VYPR
← All advisories
Unrated severityNVD Advisory· Published Dec 31, 2004· Updated Apr 16, 2026

CVE-2004-1306

CVE-2004-1306

Description

Heap-based buffer overflow in winhlp32.exe allows remote code execution via a crafted .hlp file.

AI Insight

LLM-synthesized narrative grounded in this CVE's description and references.

Heap-based buffer overflow in winhlp32.exe allows remote code execution via a crafted .hlp file.

Vulnerability

A heap-based buffer overflow exists in winhlp32.exe during the parsing of Windows Help (.hlp) files. The vulnerable code path is triggered when the help file uses phrase compression, which includes an internal file named phrases. The phrases table header contains fields such as wNumberOfPhrases, wOneHundred, and decompressedsize, and is followed by the phrase data. The function at address 0x0100A1EF calculates the length of phrase data without sufficient checks, allowing a specially crafted .hlp file to cause the heap memory to be overwritten. Affected versions include Windows NT, Windows 2000 SP0–SP4, Windows XP SP0–SP2, and Windows 2003 [1].

Exploitation

An attacker can exploit this vulnerability by crafting a malicious .hlp file with malformed phrase compression data. The attacker does not need authentication or user interaction beyond convincing the victim to open the .hlp file. The file can be delivered via email, a website, or other means. The overflow occurs when winhlp32.exe processes the phrases table and copies data into a heap buffer of insufficient size. No special network position is required beyond the ability to deliver the file [1].

Impact

Successful exploitation allows arbitrary code execution in the context of the current user. The attacker gains full control over the affected system, including the ability to install programs, view, change, or delete data, and create new accounts with full user rights. The impact is high on confidentiality, integrity, and availability [1].

Mitigation

Microsoft has released security updates for affected Windows versions. The update addresses the heap overflow by improving validation of help file data. Users should apply the latest patches via Windows Update. As a workaround, users can disable the Windows Help functionality or avoid opening .hlp files from untrusted sources. The vulnerability is not currently listed on the Known Exploited Vulnerabilities (KEV) catalog [1].

References
  1. 'Microsoft Windows winhlp32.exe Heap Overflow Vulnerability'

AI Insight generated on May 24, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.

Affected products

60
  • Microsoft/Windows 20006 versions
    cpe:2.3:o:microsoft:windows_2000:*:*:*:*:*:*:*:*+ 5 more
    • cpe:2.3:o:microsoft:windows_2000:*:*:*:*:*:*:*:*
    • cpe:2.3:o:microsoft:windows_2000:*:sp1:*:*:*:*:*:*
    • cpe:2.3:o:microsoft:windows_2000:*:sp2:*:*:*:*:*:*
    • cpe:2.3:o:microsoft:windows_2000:*:sp3:*:*:*:*:*:*
    • cpe:2.3:o:microsoft:windows_2000:*:sp4:*:*:*:*:*:*
    • (no CPE)range: <= SP4
  • Microsoft/Windows Server 200312 versions
    cpe:2.3:o:microsoft:windows_2003_server:datacenter_64-bit:sp1_beta_1:*:*:*:*:*:*+ 11 more
    • cpe:2.3:o:microsoft:windows_2003_server:datacenter_64-bit:sp1_beta_1:*:*:*:*:*:*
    • cpe:2.3:o:microsoft:windows_2003_server:enterprise:*:64-bit:*:*:*:*:*
    • cpe:2.3:o:microsoft:windows_2003_server:enterprise_64-bit:*:*:*:*:*:*:*
    • cpe:2.3:o:microsoft:windows_2003_server:enterprise_64-bit:sp1_beta_1:*:*:*:*:*:*
    • cpe:2.3:o:microsoft:windows_2003_server:enterprise:sp1_beta_1:*:*:*:*:*:*
    • cpe:2.3:o:microsoft:windows_2003_server:r2:*:64-bit:*:*:*:*:*
    • cpe:2.3:o:microsoft:windows_2003_server:r2:*:datacenter_64-bit:*:*:*:*:*
    • cpe:2.3:o:microsoft:windows_2003_server:r2:sp1_beta_1:*:*:*:*:*:*
    • cpe:2.3:o:microsoft:windows_2003_server:standard:*:64-bit:*:*:*:*:*
    • cpe:2.3:o:microsoft:windows_2003_server:standard:sp1_beta_1:*:*:*:*:*:*
    • cpe:2.3:o:microsoft:windows_2003_server:web:*:*:*:*:*:*:*
    • cpe:2.3:o:microsoft:windows_2003_server:web:sp1_beta_1:*:*:*:*:*:*
  • Microsoft/Windows Nt32 versions
    cpe:2.3:o:microsoft:windows_nt:4.0:*:enterprise_server:*:*:*:*:*+ 31 more
    • cpe:2.3:o:microsoft:windows_nt:4.0:*:enterprise_server:*:*:*:*:*
    • cpe:2.3:o:microsoft:windows_nt:4.0:*:server:*:*:*:*:*
    • cpe:2.3:o:microsoft:windows_nt:4.0:sp1:enterprise_server:*:*:*:*:*
    • cpe:2.3:o:microsoft:windows_nt:4.0:sp1:server:*:*:*:*:*
    • cpe:2.3:o:microsoft:windows_nt:4.0:sp1:terminal_server:*:*:*:*:*
    • cpe:2.3:o:microsoft:windows_nt:4.0:sp1:workstation:*:*:*:*:*
    • cpe:2.3:o:microsoft:windows_nt:4.0:sp2:enterprise_server:*:*:*:*:*
    • cpe:2.3:o:microsoft:windows_nt:4.0:sp2:server:*:*:*:*:*
    • cpe:2.3:o:microsoft:windows_nt:4.0:sp2:terminal_server:*:*:*:*:*
    • cpe:2.3:o:microsoft:windows_nt:4.0:sp2:workstation:*:*:*:*:*
    • cpe:2.3:o:microsoft:windows_nt:4.0:sp3:enterprise_server:*:*:*:*:*
    • cpe:2.3:o:microsoft:windows_nt:4.0:sp3:server:*:*:*:*:*
    • cpe:2.3:o:microsoft:windows_nt:4.0:sp3:terminal_server:*:*:*:*:*
    • cpe:2.3:o:microsoft:windows_nt:4.0:sp3:workstation:*:*:*:*:*
    • cpe:2.3:o:microsoft:windows_nt:4.0:sp4:enterprise_server:*:*:*:*:*
    • cpe:2.3:o:microsoft:windows_nt:4.0:sp4:server:*:*:*:*:*
    • cpe:2.3:o:microsoft:windows_nt:4.0:sp4:terminal_server:*:*:*:*:*
    • cpe:2.3:o:microsoft:windows_nt:4.0:sp4:workstation:*:*:*:*:*
    • cpe:2.3:o:microsoft:windows_nt:4.0:sp5:enterprise_server:*:*:*:*:*
    • cpe:2.3:o:microsoft:windows_nt:4.0:sp5:server:*:*:*:*:*
    • cpe:2.3:o:microsoft:windows_nt:4.0:sp5:terminal_server:*:*:*:*:*
    • cpe:2.3:o:microsoft:windows_nt:4.0:sp5:workstation:*:*:*:*:*
    • cpe:2.3:o:microsoft:windows_nt:4.0:sp6a:enterprise_server:*:*:*:*:*
    • cpe:2.3:o:microsoft:windows_nt:4.0:sp6a:server:*:*:*:*:*
    • cpe:2.3:o:microsoft:windows_nt:4.0:sp6a:terminal_server:*:*:*:*:*
    • cpe:2.3:o:microsoft:windows_nt:4.0:sp6a:workstation:*:*:*:*:*
    • cpe:2.3:o:microsoft:windows_nt:4.0:sp6:enterprise_server:*:*:*:*:*
    • cpe:2.3:o:microsoft:windows_nt:4.0:sp6:server:*:*:*:*:*
    • cpe:2.3:o:microsoft:windows_nt:4.0:sp6:terminal_server:*:*:*:*:*
    • cpe:2.3:o:microsoft:windows_nt:4.0:sp6:workstation:*:*:*:*:*
    • cpe:2.3:o:microsoft:windows_nt:4.0:*:terminal_server:*:*:*:*:*
    • cpe:2.3:o:microsoft:windows_nt:4.0:*:workstation:*:*:*:*:*
  • Microsoft/Windows Xp10 versions
    cpe:2.3:o:microsoft:windows_xp:*:*:64-bit:*:*:*:*:*+ 9 more
    • cpe:2.3:o:microsoft:windows_xp:*:*:64-bit:*:*:*:*:*
    • cpe:2.3:o:microsoft:windows_xp:*:gold:professional:*:*:*:*:*
    • cpe:2.3:o:microsoft:windows_xp:*:*:home:*:*:*:*:*
    • cpe:2.3:o:microsoft:windows_xp:*:*:media_center:*:*:*:*:*
    • cpe:2.3:o:microsoft:windows_xp:*:sp1:64-bit:*:*:*:*:*
    • cpe:2.3:o:microsoft:windows_xp:*:sp1:home:*:*:*:*:*
    • cpe:2.3:o:microsoft:windows_xp:*:sp1:media_center:*:*:*:*:*
    • cpe:2.3:o:microsoft:windows_xp:*:sp2:home:*:*:*:*:*
    • cpe:2.3:o:microsoft:windows_xp:*:sp2:media_center:*:*:*:*:*
    • (no CPE)range: <= SP2

Patches

0

No patches discovered yet.

Vulnerability mechanics

AI mechanics synthesis has not run for this CVE yet.

References

4

News mentions

0

No linked articles in our index yet.