CVE-2006-4071 - Vulnerability Details - OpenCVE

Sign extension vulnerability in the createBrushIndirect function in the GDI library (gdi32.dll) in Microsoft Windows XP, Server 2003, and possibly other versions, allows user-assisted attackers to cause a denial of service (application crash) via a crafted WMF file.

No CVSS v4.0

No CVSS v3.1

No CVSS v3.0

Access Vector Network

Access Complexity High

Authentication None

Confidentiality Impact None

Integrity Impact None

Availability Impact Partial

This CVE is not in the KEV list.

Key SSVC decision points have not yet been added.

Vendors	Products
Microsoft	Windows 2003 Server Windows Xp

Configuration 1 [-]

OR	cpe:2.3:o:microsoft:windows_2003_server:r2:::::::*
	cpe:2.3:o:microsoft:windows_2003_server:sp1:::::::*
	cpe:2.3:o:microsoft:windows_xp::gold::::::*
	cpe:2.3:o:microsoft:windows_xp::sp1:tablet_pc:::::
	cpe:2.3:o:microsoft:windows_xp::sp2:tablet_pc:::::

No data.

References

Link	Providers
http://determina.blogspot.com/2007/01/whats-wrong-with-wmf.html
http://lists.grok.org.uk/pipermail/full-disclosure/2006-August/048530.html
http://lists.grok.org.uk/pipermail/full-disclosure/2006-August/048547.html
http://secunia.com/advisories/21377
http://securityreason.com/securityalert/1353
http://www.securityfocus.com/archive/1/442420/100/0/threaded
http://www.securityfocus.com/archive/1/442426/100/0/threaded
http://www.securityfocus.com/archive/1/456585/100/0/threaded
http://www.securityfocus.com/bid/19365
http://www.securityfocus.com/bid/21992
http://www.vupen.com/english/advisories/2006/3180
https://exchange.xforce.ibmcloud.com/vulnerabilities/28281
https://www.exploit-db.com/exploits/3111

History

Sun, 13 Jul 2025 13:45:00 +0000

Type	Values Removed	Values Added
Metrics	epss `{'score': 0.22388}`	epss `{'score': 0.22839}`

MITRE

Status: PUBLISHED

Assigner: mitre

Published: 2006-08-10T01:00:00

Updated: 2024-08-07T18:57:45.582Z

Reserved: 2006-08-09T00:00:00

Link: CVE-2006-4071

Vulnrichment

No data.

NVD

Status : Deferred

Published: 2006-08-10T01:04:00.000

Modified: 2025-04-03T01:03:51.193

Link: CVE-2006-4071

Redhat

No data.

{"containers": {"cna": {"affected": [{"product": "n/a", "vendor": "n/a", "versions": [{"status": "affected", "version": "n/a"}]}], "datePublic": "2006-08-06T00:00:00", "descriptions": [{"lang": "en", "value": "Sign extension vulnerability in the createBrushIndirect function in the GDI library (gdi32.dll) in Microsoft Windows XP, Server 2003, and possibly other versions, allows user-assisted attackers to cause a denial of service (application crash) via a crafted WMF file."}], "problemTypes": [{"descriptions": [{"description": "n/a", "lang": "en", "type": "text"}]}], "providerMetadata": {"dateUpdated": "2018-10-17T20:57:01", "orgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca", "shortName": "mitre"}, "references": [{"name": "windows-wmf-gdi32-dos(28281)", "tags": ["vdb-entry", "x_refsource_XF"], "url": "https://exchange.xforce.ibmcloud.com/vulnerabilities/28281"}, {"name": "20070111 WMF CreateBrushIndirect vulnerability (DoS)", "tags": ["mailing-list", "x_refsource_BUGTRAQ"], "url": "http://www.securityfocus.com/archive/1/456585/100/0/threaded"}, {"name": "20060806 0-day XP SP2 wmf exploit", "tags": ["mailing-list", "x_refsource_FULLDISC"], "url": "http://lists.grok.org.uk/pipermail/full-disclosure/2006-August/048530.html"}, {"name": "19365", "tags": ["vdb-entry", "x_refsource_BID"], "url": "http://www.securityfocus.com/bid/19365"}, {"name": "3111", "tags": ["exploit", "x_refsource_EXPLOIT-DB"], "url": "https://www.exploit-db.com/exploits/3111"}, {"name": "20060807 0-day XP SP2 wmf exploit (some details)", "tags": ["mailing-list", "x_refsource_FULLDISC"], "url": "http://lists.grok.org.uk/pipermail/full-disclosure/2006-August/048547.html"}, {"name": "ADV-2006-3180", "tags": ["vdb-entry", "x_refsource_VUPEN"], "url": "http://www.vupen.com/english/advisories/2006/3180"}, {"name": "21377", "tags": ["third-party-advisory", "x_refsource_SECUNIA"], "url": "http://secunia.com/advisories/21377"}, {"tags": ["x_refsource_MISC"], "url": "http://determina.blogspot.com/2007/01/whats-wrong-with-wmf.html"}, {"name": "1353", "tags": ["third-party-advisory", "x_refsource_SREASON"], "url": "http://securityreason.com/securityalert/1353"}, {"name": "21992", "tags": ["vdb-entry", "x_refsource_BID"], "url": "http://www.securityfocus.com/bid/21992"}, {"name": "20060806 0-day XP SP2 wmf exploit", "tags": ["mailing-list", "x_refsource_BUGTRAQ"], "url": "http://www.securityfocus.com/archive/1/442426/100/0/threaded"}, {"name": "20060807 0-day XP SP2 wmf exploit (some details)", "tags": ["mailing-list", "x_refsource_BUGTRAQ"], "url": "http://www.securityfocus.com/archive/1/442420/100/0/threaded"}], "x_legacyV4Record": {"CVE_data_meta": {"ASSIGNER": "cve@mitre.org", "ID": "CVE-2006-4071", "STATE": "PUBLIC"}, "affects": {"vendor": {"vendor_data": [{"product": {"product_data": [{"product_name": "n/a", "version": {"version_data": [{"version_value": "n/a"}]}}]}, "vendor_name": "n/a"}]}}, "data_format": "MITRE", "data_type": "CVE", "data_version": "4.0", "description": {"description_data": [{"lang": "eng", "value": "Sign extension vulnerability in the createBrushIndirect function in the GDI library (gdi32.dll) in Microsoft Windows XP, Server 2003, and possibly other versions, allows user-assisted attackers to cause a denial of service (application crash) via a crafted WMF file."}]}, "problemtype": {"problemtype_data": [{"description": [{"lang": "eng", "value": "n/a"}]}]}, "references": {"reference_data": [{"name": "windows-wmf-gdi32-dos(28281)", "refsource": "XF", "url": "https://exchange.xforce.ibmcloud.com/vulnerabilities/28281"}, {"name": "20070111 WMF CreateBrushIndirect vulnerability (DoS)", "refsource": "BUGTRAQ", "url": "http://www.securityfocus.com/archive/1/456585/100/0/threaded"}, {"name": "20060806 0-day XP SP2 wmf exploit", "refsource": "FULLDISC", "url": "http://lists.grok.org.uk/pipermail/full-disclosure/2006-August/048530.html"}, {"name": "19365", "refsource": "BID", "url": "http://www.securityfocus.com/bid/19365"}, {"name": "3111", "refsource": "EXPLOIT-DB", "url": "https://www.exploit-db.com/exploits/3111"}, {"name": "20060807 0-day XP SP2 wmf exploit (some details)", "refsource": "FULLDISC", "url": "http://lists.grok.org.uk/pipermail/full-disclosure/2006-August/048547.html"}, {"name": "ADV-2006-3180", "refsource": "VUPEN", "url": "http://www.vupen.com/english/advisories/2006/3180"}, {"name": "21377", "refsource": "SECUNIA", "url": "http://secunia.com/advisories/21377"}, {"name": "http://determina.blogspot.com/2007/01/whats-wrong-with-wmf.html", "refsource": "MISC", "url": "http://determina.blogspot.com/2007/01/whats-wrong-with-wmf.html"}, {"name": "1353", "refsource": "SREASON", "url": "http://securityreason.com/securityalert/1353"}, {"name": "21992", "refsource": "BID", "url": "http://www.securityfocus.com/bid/21992"}, {"name": "20060806 0-day XP SP2 wmf exploit", "refsource": "BUGTRAQ", "url": "http://www.securityfocus.com/archive/1/442426/100/0/threaded"}, {"name": "20060807 0-day XP SP2 wmf exploit (some details)", "refsource": "BUGTRAQ", "url": "http://www.securityfocus.com/archive/1/442420/100/0/threaded"}]}}}, "adp": [{"providerMetadata": {"orgId": "af854a3a-2127-422b-91ae-364da2661108", "shortName": "CVE", "dateUpdated": "2024-08-07T18:57:45.582Z"}, "title": "CVE Program Container", "references": [{"name": "windows-wmf-gdi32-dos(28281)", "tags": ["vdb-entry", "x_refsource_XF", "x_transferred"], "url": "https://exchange.xforce.ibmcloud.com/vulnerabilities/28281"}, {"name": "20070111 WMF CreateBrushIndirect vulnerability (DoS)", "tags": ["mailing-list", "x_refsource_BUGTRAQ", "x_transferred"], "url": "http://www.securityfocus.com/archive/1/456585/100/0/threaded"}, {"name": "20060806 0-day XP SP2 wmf exploit", "tags": ["mailing-list", "x_refsource_FULLDISC", "x_transferred"], "url": "http://lists.grok.org.uk/pipermail/full-disclosure/2006-August/048530.html"}, {"name": "19365", "tags": ["vdb-entry", "x_refsource_BID", "x_transferred"], "url": "http://www.securityfocus.com/bid/19365"}, {"name": "3111", "tags": ["exploit", "x_refsource_EXPLOIT-DB", "x_transferred"], "url": "https://www.exploit-db.com/exploits/3111"}, {"name": "20060807 0-day XP SP2 wmf exploit (some details)", "tags": ["mailing-list", "x_refsource_FULLDISC", "x_transferred"], "url": "http://lists.grok.org.uk/pipermail/full-disclosure/2006-August/048547.html"}, {"name": "ADV-2006-3180", "tags": ["vdb-entry", "x_refsource_VUPEN", "x_transferred"], "url": "http://www.vupen.com/english/advisories/2006/3180"}, {"name": "21377", "tags": ["third-party-advisory", "x_refsource_SECUNIA", "x_transferred"], "url": "http://secunia.com/advisories/21377"}, {"tags": ["x_refsource_MISC", "x_transferred"], "url": "http://determina.blogspot.com/2007/01/whats-wrong-with-wmf.html"}, {"name": "1353", "tags": ["third-party-advisory", "x_refsource_SREASON", "x_transferred"], "url": "http://securityreason.com/securityalert/1353"}, {"name": "21992", "tags": ["vdb-entry", "x_refsource_BID", "x_transferred"], "url": "http://www.securityfocus.com/bid/21992"}, {"name": "20060806 0-day XP SP2 wmf exploit", "tags": ["mailing-list", "x_refsource_BUGTRAQ", "x_transferred"], "url": "http://www.securityfocus.com/archive/1/442426/100/0/threaded"}, {"name": "20060807 0-day XP SP2 wmf exploit (some details)", "tags": ["mailing-list", "x_refsource_BUGTRAQ", "x_transferred"], "url": "http://www.securityfocus.com/archive/1/442420/100/0/threaded"}]}]}, "cveMetadata": {"assignerOrgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca", "assignerShortName": "mitre", "cveId": "CVE-2006-4071", "datePublished": "2006-08-10T01:00:00", "dateReserved": "2006-08-09T00:00:00", "dateUpdated": "2024-08-07T18:57:45.582Z", "state": "PUBLISHED"}, "dataType": "CVE_RECORD", "dataVersion": "5.1"}

{"configurations": [{"nodes": [{"cpeMatch": [{"criteria": "cpe:2.3:o:microsoft:windows_2003_server:r2:*:*:*:*:*:*:*", "matchCriteriaId": "4E7FD818-322D-4089-A644-360C33943D29", "vulnerable": true}, {"criteria": "cpe:2.3:o:microsoft:windows_2003_server:sp1:*:*:*:*:*:*:*", "matchCriteriaId": "644E2E89-F3E3-4383-B460-424D724EE62F", "vulnerable": true}, {"criteria": "cpe:2.3:o:microsoft:windows_xp:*:gold:*:*:*:*:*:*", "matchCriteriaId": "580B0C9B-DD85-40FA-9D37-BAC0C96D57FC", "vulnerable": true}, {"criteria": "cpe:2.3:o:microsoft:windows_xp:*:sp1:tablet_pc:*:*:*:*:*", "matchCriteriaId": "B9687E6C-EDE9-42E4-93D0-C4144FEC917A", "vulnerable": true}, {"criteria": "cpe:2.3:o:microsoft:windows_xp:*:sp2:tablet_pc:*:*:*:*:*", "matchCriteriaId": "FB2BE2DE-7B06-47ED-A674-15D45448F357", "vulnerable": true}], "negate": false, "operator": "OR"}]}], "cveTags": [], "descriptions": [{"lang": "en", "value": "Sign extension vulnerability in the createBrushIndirect function in the GDI library (gdi32.dll) in Microsoft Windows XP, Server 2003, and possibly other versions, allows user-assisted attackers to cause a denial of service (application crash) via a crafted WMF file."}, {"lang": "es", "value": "Vulnerabilidad de extensi\u00f3n de signo en la funci\u00f3n createBrushIndirect en la librer\u00eda GDI (gdi32.dll) en Microsoft Windows XP, Server 2003, y posiblemente otras versiones, permite a atacantes con asistencia del usuario causar una denegaci\u00f3n de servicio (ca\u00edda de aplicaci\u00f3n) mediante un fichero WMF artesanal."}], "id": "CVE-2006-4071", "lastModified": "2025-04-03T01:03:51.193", "metrics": {"cvssMetricV2": [{"acInsufInfo": false, "baseSeverity": "LOW", "cvssData": {"accessComplexity": "HIGH", "accessVector": "NETWORK", "authentication": "NONE", "availabilityImpact": "PARTIAL", "baseScore": 2.6, "confidentialityImpact": "NONE", "integrityImpact": "NONE", "vectorString": "AV:N/AC:H/Au:N/C:N/I:N/A:P", "version": "2.0"}, "exploitabilityScore": 4.9, "impactScore": 2.9, "obtainAllPrivilege": false, "obtainOtherPrivilege": false, "obtainUserPrivilege": false, "source": "nvd@nist.gov", "type": "Primary", "userInteractionRequired": true}]}, "published": "2006-08-10T01:04:00.000", "references": [{"source": "cve@mitre.org", "url": "http://determina.blogspot.com/2007/01/whats-wrong-with-wmf.html"}, {"source": "cve@mitre.org", "tags": ["Exploit"], "url": "http://lists.grok.org.uk/pipermail/full-disclosure/2006-August/048530.html"}, {"source": "cve@mitre.org", "url": "http://lists.grok.org.uk/pipermail/full-disclosure/2006-August/048547.html"}, {"source": "cve@mitre.org", "tags": ["Exploit", "Vendor Advisory"], "url": "http://secunia.com/advisories/21377"}, {"source": "cve@mitre.org", "url": "http://securityreason.com/securityalert/1353"}, {"source": "cve@mitre.org", "url": "http://www.securityfocus.com/archive/1/442420/100/0/threaded"}, {"source": "cve@mitre.org", "url": "http://www.securityfocus.com/archive/1/442426/100/0/threaded"}, {"source": "cve@mitre.org", "url": "http://www.securityfocus.com/archive/1/456585/100/0/threaded"}, {"source": "cve@mitre.org", "url": "http://www.securityfocus.com/bid/19365"}, {"source": "cve@mitre.org", "url": "http://www.securityfocus.com/bid/21992"}, {"source": "cve@mitre.org", "url": "http://www.vupen.com/english/advisories/2006/3180"}, {"source": "cve@mitre.org", "url": "https://exchange.xforce.ibmcloud.com/vulnerabilities/28281"}, {"source": "cve@mitre.org", "url": "https://www.exploit-db.com/exploits/3111"}, {"source": "af854a3a-2127-422b-91ae-364da2661108", "url": "http://determina.blogspot.com/2007/01/whats-wrong-with-wmf.html"}, {"source": "af854a3a-2127-422b-91ae-364da2661108", "tags": ["Exploit"], "url": "http://lists.grok.org.uk/pipermail/full-disclosure/2006-August/048530.html"}, {"source": "af854a3a-2127-422b-91ae-364da2661108", "url": "http://lists.grok.org.uk/pipermail/full-disclosure/2006-August/048547.html"}, {"source": "af854a3a-2127-422b-91ae-364da2661108", "tags": ["Exploit", "Vendor Advisory"], "url": "http://secunia.com/advisories/21377"}, {"source": "af854a3a-2127-422b-91ae-364da2661108", "url": "http://securityreason.com/securityalert/1353"}, {"source": "af854a3a-2127-422b-91ae-364da2661108", "url": "http://www.securityfocus.com/archive/1/442420/100/0/threaded"}, {"source": "af854a3a-2127-422b-91ae-364da2661108", "url": "http://www.securityfocus.com/archive/1/442426/100/0/threaded"}, {"source": "af854a3a-2127-422b-91ae-364da2661108", "url": "http://www.securityfocus.com/archive/1/456585/100/0/threaded"}, {"source": "af854a3a-2127-422b-91ae-364da2661108", "url": "http://www.securityfocus.com/bid/19365"}, {"source": "af854a3a-2127-422b-91ae-364da2661108", "url": "http://www.securityfocus.com/bid/21992"}, {"source": "af854a3a-2127-422b-91ae-364da2661108", "url": "http://www.vupen.com/english/advisories/2006/3180"}, {"source": "af854a3a-2127-422b-91ae-364da2661108", "url": "https://exchange.xforce.ibmcloud.com/vulnerabilities/28281"}, {"source": "af854a3a-2127-422b-91ae-364da2661108", "url": "https://www.exploit-db.com/exploits/3111"}], "sourceIdentifier": "cve@mitre.org", "vulnStatus": "Deferred", "weaknesses": [{"description": [{"lang": "en", "value": "NVD-CWE-Other"}], "source": "nvd@nist.gov", "type": "Primary"}]}