NTP BUG 2948: Potential Infinite Loop in ntpq

Last update: April 22, 2024 18:49 UTC (7e7bd5857)


Resolved 4.2.8p6 19 Jan 2016
References Bug 2948 CVE-2015-8158
Affects All ntp-4 releases up to, but not including 4.2.8p6,
and 4.3.0 up to, but not including 4.3.90.
Resolved in 4.2.8p6
CVSS2 Score MED 4.3 AV:N/AC:M/Au:N/C:N/I:N/A:P
CVSS3 Score MED 5.3 CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N


ntpq processes incoming packets in a loop in getresponse(). The loop’s only stopping conditions are receiving a complete and correct response or hitting a small number of error conditions. If the packet contains incorrect values that don’t trigger one of the error conditions, the loop continues to receive new packets.

Note well, this is an attack against an instance of ntpq, not ntpd, and this attack requires the attacker to do one of the following:



This weakness was discovered by Jonathan Gardner of Cisco ASIG.