CVE-2003-0806
Description
Buffer overflow in the Windows logon process (winlogon) in Microsoft Windows NT 4.0 SP6a, 2000 SP2 through SP4, and XP SP1, when a member of a domain, allows remote attackers to execute arbitrary code.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
A buffer overflow in Winlogon on multiple Windows versions allows domain-authenticated attackers to achieve remote code execution.
Vulnerability
A buffer overflow exists in the Windows logon process (winlogon.exe) on Microsoft Windows NT 4.0 Service Pack 6a, Windows 2000 Service Pack 2 through Service Pack 4, and Windows XP Service Pack 1 (including 64-Bit Edition) when the system is a member of a domain [1][2]. The flaw occurs during processing of the domain value supplied as part of a logon request; Winlogon fails to validate the size of this domain string before copying it into a fixed-size buffer [2]. Systems that are not domain members are not affected [2].
Exploitation
An attacker must first have permission to modify user objects in the domain, such as membership in the Administrators or Account Operators groups (or a user account to whom such permission has been delegated) [2]. The attack is initiated from a remote machine by sending a specially crafted logon request with an overly long domain value to a domain controller or member server running the affected software [1][2]. No user interaction on the target is required beyond the normal logon process.
Impact
Successful exploitation allows the attacker to execute arbitrary code with System privileges, leading to complete compromise of the confidentiality, integrity, and availability of the affected system [1][2]. The attacker gains full control over the target machine, which could then be used to pivot further within the domain.
Mitigation
Microsoft released security update MS04-011 (Knowledge Base Article 835732) in April 2004 to address this vulnerability [1]. Affected users should apply the appropriate patch for their Windows version immediately. For Windows NT Server 4.0 Terminal Server Edition Service Pack 6, the Security Rollup Package (SRP) must be installed first [1]. No workaround is provided, so systems that remain unpatched are still at risk. This vulnerability is not listed in the CISA Known Exploited Vulnerabilities (KEV) catalog.
AI Insight generated on May 24, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
Affected products
- cpe:2.3:o:microsoft:windows_2000:*:sp2:*:*:*:*:*:*
- cpe:2.3:o:microsoft:windows_2000:*:sp3:*:*:*:*:*:*
- cpe:2.3:o:microsoft:windows_2000:*:sp4:*:fr:*:*:*:*
- (no CPE) range: SP2 to SP4
- cpe:2.3:o:microsoft:windows_nt:4.0:sp6a:*:*:*:*:*:*
- cpe:2.3:o:microsoft:windows_xp:*:sp1:tablet_pc:*:*:*:*:*
- (no CPE) range: SP1
- Range: SP6a
Patches
No patches discovered yet.
References
- www.kb.cert.org/vuls/id/471260 (nvd; Patch, Third Party Advisory, US Government Resource)
- www.us-cert.gov/cas/techalerts/TA04-104A.html (nvd; Third Party Advisory, US Government Resource)
- www.ciac.org/ciac/bulletins/o-114.shtml (nvd)
- www.securityfocus.com/bid/10126 (nvd)
- docs.microsoft.com/en-us/security-updates/securitybulletins/2004/ms04-011 (nvd)
- exchange.xforce.ibmcloud.com/vulnerabilities/15702 (nvd)
- oval.cisecurity.org/repository/search/definition/oval%3Aorg.mitre.oval%3Adef%3A1054 (nvd)
- oval.cisecurity.org/repository/search/definition/oval%3Aorg.mitre.oval%3Adef%3A895 (nvd)
- oval.cisecurity.org/repository/search/definition/oval%3Aorg.mitre.oval%3Adef%3A896 (nvd)
News mentions
No linked articles in our index yet.