{"id":"CVE-2016-6301","details":"The recv_and_process_client_pkt function in networking/ntpd.c in busybox allows remote attackers to cause a denial of service (CPU and bandwidth consumption) via a forged NTP packet, which triggers a communication loop.","modified":"2026-05-30T08:13:47.012980Z","published":"2016-12-09T20:59:01.827Z","related":["SUSE-SU-2022:0135-1","SUSE-SU-2022:0135-2","SUSE-SU-2022:3959-1","SUSE-SU-2022:4253-1","openSUSE-SU-2022:0135-1","openSUSE-SU-2024:11738-1"],"references":[{"type":"WEB","url":"http://packetstormsecurity.com/files/153278/WAGO-852-Industrial-Managed-Switch-Series-Code-Execution-Hardcoded-Credentials.html"},{"type":"WEB","url":"http://packetstormsecurity.com/files/154361/Cisco-Device-Hardcoded-Credentials-GNU-glibc-BusyBox.html"},{"type":"WEB","url":"http://seclists.org/fulldisclosure/2019/Jun/18"},{"type":"WEB","url":"http://seclists.org/fulldisclosure/2019/Sep/7"},{"type":"WEB","url":"http://seclists.org/fulldisclosure/2020/Aug/20"},{"type":"WEB","url":"http://seclists.org/fulldisclosure/2020/Mar/15"},{"type":"WEB","url":"https://seclists.org/bugtraq/2019/Jun/14"},{"type":"WEB","url":"https://seclists.org/bugtraq/2019/Sep/7"},{"type":"ADVISORY","url":"http://www.openwall.com/lists/oss-security/2016/08/03/7"},{"type":"ADVISORY","url":"http://www.securityfocus.com/bid/92277"},{"type":"ADVISORY","url":"https://security.gentoo.org/glsa/201701-05"},{"type":"REPORT","url":"https://bugzilla.redhat.com/show_bug.cgi?id=1363710"},{"type":"FIX","url":"https://git.busybox.net/busybox/commit/?id=150dc7a2b483b8338a3e185c478b4b23ee884e71"}],"affected":[{"ranges":[{"type":"GIT","repo":"https://github.com/mirror/busybox","events":[{"introduced":"0"},{"fixed":"868530ade244bf8162fb6a10816bd815b166d509"}],"database_specific":{"source":"CPE_RANGE","extracted_events":[{"introduced":"0"},{"fixed":"1.25.1"}],"cpe":"cpe:2.3:a:busybox:busybox:*:*:*:*:*:*:*:*"}}],"versions":["1_25_0","1_24_0","1_23_0","1_22_0","1_21_0","1_20_0","1_19_0","1_18_0","1_17_0","1_16_0","1_15_0","1_14_0","1_12_0","1_10_0","1_9_0","1_8_0","1_4_0","1_2_0","1_1_1","1_1_0","1_00","1_00_rc3","1_00_rc2","1_00_rc1","1_00_pre10","1_00_pre9","1_00_pre8","1_00_pre7","1_00_pre6","1_00_pre5","1_00_pre4","1_00_pre3","1_00_pre2","1_00_pre1","0_60_5","0_60_4","0_60_3","0_60_2","0_60_1","0_60_0","0_52","0_51","0_50","0_49","0_48","0_47","0_46","0_45","0_43","0_43pre1","0_42","0_41","0_40","0_39","0_36","0_34","0_33","0_32","0_29alpha2"],"database_specific":{"vanir_signatures":[{"digest":{"line_hashes":["289068526711631486020836605200734947009","124924615980559524095270459156890328135","170015737070996268683537732095443939132"],"threshold":0.9},"target":{"file":"networking/ntpd.c"},"id":"CVE-2016-6301-1ebfa31d","signature_type":"Line","source":"https://github.com/mirror/busybox/commit/868530ade244bf8162fb6a10816bd815b166d509","deprecated":false,"signature_version":"v1"},{"digest":{"line_hashes":["229317287604450481069049299070528991141","21661233931440258087698196482444495735","263806573430833419193173641857928059874","99226655706488931224594178590183791043","181462639601257625595331058980038192485","78878251994567324721150295320438510338"],"threshold":0.9},"target":{"file":"archival/gzip.c"},"id":"CVE-2016-6301-277e49b9","signature_type":"Line","source":"https://github.com/mirror/busybox/commit/868530ade244bf8162fb6a10816bd815b166d509","deprecated":false,"signature_version":"v1"},{"digest":{"length":1742,"function_hash":"255958948059279210461737779754669476092"},"target":{"file":"shell/hush.c","function":"set_local_var"},"id":"CVE-2016-6301-4c6e6389","signature_type":"Function","source":"https://github.com/mirror/busybox/commit/868530ade244bf8162fb6a10816bd815b166d509","deprecated":false,"signature_version":"v1"},{"digest":{"length":1448,"function_hash":"233785988665074776198798205660525860186"},"target":{"file":"networking/ntpd.c","function":"recv_and_process_client_pkt"},"id":"CVE-2016-6301-6b34b879","signature_type":"Function","source":"https://github.com/mirror/busybox/commit/868530ade244bf8162fb6a10816bd815b166d509","deprecated":false,"signature_version":"v1"},{"digest":{"line_hashes":["37228401378646173864773513521618445218","127488670504063214777133554856559058490","188877761282449497821726860155264483036","220365421207052372597911629028763008200","314285513242092124459343260644303257404","121749338318762189937543086151503202170","188399493099125059745665538620936003929","135642085419278251615951900580935593340"],"threshold":0.9},"target":{"file":"networking/libiproute/iproute.c"},"id":"CVE-2016-6301-7b68de37","signature_type":"Line","source":"https://github.com/mirror/busybox/commit/868530ade244bf8162fb6a10816bd815b166d509","deprecated":false,"signature_version":"v1"},{"digest":{"length":4766,"function_hash":"62814951875242205656915916217782167513"},"target":{"file":"networking/libiproute/iproute.c","function":"iproute_modify"},"id":"CVE-2016-6301-846d8da3","signature_type":"Function","source":"https://github.com/mirror/busybox/commit/868530ade244bf8162fb6a10816bd815b166d509","deprecated":false,"signature_version":"v1"},{"digest":{"length":1004,"function_hash":"229995983385876066972236638972545611427"},"target":{"file":"shell/hush.c","function":"generate_stream_from_string"},"id":"CVE-2016-6301-a09b602c","signature_type":"Function","source":"https://github.com/mirror/busybox/commit/868530ade244bf8162fb6a10816bd815b166d509","deprecated":false,"signature_version":"v1"},{"digest":{"length":707,"function_hash":"137808242283566523174528041727868800287"},"target":{"file":"shell/hush.c","function":"hush_exit"},"id":"CVE-2016-6301-b5a7bcc7","signature_type":"Function","source":"https://github.com/mirror/busybox/commit/868530ade244bf8162fb6a10816bd815b166d509","deprecated":false,"signature_version":"v1"},{"digest":{"line_hashes":["289233686429895551980264682807573568043","260747535327780494658181346412046547959","264830186355382678836425075511233898542","174220642161719521118229258182255911375","25013527889179557617911987271926292808","91021305867050663968634156986380729377","219569144981102792175316080455386250114","222269643061653922047868897101200209525","169281621661144650871170588969120054385","65509087153179865865025920126186624131","189556188107976738739017931977979420946","217739584326025663303328532186420919343","68091601189791101911558271893662409174","74454161503018736097989868662068888594","32530484746973068024373402061590536572","62860121900094946831371480871443373622","303367037278433954051541700344408429469","44924344413252677808372384490086611619","96825640229248022427039888473267462023","110745587021882517161210574003216324038","181060993508474596637463249919735238190","230765979592486211427006021742513457019","67210782048722636372191211461472706263","190286669528182331155881171095310595241","212837097183657197301841064811174537776","72985557861067785338308930469909194101","66294717213006830384175140677215003295","327194039047635931301867834450784697201","246279838072795558349857897811831115019","10366607084128119615436876543537902182","190072517789313751624593298262860766145","1740216008964564192200635576626933326","183851116324247299593222637098576000348","273115760089660716353702855964793292677","215152975492085634757139314797951929384","197345389840557751735526183900263385162","243403124859598323273994113482992668336","218147969022311806829371330258251275946","254560044587524949157322931323454863056","191490826384419778263681247705993077315","173089952959548436945207041999193975332","220902990060873005431305356948395917382","336161610283713467865174111734035306494","148387948124982145440251275169870411467","110725385018463309085295643192806456152","305099197707021775159748414368001887202","315679134085323810030278040572368459521","163490263891338970976759902413125807023","267868390585593816517915983992887850017","167054567449978660961144991688029521400","143075953980836132187091376944892218985","126566415933780870369448296898454821100","174370986137734819050499445115907714021","284833907020741940236491962938479547969","10810298911297481466305567251091839417","326239910257280447326162210942066034748","180176142587415679483175392063094934553","255078364757905843915217866357388186151","97708545207145515051007760962706979564","245839129125429557658932875369724208025","137160183131600224605002391962100022967","291518024252503956035238946488202815770","278018068163247942322645804514823755278","35829463753435283673668969900309464812","42893242414153271056062595071741552789"],"threshold":0.9},"target":{"file":"shell/hush.c"},"id":"CVE-2016-6301-eebca5ab","signature_type":"Line","source":"https://github.com/mirror/busybox/commit/868530ade244bf8162fb6a10816bd815b166d509","deprecated":false,"signature_version":"v1"},{"digest":{"length":6288,"function_hash":"297005044038354552344053794471827127506"},"target":{"file":"shell/hush.c","function":"hush_main"},"id":"CVE-2016-6301-f9a01706","signature_type":"Function","source":"https://github.com/mirror/busybox/commit/868530ade244bf8162fb6a10816bd815b166d509","deprecated":false,"signature_version":"v1"}],"source":"https://storage.googleapis.com/osv-test-cve-osv-conversion/osv-output/CVE-2016-6301.json","vanir_signatures_modified":"2026-05-30T08:13:47Z"}}],"schema_version":"1.7.5","severity":[{"type":"CVSS_V3","score":"CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H"}]}