VYPR
← All advisories
Unrated severityNVD Advisory· Published Jul 21, 1997· Updated Apr 16, 2026

CVE-1999-0122

CVE-1999-0122

Description

A buffer overflow vulnerability in AIX's lchangelv utility allows attackers with specific group privileges to gain root access.

AI Insight

LLM-synthesized narrative grounded in this CVE's description and references.

A buffer overflow vulnerability in AIX's lchangelv utility allows attackers with specific group privileges to gain root access.

Vulnerability

A buffer overflow exists in the lchangelv utility on certain versions of IBM AIX. This vulnerability is reachable when the lchangelv command is executed. The exact affected versions are not specified in the provided references, but the exploit code targets AIX 4.2 [1].

Exploitation

An attacker must possess the Group ID (GID) or Effective Group ID (EGID) of the 'system' group to execute the lchangelv command. The attacker can then trigger the buffer overflow by providing overly long input to the utility, leading to the execution of arbitrary code [1].

Impact

Successful exploitation of this vulnerability grants the attacker root privileges on the affected system. This is because lchangelv is a SUID root executable, meaning it runs with the privileges of the root user [1].

Mitigation

No specific patched version or release date is mentioned in the available references. Users are advised to consult IBM's security advisories for the latest information on mitigation or workarounds. It is not indicated if this vulnerability is listed on the KEV catalog or if the product is End-of-Life [1].

References
  1. IBM AIX 4.2 - '/usr/sbin/lchangelv' Local Buffer Overflow

AI Insight generated on Jun 1, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.

Affected products

8
  • IBM/Aix8 versions
    cpe:2.3:o:ibm:aix:4.1:*:*:*:*:*:*:*+ 7 more
    • cpe:2.3:o:ibm:aix:4.1:*:*:*:*:*:*:*
    • cpe:2.3:o:ibm:aix:4.1.1:*:*:*:*:*:*:*
    • cpe:2.3:o:ibm:aix:4.1.2:*:*:*:*:*:*:*
    • cpe:2.3:o:ibm:aix:4.1.3:*:*:*:*:*:*:*
    • cpe:2.3:o:ibm:aix:4.1.4:*:*:*:*:*:*:*
    • cpe:2.3:o:ibm:aix:4.1.5:*:*:*:*:*:*:*
    • cpe:2.3:o:ibm:aix:4.2:*:*:*:*:*:*:*
    • (no CPE)

Patches

0

No patches discovered yet.

Vulnerability mechanics

No source-code context for this CVE — mechanics is only generated when we can read the actual fix diff. Without that, the four sections (root cause, attack vector, affected code, fix) would be speculation rather than analysis.

References

1

News mentions

0

No linked articles in our index yet.