CVE-1999-0764 in NetBSD
Summary
by MITRE
NetBSD allows ARP packets to overwrite static ARP entries.
If you want to get best quality of vulnerability data, you may have to visit VulDB.
Analysis
by VulDB Data Team • 04/19/2026
The vulnerability described in CVE-1999-0764 represents a significant flaw in the NetBSD operating system's implementation of the Address Resolution Protocol. This issue stems from the kernel's insufficient validation mechanisms when processing incoming ARP packets, allowing malicious or malformed packets to potentially overwrite existing static ARP entries that administrators have explicitly configured for security purposes. The vulnerability specifically affects the network stack's handling of Address Resolution Protocol messages, which are fundamental to IP network communication and the mapping of network addresses to physical MAC addresses.
The technical flaw manifests when the NetBSD kernel processes ARP packets without proper verification of the packet source or content integrity. Static ARP entries are typically configured by system administrators to maintain fixed mappings between IP addresses and MAC addresses for critical network components, such as routers, servers, or other network infrastructure. When an attacker can craft and inject ARP packets that match the IP address of a static entry, the kernel's insufficient validation logic allows these packets to overwrite the static mapping with potentially malicious or incorrect MAC address information. This behavior violates the expected security model where static entries should remain immutable and serve as trusted network mappings.
The operational impact of this vulnerability extends beyond simple network disruption to potentially enable sophisticated attacks such as man-in-the-middle scenarios, network traffic interception, or unauthorized access to network resources. An attacker who can successfully overwrite static ARP entries can redirect network traffic through malicious hosts, effectively compromising network security and potentially allowing for data exfiltration or system compromise. The vulnerability is particularly concerning because it undermines the security assumptions that administrators rely upon when configuring static ARP entries for critical network components, making it easier for attackers to establish persistent network positions within the infrastructure.
This vulnerability aligns with CWE-225, which addresses the weakness of insufficient input validation, and relates to broader network security concerns documented in the ATT&CK framework under the Network Sniffing and Protocol Analysis techniques. The flaw demonstrates the importance of proper input validation and the principle of least privilege in network protocol implementations, where the kernel should not allow external packets to modify critical system configurations without proper authentication and validation. Organizations should implement immediate mitigations including network segmentation, ARP monitoring, and the use of static ARP entries combined with proper network access controls to prevent unauthorized ARP packet injection. Additionally, regular network audits should verify the integrity of ARP tables and implement monitoring systems to detect anomalous ARP activity that could indicate exploitation attempts.