CVE-2004-1492

Vulnerability

Master of Orion III versions 1.2.5 and earlier contain a denial-of-service vulnerability in the network protocol handling. Each data packet exchanged between clients and the server includes a 32-bit size field that the game uses to allocate memory. If an attacker sends a packet with an excessively large size value, the memory allocation fails and the game exits immediately [1].

Exploitation

An unauthenticated remote attacker can send a crafted data packet to a Master of Orion III server or client. The packet must contain a size specifier larger than the game can allocate. No user interaction is required; the game processes the packet and attempts the allocation, causing a crash [1].

Impact

Successful exploitation results in a denial of service: the game process terminates. No data is corrupted or disclosed, and no code execution is achieved. The crash affects both server and client instances [1].

Mitigation

No official patch has been released for this vulnerability. Master of Orion III is a legacy game and is no longer supported. As a workaround, restrict network access to the game to trusted hosts or play offline. The vulnerability is listed in the CVE database but not on the CISA KEV [1].