VYPR
Unrated severity · NVD Advisory · Published Dec 31, 2004 · Updated Apr 16, 2026

CVE-2004-1049

Description

Integer overflow in the LoadImage API of the USER32 Lib for Microsoft Windows allows remote attackers to execute arbitrary code via a .bmp, .cur, .ico or .ani file with a large image size field, which leads to a buffer overflow, aka the "Cursor and Icon Format Handling Vulnerability."

Affected products

10
  • cpe:2.3:o:microsoft:windows_2000:*:*:*:*:*:*:*:*
  • cpe:2.3:o:microsoft:windows_2000:*:sp1:*:*:*:*:*:*
  • cpe:2.3:o:microsoft:windows_2000:*:sp2:*:*:*:*:*:*
  • cpe:2.3:o:microsoft:windows_2000:*:sp3:*:*:*:*:*:*
  • cpe:2.3:o:microsoft:windows_2000:*:sp4:*:fr:*:*:*:*
  • cpe:2.3:o:microsoft:windows_2003_server:r2:*:*:*:*:*:*:*
  • cpe:2.3:o:microsoft:windows_nt:*:*:*:*:*:*:*:*
  • cpe:2.3:o:microsoft:windows_xp:*:gold:*:*:*:*:*:*
  • cpe:2.3:o:microsoft:windows_xp:*:sp1:tablet_pc:*:*:*:*:*

Vulnerability mechanics

Root cause

"Integer overflow in the LoadImage API when processing a large image size field in .bmp, .cur, .ico, or .ani files leads to a buffer overflow."

Attack vector

An attacker crafts a malicious .bmp, .cur, .ico, or .ani file with a large image size field. When a user visits a malicious website or views a crafted email message, the file is processed by the LoadImage API, triggering an integer overflow that leads to a buffer overflow [ref_id=1]. The attacker can then execute arbitrary code with the privileges of the local user. User interaction is required — the attacker must persuade the victim to click a link or open the message [ref_id=1].

Affected code

The vulnerability resides in the LoadImage API of the USER32 library on affected Windows versions. The advisory does not specify exact function names or file paths beyond "LoadImage API of the USER32 Lib" [ref_id=1].

What the fix does

Microsoft released security update MS05-002 to address this vulnerability [ref_id=1]. The update corrects the integer overflow in the LoadImage API by adding proper validation of image size fields before memory allocation, preventing the buffer overflow. The advisory recommends all affected customers apply the update immediately [ref_id=1]. No patch diff is available in the bundle.
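The kind of size-field validation described above, as an added C illustration; it is not Microsoft's code or the MS05-002 patch. The 4-byte overhead, the function names and the choice of the BMP `biSizeImage` field (offset 34) are assumptions, since the advisory does not say which field or arithmetic USER32 used.

```c
#include <stdint.h>
#include <stddef.h>
#include <stdio.h>

/* Assumption: the loader adds a small fixed overhead to the declared size. */
#define OVERHEAD 4u

/* Read a 32-bit little-endian field from a file buffer. */
static uint32_t rd_le32(const uint8_t *p) {
    return (uint32_t)p[0] | ((uint32_t)p[1] << 8) |
           ((uint32_t)p[2] << 16) | ((uint32_t)p[3] << 24);
}

/* Unchecked pattern: 32-bit addition wraps, so a declared size near
 * UINT32_MAX produces a tiny allocation length. */
uint32_t naive_alloc_len(uint32_t declared) {
    return declared + OVERHEAD;
}

/* Checked pattern: 0 and *out set on success, -1 if the field is rejected. */
int checked_alloc_len(uint32_t declared, size_t file_len, uint32_t *out) {
    if (declared > UINT32_MAX - OVERHEAD) return -1; /* sum would wrap */
    if (declared > file_len) return -1;   /* claims more data than exists */
    *out = declared + OVERHEAD;
    return 0;
}

/* Validate the biSizeImage field (offset 34) of a BMP held in memory.
 * Returns 1 if the file may be handed to a decoder, 0 if it is rejected. */
int bmp_size_field_ok(const uint8_t *file, size_t file_len) {
    uint32_t len;
    if (file_len < 54 || file[0] != 'B' || file[1] != 'M') return 0;
    return checked_alloc_len(rd_le32(file + 34), file_len, &len) == 0;
}

int main(void) {
    uint8_t bmp[54] = { 'B', 'M' };          /* constructed sample header */
    printf("zero size field accepted: %d\n", bmp_size_field_ok(bmp, sizeof bmp));
    bmp[34] = 0xfc; bmp[35] = bmp[36] = bmp[37] = 0xff;  /* 0xfffffffc */
    printf("naive length: %u\n", (unsigned)naive_alloc_len(rd_le32(bmp + 34)));
    printf("huge size field accepted: %d\n", bmp_size_field_ok(bmp, sizeof bmp));
    return 0;
}
```

The same two checks (no wrap in the length arithmetic, declared size no larger than the data actually present) can be run as a pre-filter on image files before they reach a decoder on unpatched systems.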

Preconditions

  • input: User must visit a malicious website or view a crafted email message
  • input: Attacker must persuade user to click a link or open the message
  • config: System must be running an affected Windows version (pre-XP SP2)

Reproduction

A public PoC is referenced at http://www.xfocus.net/flashsky/icoExp/index.html, but the bundle does not include its contents. No reproduction steps are available in the provided reference write-ups.

Generated on May 26, 2026. Inputs: CWE entries + fix-commit diffs from this CVE's patches. Citations validated against bundle.

References

16
