Microsoft Windows Nt

Aug 2025: NT OS Kernel Information Disclosure Vulnerability
CVE-2025-53136 5.5 - Medium - August 12, 2025

Exposure of sensitive information to an unauthorized actor in Windows NT OS Kernel allows an authorized attacker to disclose information locally.

Information Disclosure

CVE-2024-43623: Windows NT OS Kernel Elevation of Privilege
CVE-2024-43623 7.8 - High - November 12, 2024

Windows NT OS Kernel Elevation of Privilege Vulnerability

The kernel in Microsoft Windows NT 3.1 through Windows 7, including Windows 2000 SP4, Windows XP SP2 and SP3, Windows Server 2003 SP2, Windows Vista Gold, SP1, and SP2, and Windows Server 2008 Gold and SP2, when access to 16-bit applications is enabled on a 32-bit x86 platform, does not properly validate certain BIOS calls, which
CVE-2010-0232 7.8 - High - January 21, 2010

The kernel in Microsoft Windows NT 3.1 through Windows 7, including Windows 2000 SP4, Windows XP SP2 and SP3, Windows Server 2003 SP2, Windows Vista Gold, SP1, and SP2, and Windows Server 2008 Gold and SP2, when access to 16-bit applications is enabled on a 32-bit x86 platform, does not properly validate certain BIOS calls, which allows local users to gain privileges by crafting a VDM_TIB data structure in the Thread Environment Block (TEB), and then calling the NtVdmControl function to start the Windows Virtual DOS Machine (aka NTVDM) subsystem, leading to improperly handled exceptions involving the #GP trap handler (nt!KiTrap0D), aka "Windows Kernel Exception Handler Vulnerability."

The TCP implementation in (1) Linux, (2) platforms based on BSD Unix, (3) Microsoft Windows, (4) Cisco products, and probably other operating systems allows remote attackers to cause a denial of service (connection queue exhaustion) via multiple vectors
CVE-2008-4609 - October 20, 2008

The TCP implementation in (1) Linux, (2) platforms based on BSD Unix, (3) Microsoft Windows, (4) Cisco products, and probably other operating systems allows remote attackers to cause a denial of service (connection queue exhaustion) via multiple vectors that manipulate information in the TCP state table, as demonstrated by sockstress.

Configuration

The HxTocCtrl ActiveX control (hxvz.dll), as used in Microsoft Internet Explorer 5.01 SP4 and 6 SP1, in Windows XP SP2, Server 2003 SP1 and SP2, Vista SP1, and Server 2008
CVE-2008-1086 - April 08, 2008

The HxTocCtrl ActiveX control (hxvz.dll), as used in Microsoft Internet Explorer 5.01 SP4 and 6 SP1, in Windows XP SP2, Server 2003 SP1 and SP2, Vista SP1, and Server 2008, allows remote attackers to execute arbitrary code via malformed arguments, which triggers memory corruption.

Microsoft Internet Explorer 6.0 on Windows NT 4.0 SP6a, Windows 2000 SP4, Windows XP SP1, Windows XP SP2, and Windows Server 2003 SP1 allows remote attackers to cause a denial of service (client crash) via a certain combination of a malformed HTML file and a CSS file
CVE-2005-4717 - December 31, 2005

Microsoft Internet Explorer 6.0 on Windows NT 4.0 SP6a, Windows 2000 SP4, Windows XP SP1, Windows XP SP2, and Windows Server 2003 SP1 allows remote attackers to cause a denial of service (client crash) via a certain combination of a malformed HTML file and a CSS file that triggers a null dereference, probably related to rendering of a DIV element that contains a malformed IMG tag, as demonstrated by IEcrash.htm and IEcrash.rar.

The POSIX component of Microsoft Windows NT and Windows 2000
CVE-2004-0210 7.8 - High - August 06, 2004

The POSIX component of Microsoft Windows NT and Windows 2000 allows local users to execute arbitrary code via certain parameters, possibly by modifying message length values and causing a buffer overflow.

Classic Buffer Overflow

Double free vulnerability in mshtml.dll for certain versions of Internet Explorer 6.x
CVE-2003-1048 - July 27, 2004

Double free vulnerability in mshtml.dll for certain versions of Internet Explorer 6.x allows remote attackers to cause a denial of service (application crash) via a malformed GIF image.

A multi-threaded race condition in the Windows RPC DCOM functionality with the MS03-039 patch installed
CVE-2003-0813 - November 17, 2003

A multi-threaded race condition in the Windows RPC DCOM functionality with the MS03-039 patch installed allows remote attackers to cause a denial of service (crash or reboot) by causing two threads to process the same RPC request, which causes one thread to use memory after it has been freed, a different vulnerability than CVE-2003-0352 (Blaster/Nachi), CVE-2003-0715, and CVE-2003-0528, and as demonstrated by certain exploits against those vulnerabilities.

The (1) CertGetCertificateChain, (2) CertVerifyCertificateChainPolicy, and (3) WinVerifyTrust APIs within the CryptoAPI for Microsoft products including Microsoft Windows 98 through XP, Office for Mac, Internet Explorer for Mac, and Outlook Express for Mac, do not properly verify the Basic Constraints of intermediate CA-signed X.509 certificates, which
CVE-2002-0862 - October 04, 2002

The (1) CertGetCertificateChain, (2) CertVerifyCertificateChainPolicy, and (3) WinVerifyTrust APIs within the CryptoAPI for Microsoft products including Microsoft Windows 98 through XP, Office for Mac, Internet Explorer for Mac, and Outlook Express for Mac, do not properly verify the Basic Constraints of intermediate CA-signed X.509 certificates, which allows remote attackers to spoof the certificates of trusted sites via a man-in-the-middle attack for SSL sessions, as originally reported for Internet Explorer and IIS.

NTFS file system in Windows NT 4.0 and Windows 2000 SP2
CVE-2002-0725 - September 05, 2002

NTFS file system in Windows NT 4.0 and Windows 2000 SP2 allows local attackers to hide file usage activities via a hard link to the target file, which causes the link to be recorded in the audit trail instead of the target file.

Integer overflow in xdr_array function in RPC servers for operating systems
CVE-2002-0391 9.8 - Critical - August 12, 2002

Integer overflow in xdr_array function in RPC servers for operating systems that use libc, glibc, or other code based on SunRPC including dietlibc, allows remote attackers to execute arbitrary code by passing a large number of arguments to xdr_array through RPC services such as rpc.cmsd and dmispd.

Integer Overflow or Wraparound

smss.exe debugging subsystem in Windows NT and Windows 2000 does not properly authenticate programs
CVE-2002-0367 7.8 - High - June 25, 2002

smss.exe debugging subsystem in Windows NT and Windows 2000 does not properly authenticate programs that connect to other programs, which allows local users to gain administrator or SYSTEM privileges by duplicating a handle to a privileged process, as demonstrated by DebPloit.

Improper Privilege Management

By default, DNS servers on Windows NT 4.0 and Windows 2000 Server cache glue records received from non-delegated name servers, which
CVE-2001-1452 - August 31, 2001

By default, DNS servers on Windows NT 4.0 and Windows 2000 Server cache glue records received from non-delegated name servers, which allows remote attackers to poison the DNS cache via spoofed DNS responses.

The Winsock2ProtocolCatalogMutex mutex in Windows NT 4.0 has inappropriate Everyone/Full Control permissions, which
CVE-2001-0006 - February 12, 2001

The Winsock2ProtocolCatalogMutex mutex in Windows NT 4.0 has inappropriate Everyone/Full Control permissions, which allows local users to modify the permissions to "No Access" and disable Winsock network connectivity to cause a denial of service, aka the "Winsock Mutex" vulnerability.

A Windows NT administrator account has the default name of Administrator.
CVE-1999-0585 - July 01, 2000

A Windows NT administrator account has the default name of Administrator.

A system does not present an appropriate legal message or warning to a user who is accessing it.
CVE-1999-0590 - June 01, 2000

A system does not present an appropriate legal message or warning to a user who is accessing it.

The default configuration for the domain name resolver for Microsoft Windows 98, NT 4.0, 2000, and XP sets the QueryIpMatching parameter to 0, which causes Windows to accept DNS updates from hosts
CVE-2000-1218 9.8 - Critical - April 14, 2000

The default configuration for the domain name resolver for Microsoft Windows 98, NT 4.0, 2000, and XP sets the QueryIpMatching parameter to 0, which causes Windows to accept DNS updates from hosts that it did not query, which allows remote attackers to poison the DNS cache.

Origin Validation Error

Buffer overflow in the SHGetPathFromIDList function of the Serv-U FTP server
CVE-2000-0129 - February 04, 2000

Buffer overflow in the SHGetPathFromIDList function of the Serv-U FTP server allows attackers to cause a denial of service by performing a LIST command on a malformed .lnk file.

A Windows NT system does not clear the system page file during shutdown, which might
CVE-1999-0595 - January 20, 2000

A Windows NT system does not clear the system page file during shutdown, which might allow sensitive information to be recorded.

Windows NT 4.0 does not properly shut down invalid named pipe RPC connections, which
CVE-1999-1127 7.5 - High - December 31, 1999

Windows NT 4.0 does not properly shut down invalid named pipe RPC connections, which allows remote attackers to cause a denial of service (resource exhaustion) via a series of connections containing malformed data, aka the "Named Pipes Over RPC" vulnerability.

Missing Release of Resource after Effective Lifetime

Denial of service in Windows NT messenger service through a long username.
CVE-1999-0224 - July 23, 1999

Denial of service in Windows NT messenger service through a long username.

Denial of service in RAS/PPTP on NT systems.
CVE-1999-0140 - June 30, 1999

Denial of service in RAS/PPTP on NT systems.

Remote attackers can perform a denial of service in Windows machines using malicious ARP packets
CVE-1999-0444 - April 12, 1999

Remote attackers can perform a denial of service in Windows machines using malicious ARP packets, forcing a message box display for each packet or filling up log files.

Windows NT 4.0 beta
CVE-1999-0119 - January 19, 1999

Windows NT 4.0 beta allows users to read and delete shares.

The cryptographic challenge of SMB authentication in Windows 95 and Windows 98 can be reused
CVE-1999-0391 - January 05, 1999

The cryptographic challenge of SMB authentication in Windows 95 and Windows 98 can be reused, allowing an attacker to replay the response and impersonate a user.

A Windows NT system's registry audit policy does not log an event success or failure for non-critical registry keys.
CVE-1999-0579 - January 01, 1999

A Windows NT system's registry audit policy does not log an event success or failure for non-critical registry keys.

Windows NT TCP/IP processes fragmented IP packets improperly
CVE-1999-0226 - January 01, 1999

Windows NT TCP/IP processes fragmented IP packets improperly, causing a denial of service.

Data Processing Errors

Denial of service in telnet
CVE-1999-0285 - January 01, 1999

Denial of service in telnet from the Windows NT Resource Kit, by opening then immediately closing a connection.

Windows NT automatically logs in an administrator upon rebooting.
CVE-1999-0549 - January 01, 1999

Windows NT automatically logs in an administrator upon rebooting.

A system-critical Windows NT file or directory has inappropriate permissions.
CVE-1999-0560 - January 01, 1999

A system-critical Windows NT file or directory has inappropriate permissions.

Windows NT is not using a password filter utility, e.g
CVE-1999-0570 - January 01, 1999

Windows NT is not using a password filter utility, e.g. PASSFILT.DLL.

A Windows NT system's file audit policy does not log an event success or failure for non-critical files or directories.
CVE-1999-0577 - January 01, 1999

A Windows NT system's file audit policy does not log an event success or failure for non-critical files or directories.

A Windows NT system's registry audit policy does not log an event success or failure for security-critical registry keys.
CVE-1999-0578 - January 01, 1999

A Windows NT system's registry audit policy does not log an event success or failure for security-critical registry keys.

The HKEY_CLASSES_ROOT key in a Windows NT system has inappropriate
CVE-1999-0581 - January 01, 1999

The HKEY_CLASSES_ROOT key in a Windows NT system has inappropriate, system-critical permissions.

A Windows NT domain user or administrator account has a guessable password.
CVE-1999-0505 - October 01, 1998

A Windows NT domain user or administrator account has a guessable password.

A Windows NT domain user or administrator account has a default
CVE-1999-0506 - October 01, 1998

A Windows NT domain user or administrator account has a default, null, blank, or missing password.

The Windows NT guest account is enabled.
CVE-1999-0546 - October 01, 1998

The Windows NT guest account is enabled.

Bonk variation of teardrop IP fragmentation denial of service.
CVE-1999-0258 - February 13, 1998

Bonk variation of teardrop IP fragmentation denial of service.

Land IP denial of service.
CVE-1999-0016 - December 01, 1997

Land IP denial of service.

Listening TCP ports are sequentially allocated
CVE-1999-0074 - July 01, 1997

Listening TCP ports are sequentially allocated, allowing spoofing attacks.

Denial of service in Windows NT DNS servers by flooding port 53 with too many characters.
CVE-1999-0275 - June 10, 1997

Denial of service in Windows NT DNS servers by flooding port 53 with too many characters.

Denial of service through Winpopup using large user names.
CVE-1999-0292 - April 01, 1997

Denial of service through Winpopup using large user names.

A version of finger is running
CVE-1999-0612 - March 01, 1997

A version of finger is running that exposes valid user information to any entity on the network.

Windows NT RSHSVC program
CVE-1999-0249 - January 01, 1997

Windows NT RSHSVC program allows remote users to execute arbitrary commands.

A Windows NT local user or administrator account has a guessable password.
CVE-1999-0503 - January 01, 1997

A Windows NT local user or administrator account has a guessable password.

Denial of service in Windows NT DNS servers through malicious packet which contains a response to a query
CVE-1999-0274 - January 01, 1997

Denial of service in Windows NT DNS servers through malicious packet which contains a response to a query that wasn't made.

NETBIOS share information may be published through SNMP registry keys in NT.
CVE-1999-0499 - January 01, 1997

NETBIOS share information may be published through SNMP registry keys in NT.

A Windows NT account policy has inappropriate, security-critical settings for lockout, e.g
CVE-1999-0582 - January 01, 1997

A Windows NT account policy has inappropriate, security-critical settings for lockout, e.g. lockout duration, lockout after bad logon attempts, etc.

A Windows NT system's file audit policy does not log an event success or failure for security-critical files or directories.
CVE-1999-0576 - January 01, 1997

A Windows NT system's file audit policy does not log an event success or failure for security-critical files or directories.