Unrated severityNVD Advisory· Published Dec 31, 2003· Updated Jun 16, 2026

CVE-2003-1118

Description

Buffer overflow in the SETI@home client 3.03 and other versions allows remote attackers to cause a denial of service (client crash) and execute arbitrary code via a spoofed server response containing a long string followed by a \n (newline) character.

AI Insight

LLM-synthesized narrative grounded in this CVE's description and references.

Affected products

University Of California/Seti At Home5 versions
cpe:2.3:a:university_of_california:seti_at_home:3.3:*:*:*:*:*:*:*+ 4 more
- cpe:2.3:a:university_of_california:seti_at_home:3.3:*:*:*:*:*:*:*
- cpe:2.3:a:university_of_california:seti_at_home:3.4:*:*:*:*:*:*:*
- cpe:2.3:a:university_of_california:seti_at_home:3.5:*:*:*:*:*:*:*
- cpe:2.3:a:university_of_california:seti_at_home:3.6:*:*:*:*:*:*:*
- cpe:2.3:a:university_of_california:seti_at_home:3.7:*:*:*:*:*:*:*
SETI@home/SETI@home clientllm-create
Range: <=3.03

Patches

Vulnerability mechanics

Root cause

"A buffer overflow vulnerability exists in the SETI@home client due to improper handling of a long string followed by a newline character in a spoofed server response."

Attack vector

A remote attacker can send a specially crafted server response containing a long string and a newline character to the SETI@home client. This response triggers a buffer overflow, leading to a denial of service by crashing the client. The overflow can also be exploited to execute arbitrary code on the victim's machine [ref_id=1].

Affected code

The vulnerability lies within the SETI@home client software, specifically in how it processes responses from a SETI@home server. The exploit code targets the 'Packet retr mode' and various versions of the client, including 3.03, across different operating systems like Linux and FreeBSD [ref_id=1].

What the fix does

The provided materials do not contain information about a specific patch or fix for this vulnerability. The advisory suggests using a DNS spoofing utility in conjunction with the exploit, implying that the vulnerability is related to how the client handles network responses. Remediation guidance would typically involve updating the client software to properly validate and sanitize server responses.

Preconditions

networkThe attacker must be able to intercept or spoof network traffic to send a malicious response to the SETI@home client.
inputThe client must receive a spoofed server response containing a long string followed by a newline character.

Reproduction

The provided exploit code demonstrates how to trigger the buffer overflow by sending a crafted payload to a listening socket, which then simulates a SETI@home server response. The exploit includes shellcode for Linux and FreeBSD, and allows for customization of the target, offset, and port [ref_id=1].

Generated on Jun 2, 2026. Inputs: CWE entries + fix-commit diffs from this CVE's patches. Citations validated against bundle.

References

www.kb.cert.org/vuls/id/146785nvdPatchThird Party AdvisoryUS Government Resource
www.securityfocus.com/bid/7292nvdPatch
lists.grok.org.uk/pipermail/full-disclosure/2003-April/004383.htmlnvd
exchange.xforce.ibmcloud.com/vulnerabilities/11731nvd

News mentions

No linked articles in our index yet.

cvss	0.000
epss	0.015
exploit	0.030
kev	0.000
patch	0.000
ransomware	0.000