search menu icon-carat-right cmu-wordmark

CERT Coordination Center

AOL Instant Messenger buffer overflow in screename

Vulnerability Note VU#41301

Original Release Date: 2002-01-16 | Last Revised: 2002-01-31


A buffer overflow exists in the AOL Instant Messenger (AIM) client versions 3.5.x and prior when accepting the screenname from the command line, or through the aim protocol.


AIM installs a protocol on the machine that enables people to post links on their websites, or send them in email messages to friends. For example:

<a href="aim:goim?screenname=myname">Send me an instant message here.</a>

One can also specify command line options to AIM for when it starts. AIM versions 3.5.x and prior contain a buffer overflow. When specifying a screenname using the aim protocol, or command line option, one can trigger a buffer overflow in the client.


A denial of service against the client can occur.


Upgrade to a version of AIM higher than 3.5.x.

Vendor Information

Expand all

AOL Time Warner

Notified:  October 17, 2001 Updated:  January 10, 2002



Vendor Statement

This is fixed and only occurred up to our 3.5 builds.

Vendor Information

The vendor has not provided us with any further information regarding this vulnerability.


The CERT/CC has no additional comments at this time.

If you have feedback, comments, or additional information about this vulnerability, please send us email.

CVSS Metrics

Group Score Vector
Base N/A N/A
Temporal N/A N/A
Environmental N/A



This vulnerability was discovered by Joe Testa.

This document was written by Jason Rafail.

Other Information

CVE IDs: None
Severity Metric: 1.06
Date Public: 2000-03-15
Date First Published: 2002-01-16
Date Last Updated: 2002-01-31 21:53 UTC
Document Revision: 10

Sponsored by the Department of Homeland Security Office of Cybersecurity and Communications.