CVE-2005-1984
Description
Buffer overflow in the Print Spooler service (Spoolsv.exe) for Microsoft Windows 2000, Windows XP, and Windows Server 2003 allows remote attackers to execute arbitrary code via a malicious message.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
Affected products
5- cpe:2.3:o:microsoft:windows_2000:*:sp4:*:fr:*:*:*:*
- cpe:2.3:o:microsoft:windows_2003_server:r2:*:*:*:*:*:*:*
cpe:2.3:o:microsoft:windows_xp:*:sp1:tablet_pc:*:*:*:*:*+ 1 more
- cpe:2.3:o:microsoft:windows_xp:*:sp1:tablet_pc:*:*:*:*:*
- cpe:2.3:o:microsoft:windows_xp:*:sp2:tablet_pc:*:*:*:*:*
Patches
Vulnerability mechanics
Root cause
"An unchecked buffer in the Print Spooler service (Spoolsv.exe) allows a specially crafted message to overflow the buffer."
Attack vector
An attacker sends a specially crafted message to the Print Spooler service on an affected system [ref_id=1]. On Windows 2000 and Windows XP Service Pack 1, this can be done by any anonymous user over the network, as the service is reachable via null session pipes by default [ref_id=1]. On Windows XP Service Pack 2 and Windows Server 2003, the attack is restricted to authenticated users, and a remote attack vector only exists if a user with appropriate permissions has shared a printer or attempted to connect to a shared printer [ref_id=1]. The unchecked buffer in Spoolsv.exe overflows when processing the malicious message, potentially allowing arbitrary code execution [ref_id=1].
Affected code
The vulnerability resides in the Print Spooler service executable, Spoolsv.exe, which is installed as a service on Microsoft Windows 2000, Windows XP, and Windows Server 2003 [ref_id=1]. The advisory states that "an unchecked buffer in the Print Spooler service" is the cause [ref_id=1]. No specific function or file path within Spoolsv.exe is named in the available references.
What the fix does
The security update corrects the vulnerability by ensuring the Print Spooler service properly validates message length before copying data into a buffer [ref_id=1]. No patch diff is available in the bundle; the advisory only states that the update resolves the "unchecked buffer" condition [ref_id=1]. Microsoft recommends all affected customers apply the update immediately, and notes that disabling the Print Spooler service or removing SPOOLSS from the NullSessionPipes registry key can serve as interim workarounds [ref_id=1].
Preconditions
- networkOn Windows 2000 and Windows XP SP1: no authentication required; the Print Spooler service must be running and reachable over the network.
- authOn Windows XP SP2 and Windows Server 2003: the attacker must be authenticated, and a user with appropriate permissions must have shared a printer or attempted to connect to a shared printer to create a remote attack vector.
- configThe Print Spooler service (Spoolsv.exe) must be running (it is enabled by default).
Generated on May 26, 2026. Inputs: CWE entries + fix-commit diffs from this CVE's patches. Citations validated against bundle.
References
10- secunia.com/advisories/16356/nvdPatchVendor Advisory
- www.us-cert.gov/cas/techalerts/TA05-221A.htmlnvdPatchUS Government Resource
- www.kb.cert.org/vuls/id/220821nvdUS Government Resource
- securitytracker.com/idnvd
- www.securityfocus.com/bid/14514nvd
- docs.microsoft.com/en-us/security-updates/securitybulletins/2005/ms05-043nvd
- oval.cisecurity.org/repository/search/definition/oval%3Aorg.mitre.oval%3Adef%3A100077nvd
- oval.cisecurity.org/repository/search/definition/oval%3Aorg.mitre.oval%3Adef%3A1045nvd
- oval.cisecurity.org/repository/search/definition/oval%3Aorg.mitre.oval%3Adef%3A1405nvd
- oval.cisecurity.org/repository/search/definition/oval%3Aorg.mitre.oval%3Adef%3A256nvd
News mentions
0No linked articles in our index yet.