search menu icon-carat-right cmu-wordmark

CERT Coordination Center

Winny contains a buffer overflow

Vulnerability Note VU#167033

Original Release Date: 2006-04-28 | Last Revised: 2006-05-31


Winny contains a buffer overflow. This vulnerability may allow a remote, unauthenticated attacker to execute arbitrary code on a vulnerable system.


Winny (also referred to as WinNY) is a popular Japanese peer-to-peer file sharing application. A flaw exists in this program due to an unbounded strcpy() of remotely-supplied user input during the handling of certain commands provided by the file transfer feature. This flaw results in a heap-based buffer overflow vulnerability due to the lack of validation on the size of user input. A remote attacker may be able exploit this vulnerability by sending a specially crafted message to a vulnerable Winny installation.


A remote unauthenticated attacker may be able to execute arbitrary code on a system running the vulnerable software. The attacker-supplied code would be executed in the context of the user running Winny.


The CERT/CC is currently unaware of a practical solution to this problem.


Discontinue use of the product
Due to extenuating circumstances, the author is unable to provide patches for this issue. Users concerned with security should consider discontinuing use of the product.

Vendor Information

CVSS Metrics

Group Score Vector
Base 0 AV:--/AC:--/Au:--/C:--/I:--/A:--
Temporal 0 E:ND/RL:ND/RC:ND
Environmental 0 CDP:ND/TD:ND/CR:ND/IR:ND/AR:ND



Thanks to JPCERT/CC for reporting this vulnerability. Discovery and research of this vulnerability was performed by eEye Digital Security.

This document was written by Chad R Dougherty.

Other Information

CVE IDs: CVE-2006-2007
Severity Metric: 3.42
Date Public: 2006-04-21
Date First Published: 2006-04-28
Date Last Updated: 2006-05-31 13:17 UTC
Document Revision: 30

Sponsored by CISA.