{"id":"CVE-2016-6301","details":"The recv_and_process_client_pkt function in networking/ntpd.c in busybox allows remote attackers to cause a denial of service (CPU and bandwidth consumption) via a forged NTP packet, which triggers a communication loop.","modified":"2026-04-16T06:15:09.672397362Z","published":"2016-12-09T20:59:01.827Z","related":["SUSE-SU-2022:0135-1","SUSE-SU-2022:0135-2","SUSE-SU-2022:3959-1","SUSE-SU-2022:4253-1","openSUSE-SU-2022:0135-1","openSUSE-SU-2024:11738-1"],"references":[{"type":"WEB","url":"http://packetstormsecurity.com/files/154361/Cisco-Device-Hardcoded-Credentials-GNU-glibc-BusyBox.html"},{"type":"WEB","url":"http://seclists.org/fulldisclosure/2019/Sep/7"},{"type":"WEB","url":"http://packetstormsecurity.com/files/153278/WAGO-852-Industrial-Managed-Switch-Series-Code-Execution-Hardcoded-Credentials.html"},{"type":"WEB","url":"http://seclists.org/fulldisclosure/2019/Jun/18"},{"type":"WEB","url":"http://seclists.org/fulldisclosure/2020/Aug/20"},{"type":"WEB","url":"http://seclists.org/fulldisclosure/2020/Mar/15"},{"type":"WEB","url":"https://seclists.org/bugtraq/2019/Jun/14"},{"type":"WEB","url":"https://seclists.org/bugtraq/2019/Sep/7"},{"type":"ADVISORY","url":"http://www.openwall.com/lists/oss-security/2016/08/03/7"},{"type":"ADVISORY","url":"https://security.gentoo.org/glsa/201701-05"},{"type":"ADVISORY","url":"http://www.securityfocus.com/bid/92277"},{"type":"REPORT","url":"https://bugzilla.redhat.com/show_bug.cgi?id=1363710"},{"type":"FIX","url":"https://git.busybox.net/busybox/commit/?id=150dc7a2b483b8338a3e185c478b4b23ee884e71"}],"affected":[{"ranges":[{"type":"GIT","repo":"https://github.com/mirror/busybox","events":[{"introduced":"0"},{"fixed":"868530ade244bf8162fb6a10816bd815b166d509"}],"database_specific":{"versions":[{"introduced":"0"},{"fixed":"1.25.1"}]}}],"versions":["0_29alpha2","0_32","0_33","0_34","0_36","0_39","0_40","0_41","0_42","0_43","0_43pre1","0_45","0_46","0_47","0_48","0_49","0_50","0_51","0_52","0_60_0","0_60_1","0_60_2","0_60_3","0_60_4","0_60_5","1_00","1_00_pre1","1_00_pre10","1_00_pre2","1_00_pre3","1_00_pre4","1_00_pre5","1_00_pre6","1_00_pre7","1_00_pre8","1_00_pre9","1_00_rc1","1_00_rc2","1_00_rc3","1_10_0","1_12_0","1_14_0","1_15_0","1_16_0","1_17_0","1_18_0","1_19_0","1_1_0","1_1_1","1_20_0","1_21_0","1_22_0","1_23_0","1_24_0","1_25_0","1_2_0","1_4_0","1_8_0","1_9_0"],"database_specific":{"vanir_signatures_modified":"2026-04-11T04:02:27Z","vanir_signatures":[{"signature_type":"Line","id":"CVE-2016-6301-1ebfa31d","signature_version":"v1","deprecated":false,"target":{"file":"networking/ntpd.c"},"digest":{"line_hashes":["289068526711631486020836605200734947009","124924615980559524095270459156890328135","170015737070996268683537732095443939132"],"threshold":0.9},"source":"https://github.com/mirror/busybox/commit/868530ade244bf8162fb6a10816bd815b166d509"},{"signature_version":"v1","id":"CVE-2016-6301-277e49b9","signature_type":"Line","deprecated":false,"target":{"file":"archival/gzip.c"},"digest":{"line_hashes":["229317287604450481069049299070528991141","21661233931440258087698196482444495735","263806573430833419193173641857928059874","99226655706488931224594178590183791043","181462639601257625595331058980038192485","78878251994567324721150295320438510338"],"threshold":0.9},"source":"https://github.com/mirror/busybox/commit/868530ade244bf8162fb6a10816bd815b166d509"},{"signature_type":"Function","id":"CVE-2016-6301-4c6e6389","signature_version":"v1","deprecated":false,"target":{"function":"set_local_var","file":"shell/hush.c"},"digest":{"function_hash":"255958948059279210461737779754669476092","length":1742},"source":"https://github.com/mirror/busybox/commit/868530ade244bf8162fb6a10816bd815b166d509"},{"signature_type":"Function","id":"CVE-2016-6301-6b34b879","signature_version":"v1","deprecated":false,"target":{"function":"recv_and_process_client_pkt","file":"networking/ntpd.c"},"digest":{"function_hash":"233785988665074776198798205660525860186","length":1448},"source":"https://github.com/mirror/busybox/commit/868530ade244bf8162fb6a10816bd815b166d509"},{"signature_type":"Line","id":"CVE-2016-6301-7b68de37","signature_version":"v1","deprecated":false,"target":{"file":"networking/libiproute/iproute.c"},"digest":{"line_hashes":["37228401378646173864773513521618445218","127488670504063214777133554856559058490","188877761282449497821726860155264483036","220365421207052372597911629028763008200","314285513242092124459343260644303257404","121749338318762189937543086151503202170","188399493099125059745665538620936003929","135642085419278251615951900580935593340"],"threshold":0.9},"source":"https://github.com/mirror/busybox/commit/868530ade244bf8162fb6a10816bd815b166d509"},{"signature_type":"Function","id":"CVE-2016-6301-846d8da3","signature_version":"v1","deprecated":false,"target":{"function":"iproute_modify","file":"networking/libiproute/iproute.c"},"digest":{"function_hash":"62814951875242205656915916217782167513","length":4766},"source":"https://github.com/mirror/busybox/commit/868530ade244bf8162fb6a10816bd815b166d509"},{"signature_type":"Function","id":"CVE-2016-6301-a09b602c","signature_version":"v1","deprecated":false,"target":{"function":"generate_stream_from_string","file":"shell/hush.c"},"digest":{"function_hash":"229995983385876066972236638972545611427","length":1004},"source":"https://github.com/mirror/busybox/commit/868530ade244bf8162fb6a10816bd815b166d509"},{"signature_type":"Function","id":"CVE-2016-6301-b5a7bcc7","signature_version":"v1","deprecated":false,"target":{"function":"hush_exit","file":"shell/hush.c"},"digest":{"function_hash":"137808242283566523174528041727868800287","length":707},"source":"https://github.com/mirror/busybox/commit/868530ade244bf8162fb6a10816bd815b166d509"},{"signature_version":"v1","id":"CVE-2016-6301-eebca5ab","signature_type":"Line","deprecated":false,"target":{"file":"shell/hush.c"},"digest":{"line_hashes":["289233686429895551980264682807573568043","260747535327780494658181346412046547959","264830186355382678836425075511233898542","174220642161719521118229258182255911375","25013527889179557617911987271926292808","91021305867050663968634156986380729377","219569144981102792175316080455386250114","222269643061653922047868897101200209525","169281621661144650871170588969120054385","65509087153179865865025920126186624131","189556188107976738739017931977979420946","217739584326025663303328532186420919343","68091601189791101911558271893662409174","74454161503018736097989868662068888594","32530484746973068024373402061590536572","62860121900094946831371480871443373622","303367037278433954051541700344408429469","44924344413252677808372384490086611619","96825640229248022427039888473267462023","110745587021882517161210574003216324038","181060993508474596637463249919735238190","230765979592486211427006021742513457019","67210782048722636372191211461472706263","190286669528182331155881171095310595241","212837097183657197301841064811174537776","72985557861067785338308930469909194101","66294717213006830384175140677215003295","327194039047635931301867834450784697201","246279838072795558349857897811831115019","10366607084128119615436876543537902182","190072517789313751624593298262860766145","1740216008964564192200635576626933326","183851116324247299593222637098576000348","273115760089660716353702855964793292677","215152975492085634757139314797951929384","197345389840557751735526183900263385162","243403124859598323273994113482992668336","218147969022311806829371330258251275946","254560044587524949157322931323454863056","191490826384419778263681247705993077315","173089952959548436945207041999193975332","220902990060873005431305356948395917382","336161610283713467865174111734035306494","148387948124982145440251275169870411467","110725385018463309085295643192806456152","305099197707021775159748414368001887202","315679134085323810030278040572368459521","163490263891338970976759902413125807023","267868390585593816517915983992887850017","167054567449978660961144991688029521400","143075953980836132187091376944892218985","126566415933780870369448296898454821100","174370986137734819050499445115907714021","284833907020741940236491962938479547969","10810298911297481466305567251091839417","326239910257280447326162210942066034748","180176142587415679483175392063094934553","255078364757905843915217866357388186151","97708545207145515051007760962706979564","245839129125429557658932875369724208025","137160183131600224605002391962100022967","291518024252503956035238946488202815770","278018068163247942322645804514823755278","35829463753435283673668969900309464812","42893242414153271056062595071741552789"],"threshold":0.9},"source":"https://github.com/mirror/busybox/commit/868530ade244bf8162fb6a10816bd815b166d509"},{"signature_type":"Function","id":"CVE-2016-6301-f9a01706","signature_version":"v1","deprecated":false,"target":{"function":"hush_main","file":"shell/hush.c"},"digest":{"function_hash":"297005044038354552344053794471827127506","length":6288},"source":"https://github.com/mirror/busybox/commit/868530ade244bf8162fb6a10816bd815b166d509"}],"source":"https://storage.googleapis.com/cve-osv-conversion/osv-output/CVE-2016-6301.json"}}],"schema_version":"1.7.5","severity":[{"type":"CVSS_V3","score":"CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H"}]}