CVE-2024-22654

7.5 HIGH

📋 TL;DR

CVE-2024-22654 is an infinite loop vulnerability in tcpreplay's tcprewrite function that can cause denial of service. Attackers can craft malicious packet capture files that trigger the infinite loop when processed by tcprewrite, potentially causing resource exhaustion. This affects systems running tcpreplay v4.4.4 for network testing or packet manipulation tasks.

💻 Affected Systems

Products:
  • tcpreplay
Versions: v4.4.4
Operating Systems: Linux, Unix-like systems, Windows
Default Config Vulnerable: ⚠️ Yes
Notes: Only vulnerable when processing malicious pcap files through tcprewrite functionality.

⚠️ Risk & Real-World Impact

🔴 Worst Case

Complete system resource exhaustion leading to denial of service, potentially requiring system reboot if tcprewrite consumes all CPU resources.

🟠 Likely Case

tcprewrite process hangs indefinitely consuming CPU cycles, requiring manual termination of the process.

🟢 If Mitigated

Process monitoring detects abnormal resource usage and terminates the hanging process automatically.

🌐 Internet-Facing: LOW - tcpreplay is typically used internally for network testing and analysis, not exposed to internet.
🏢 Internal Only: MEDIUM - Internal users or automated systems processing untrusted pcap files could trigger the vulnerability.

🎯 Exploit Status

Public PoC: ⚠️ Yes
Weaponized: LIKELY
Unauthenticated Exploit: ⚠️ Yes
Complexity: LOW

Proof of concept available in GitHub issues. Exploitation requires ability to feed malicious pcap file to tcprewrite.

🛠️ Fix & Mitigation

✅ Official Fix

Patch Version: v4.4.5

Vendor Advisory: https://github.com/appneta/tcpreplay/issues/827

Restart Required: No

Instructions:

1. Download tcpreplay v4.4.5 from official repository.
2. Uninstall current version.
3. Install v4.4.5 using package manager or from source.
4. Verify installation with 'tcpreplay --version'.

🔧 Temporary Workarounds

Input validation for pcap files

Platform: all

Validate pcap files before processing with tcprewrite using external tools

capinfos -c input.pcap
tcpdump -r input.pcap -c 1

Resource limiting

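Platform: linux

Run tcprewrite with CPU time limits to prevent indefinite resource consumption

# Wall-clock limit: terminate tcprewrite after 30 seconds
timeout 30 tcprewrite [options] input.pcap
# CPU-time limit: set it in a subshell before starting tcprewrite, so it applies to that run
(ulimit -t 30; tcprewrite [options] input.pcap)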

🧯 If You Can't Patch

  • Implement strict access controls on who can run tcprewrite and with what files
  • Monitor tcprewrite processes for abnormal CPU usage patterns and implement automated termination
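
The resource-limiting workaround and the automated-termination advice above, combined into one wrapper. This is an added example, not code from the tcpreplay project or the original advisory; the function names, the CPU_SECS/WALL_SECS variables and the quarantine directory are assumptions made for illustration.

```shell
# Added example: run tcprewrite (or any command) under CPU and wall-clock limits.

# run_limited CPU_SECS WALL_SECS CMD [ARGS...]
# The CPU limit is set in a subshell BEFORE the command starts, so it applies
# to the command and not to the calling shell. Returns the command's status.
run_limited() {
    rl_cpu=$1 rl_wall=$2
    shift 2
    (
        ulimit -t "$rl_cpu" || exit 125        # CPU-seconds cap, kernel-enforced
        exec timeout -k 2 "$rl_wall" "$@"       # wall-clock cap; KILL 2 s after TERM
    )
}

# classify_status STATUS: prints why the run ended.
classify_status() {
    case $1 in
        0)           echo ok ;;
        124)         echo wall-timeout ;;       # timeout(1) hit the wall-clock limit
        125|126|127) echo launch-error ;;       # limit or command could not be set up
        *)  if [ "$1" -gt 128 ]; then
                echo killed-by-signal           # e.g. SIGKILL/SIGXCPU from the CPU cap
            else
                echo tool-error                 # the command itself reported failure
            fi ;;
    esac
}

# guard_pcap QUARANTINE_DIR PCAP CMD [ARGS...]
# Runs CMD under the limits (default 30 s each, as in the workaround above).
# A pcap that trips a limit is moved to QUARANTINE_DIR so automated jobs do
# not retry it. Prints the verdict.
guard_pcap() {
    gp_qdir=$1 gp_pcap=$2
    shift 2
    gp_rc=0
    run_limited "${CPU_SECS:-30}" "${WALL_SECS:-30}" "$@" || gp_rc=$?
    gp_verdict=$(classify_status "$gp_rc")
    case $gp_verdict in
        wall-timeout|killed-by-signal)
            mkdir -p "$gp_qdir" && mv -- "$gp_pcap" "$gp_qdir"/ ;;
    esac
    echo "$gp_verdict"
}

# Usage, with the page's placeholder options:
#   guard_pcap ./quarantine input.pcap tcprewrite [options] input.pcap
```

A "tool-error" verdict leaves the file in place, since a non-zero exit from tcprewrite is an ordinary failure and not the hang described here.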

🔍 How to Verify

Check if Vulnerable:

Run 'tcpreplay --version' and check if output contains '4.4.4'

Check Version:

tcpreplay --version

Verify Fix Applied:

Run 'tcpreplay --version' and confirm version is 4.4.5 or higher

📡 Detection & Monitoring

Log Indicators:

  • tcprewrite processes running for abnormally long durations
  • High CPU usage by tcprewrite processes

Network Indicators:

  • N/A - local vulnerability

SIEM Query:

process_name="tcprewrite" AND cpu_usage>90% AND duration>300s
