CVE-2025-11961
Unknown Unknown - Not Provided
Buffer Overflow in libpcap pcap_ether_aton() Function

Publication date: 2025-12-31

Last updated on: 2025-12-31

Assigner: Tcpdump Group

Description
pcap_ether_aton() is an auxiliary function in libpcap, it takes a string argument and returns a fixed-size allocated buffer. The string argument must be a well-formed MAC-48 address in one of the supported formats, but this requirement has been poorly documented. If an application calls the function with an argument that deviates from the expected format, the function can read data beyond the end of the provided string and write data beyond the end of the allocated buffer.
CVSS Scores
EPSS Scores
Probability:
Percentile:
Meta Information
Published
2025-12-31
Last Modified
2025-12-31
Generated
2026-06-16
AI Q&A
2025-12-31
EPSS Evaluated
2026-06-14
NVD
CVE-2025-11961
Affected Vendors & Products
Showing 1 associated CPE
Vendor Product Version / Range
tcpdump libpcap *
Helpful Resources
Exploitability
CWE
CWE Icon
KEV
KEV Icon
CWE ID Description
CWE-122 A heap overflow condition is a buffer overflow, where the buffer that can be overwritten is allocated in the heap portion of memory, generally meaning that the buffer was allocated using a routine such as malloc().
CWE-126 The product reads from a buffer using buffer access mechanisms such as indexes or pointers that reference memory locations after the targeted buffer.
Attack-Flow Graph
AI Quick Actions
Instant insights powered by AI
Executive Summary

This vulnerability exists in the pcap_ether_aton() function of the libpcap library. The function expects a well-formed MAC-48 address string as input but does not properly validate this input. If given a malformed MAC address string, the function can read beyond the end of the input string and write beyond the end of the allocated buffer. This leads to out-of-bounds read and write issues, which can cause memory corruption or crashes. [1]

Impact Analysis

The vulnerability can lead to memory corruption or application crashes if an attacker or malformed input triggers the out-of-bounds read and write in pcap_ether_aton(). This could potentially be exploited to disrupt the normal operation of software using libpcap, causing denial of service or instability. [1]

Detection Guidance

This vulnerability involves the pcap_ether_aton() function in libpcap being called with malformed MAC address strings, which can cause out-of-bounds memory access. Detection would involve monitoring or auditing applications that use libpcap's public API, especially those that parse MAC addresses from untrusted input. There are no specific commands provided to detect this vulnerability directly on a network or system. However, reviewing application logs for crashes or memory corruption related to libpcap usage might help identify exploitation attempts. [1]

Mitigation Strategies

To mitigate this vulnerability, update libpcap to the fixed version that includes the patch replacing the simple parsing loop with strict input validation for MAC address formats in pcap_ether_aton(). This update prevents out-of-bounds memory access by rejecting malformed inputs. Additionally, ensure that applications using libpcap handle errors properly and avoid passing malformed MAC address strings to the function. [1]

Chat Assistant
Ask questions about this CVE
Hi! I’m here to help you understand CVE-2025-11961. Ask me anything about the vulnerability, its impact, or mitigation strategies.
0/70
EPSS Chart