VYPR
Unrated severity · NVD Advisory · Published May 4, 2004 · Updated Apr 16, 2026

CVE-2004-0376

Description

A remote unauthenticated attacker can crash oftpd FTP server versions 0.3.6 and earlier by sending a PORT command with a value above 255.

AI Insight

LLM-synthesized narrative grounded in this CVE's description and references.

Vulnerability

oftpd versions 0.3.6 and earlier contain a denial-of-service vulnerability in the handling of the FTP PORT command. When the server receives a PORT command with a numeric value greater than 255, it crashes. The PORT command can be issued before any authentication, meaning no valid username or password is required to trigger the bug. [1][2]

Exploitation

An attacker can exploit this vulnerability by establishing a TCP connection to the FTP server on port 21 and sending the string PORT 300 (or any integer above 255) followed by a carriage return. No further interaction or authentication is needed; the server crashes immediately upon processing the malformed command. [2]

Impact

Successful exploitation results in a denial of service: the oftpd daemon crashes and must be restarted manually. The crash does not lead to data compromise or privilege escalation, but it renders the FTP service unavailable until the administrator restarts the daemon. [1][2]

Mitigation

The vulnerability is fixed in oftpd version 0.3.7. Users should upgrade to >=net-ftp/oftpd-0.3.7 (Gentoo) or the version provided in Debian Security Advisory DSA-473. No workaround is currently known. [1]

AI Insight generated on May 24, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.

Affected products

2
  • Oftpd/Oftpd (2 versions)
    • cpe:2.3:a:oftpd:oftpd:*:*:*:*:*:*:*:* (range: <=0.3.6)
    • (no CPE) (range: <=0.3.6)

References

6
