(). |
| CWE-126 | The product reads from a buffer using buffer access mechanisms such as indexes or pointers that reference memory locations after the targeted buffer. |
AI Powered Q&A
Can you explain this vulnerability to me?
This vulnerability exists in the pcap_ether_aton() function of the libpcap library. The function expects a well-formed MAC-48 address string as input but does not properly validate this input. If given a malformed MAC address string, the function can read beyond the end of the input string and write beyond the end of the allocated buffer. This leads to out-of-bounds read and write issues, which can cause memory corruption or crashes. [1]
How can this vulnerability impact me?
The vulnerability can lead to memory corruption or application crashes if an attacker or malformed input triggers the out-of-bounds read and write in pcap_ether_aton(). This could potentially be exploited to disrupt the normal operation of software using libpcap, causing denial of service or instability. [1]
How can this vulnerability be detected on my network or system? Can you suggest some commands?
This vulnerability involves the pcap_ether_aton() function in libpcap being called with malformed MAC address strings, which can cause out-of-bounds memory access. Detection would involve monitoring or auditing applications that use libpcap's public API, especially those that parse MAC addresses from untrusted input. There are no specific commands provided to detect this vulnerability directly on a network or system. However, reviewing application logs for crashes or memory corruption related to libpcap usage might help identify exploitation attempts. [1]
What immediate steps should I take to mitigate this vulnerability?
To mitigate this vulnerability, update libpcap to the fixed version that includes the patch replacing the simple parsing loop with strict input validation for MAC address formats in pcap_ether_aton(). This update prevents out-of-bounds memory access by rejecting malformed inputs. Additionally, ensure that applications using libpcap handle errors properly and avoid passing malformed MAC address strings to the function. [1]
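The mitigation above advises against passing malformed MAC address strings to pcap_ether_aton(). As an added example (not code from libpcap or from this advisory), a caller can reject such strings before any library call. The helper names hexval and mac48_parse_strict are hypothetical, and the two accepted formats are a conservative assumption, not necessarily the set the patched libpcap accepts.

```c
#include <stdio.h>
#include <string.h>

/* Hypothetical helper, not part of libpcap: value of one hex digit, or -1. */
static int hexval(char c)
{
    if (c >= '0' && c <= '9') return c - '0';
    if (c >= 'a' && c <= 'f') return c - 'a' + 10;
    if (c >= 'A' && c <= 'F') return c - 'A' + 10;
    return -1;                      /* includes the terminating NUL */
}

/* Hypothetical helper: accept only "xx:xx:xx:xx:xx:xx" or "xx-xx-xx-xx-xx-xx".
 * Returns 0 and fills out[6] on success, -1 on malformed input.
 * Each byte is read only after the previous one was checked to be non-NUL,
 * so the scan never passes the end of the string. */
int mac48_parse_strict(const char *s, unsigned char out[6])
{
    unsigned char tmp[6];
    char sep = 0;
    int i, hi, lo;
    if (s == NULL || out == NULL)
        return -1;
    for (i = 0; i < 6; i++) {
        if ((hi = hexval(s[0])) < 0 || (lo = hexval(s[1])) < 0)
            return -1;
        tmp[i] = (unsigned char)((hi << 4) | lo);
        s += 2;
        if (i == 5) break;          /* no separator after the last octet */
        if (i == 0 && (*s == ':' || *s == '-'))
            sep = *s;               /* first separator fixes the style */
        if (sep == 0 || *s != sep)
            return -1;
        s++;
    }
    if (*s != '\0')                 /* reject trailing characters */
        return -1;
    memcpy(out, tmp, sizeof tmp);   /* output written only on full success */
    return 0;
}

int main(void)
{
    /* Constructed sample inputs. */
    const char *samples[] = { "00:1A:2b:3c:4D:5e", "00:1a:2b", "00:1a-2b:3c:4d:5e", "001a2b3c4d5e:" };
    unsigned char mac[6];
    for (size_t i = 0; i < sizeof samples / sizeof samples[0]; i++)
        printf("%-20s %s\n", samples[i], mac48_parse_strict(samples[i], mac) == 0 ? "accepted" : "rejected");
}
```

Because the helper already produces the six octets, untrusted strings that fail it never need to reach the library at all.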