Vulnerability Note VU#755755

Yahoo! Messenger contains a buffer overflow in "set_buddygrp" when adding users to a buddy list via the web

Original Release date: 05 Jun 2002 | Last revised: 05 Jun 2002


Yahoo! Messenger is an instant messaging client. There is a remotely exploitable buffer overflow vulnerability in the "set_buddygrp" field of Yahoo! Messenger.


A remotely exploitable buffer overflow exists in the "set_buddygrp" field that may permit a remote attacker to execute arbitrary code on the system with the privileges of the current user. It is possible to crash the Yahoo! Messenger client by overflowing the "set_buddygrp" field.


Exploitation of this vulnerability crashes the application, resulting in a denial-of-service condition. However, this vulnerability is a buffer overflow, and may allow the execution of arbitrary code on the local system with the privileges of the current user.


This vulnerability was fixed by a server-side resolution in February 2002. No user action is required.

Systems Affected

Vendor  Status    Date Notified  Date Updated
Yahoo   Affected  31 May 2002    05 Jun 2002

CVSS Metrics

Group Score Vector
Base N/A N/A
Temporal N/A N/A
Environmental N/A N/A


  • None


This vulnerability was discovered by Adam Lang.

This document was written by Jason Rafail.

Other Information

  • CVE IDs: Unknown
  • CERT Advisory: CA-2002-16
  • Date Public: 26 Feb 2002
  • Date First Published: 05 Jun 2002
  • Date Last Updated: 05 Jun 2002
  • Severity Metric: 22.78
  • Document Revision: 21

