Vulnerability Note VU#41301

AOL Instant Messenger buffer overflow in screenname

Original Release date: 16 Jan 2002 | Last revised: 31 Jan 2002


A buffer overflow exists in AOL Instant Messenger (AIM) client versions 3.5.x and prior when the client accepts a screenname from the command line or through the aim: protocol.


AIM registers an aim: protocol handler on the machine, which lets people post AIM links on their websites or send them to friends in email messages. For example:

<a href="aim:goim?screenname=myname">Send me an instant message here.</a>

Options can also be passed to AIM on the command line when it starts. AIM versions 3.5.x and prior contain a buffer overflow in the handling of the screenname: specifying a screenname through the aim: protocol or a command-line option can trigger the overflow in the client.
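The fix for this class of bug is to measure the screenname before copying it into a fixed buffer. The following is an added example, not AOL's code: `extract_screenname`, `SN_MAX` and the 16-character limit are assumptions made for illustration, and the check is on the raw (not URL-decoded) value.

```c
#include <stdio.h>
#include <string.h>

/* Assumed limit for this example; the note does not give AIM's buffer size. */
#define SN_MAX 16

enum sn_status { SN_OK = 0, SN_MISSING = -1, SN_TOO_LONG = -2 };

/*
 * Copy the screenname parameter of an aim: URI into out (capacity outlen).
 * The unsafe pattern is an unbounded copy such as strcpy(out, value).
 * Here the value is measured first and nothing is copied unless it fits.
 */
enum sn_status extract_screenname(const char *uri, char *out, size_t outlen)
{
    static const char key[] = "screenname=";
    const size_t keylen = sizeof key - 1;
    const char *p = strchr(uri, '?');
    size_t len;

    if (outlen == 0)
        return SN_TOO_LONG;
    out[0] = '\0';
    /* Walk parameter by parameter so only a whole key name matches. */
    while (p != NULL && strncmp(p + 1, key, keylen) != 0)
        p = strchr(p + 1, '&');
    if (p == NULL)
        return SN_MISSING;
    p += 1 + keylen;
    len = strcspn(p, "&");            /* value ends at '&' or end of string */
    if (len > SN_MAX || len >= outlen)
        return SN_TOO_LONG;           /* reject; never truncate silently */
    memcpy(out, p, len);
    out[len] = '\0';
    return SN_OK;
}

int main(void)
{
    char sn[SN_MAX + 1];
    /* Constructed sample input, taken from the link format shown above. */
    int rc = extract_screenname("aim:goim?screenname=myname", sn, sizeof sn);
    printf("status=%d screenname=\"%s\"\n", rc, sn);
    return rc == SN_OK ? 0 : 1;
}
```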


A denial of service against the client can occur.


Upgrade to a version of AIM higher than 3.5.x.

Systems Affected

Vendor            Status     Date Notified   Date Updated
AOL Time Warner   Affected   17 Oct 2001     10 Jan 2002

CVSS Metrics

Group           Score   Vector
Base            N/A     N/A
Temporal        N/A     N/A
Environmental   N/A     N/A



This vulnerability was discovered by Joe Testa.

This document was written by Jason Rafail.

Other Information

  • CVE IDs: Unknown
  • Date Public: 15 Mar 2000
  • Date First Published: 16 Jan 2002
  • Date Last Updated: 31 Jan 2002
  • Severity Metric: 1.06
  • Document Revision: 10

