CVE-2004-2099
Description
Buffer overflow in Need for Speed Hot Pursuit 2 client (version 242 and earlier) allows a malicious server to execute arbitrary code via crafted server reply strings.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
Buffer overflow in Need for Speed Hot Pursuit 2 client (version 242 and earlier) allows a malicious server to execute arbitrary code via crafted server reply strings.
Vulnerability
The NFSHP2 client (version 242 and earlier) contains a buffer overflow vulnerability in the handling of server reply strings. When the client enters the Multiplayer screen, it automatically queries servers from a master list and processes replies. The parameters gamename, gamever, hostname, gametype, mapname, and gamemode are copied into fixed-size buffers without bounds checking, allowing an overflow [1].
Exploitation
An attacker controlling a malicious server can send a crafted reply containing an overly long string in any of the vulnerable parameters. The client automatically processes this reply without user interaction, triggering the overflow. The advisory demonstrates the vulnerable code path and provides proof-of-concept code [1].
Impact
Successful exploitation allows the attacker (server) to execute arbitrary code on the client's machine with the privileges of the user running the game. This can lead to full compromise of the affected system [1].
Mitigation
No official patch was released by Electronic Arts for this vulnerability. The game is likely end-of-life. Users are advised to avoid connecting to untrusted servers or to apply third-party patches if available. The advisory notes that the bug was discovered in version 242 and earlier [1].
AI Insight generated on May 24, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
Affected products
1- cpe:2.3:a:electronic_arts:need_for_speed_hot_pursuit_2:*:*:*:*:*:*:*:*Range: <=242.0
Patches
0No patches discovered yet.
Vulnerability mechanics
Root cause
"The game client does not properly validate the length of several commands sent by a remote server, leading to a buffer overflow."
Attack vector
A remote attacker can act as a malicious server and send specially crafted commands to the Need for Speed Hot Pursuit 2.0 client (version 242 and earlier). These commands, including gamename, gamever, hostname, gametype, mapname, or gamemode, can be excessively long. When the client processes these long commands, it overflows a buffer, allowing the attacker to potentially execute arbitrary code.
Affected code
The vulnerability lies within the client's handling of network commands. Specifically, the code does not perform adequate bounds checking on the data received for commands such as 'gamename', 'gamever', 'hostname', 'gametype', 'mapname', and 'gamemode'. The provided exploit code [ref_id=1] demonstrates how to overwrite a return address by sending a long string for the 'hostname' field.
What the fix does
The advisory does not specify a patch or provide remediation guidance. Therefore, the patch does not show any changes. Users are advised to upgrade to a non-vulnerable version if available.
Preconditions
- inputThe client must receive commands from a remote server.
- networkThe client must be connected to a network where a malicious server can send data.
Reproduction
The provided reference [ref_id=1] includes a Proof of Concept (PoC) exploit, which can be used to reproduce the vulnerability.
Generated on Jun 5, 2026. Inputs: CWE entries + fix-commit diffs from this CVE's patches. Citations validated against bundle.
References
4News mentions
0No linked articles in our index yet.