CVE-1999-0041

GNU libc - Buffer Overflow in NLS

Title source: llm
STIX 2.1

Exploitation Summary

EIP tracks 2 public exploits for CVE-1999-0041. PoCs published by Solar Designer, Last Stage of Delirium.

AI-analyzed exploit summary This exploit targets a buffer overflow vulnerability in the Natural Language Service (NLS) libraries via the NLSPATH environment variable. It uses a crafted buffer to overwrite the stack and execute shellcode, granting unauthorized access via /bin/su.

Description

Buffer overflow in NLS (Natural Language Service).

Exploits (2)

exploitdb WORKING POC VERIFIED
by Solar Designer · clocalmultiple
https://www.exploit-db.com/exploits/19552

This exploit targets a buffer overflow vulnerability in the Natural Language Service (NLS) libraries via the NLSPATH environment variable. It uses a crafted buffer to overwrite the stack and execute shellcode, granting unauthorized access via /bin/su.

Classification
Working Poc 95%
Attack Type
Lpe
Complexity
Moderate
Reliability
Reliable
Target: Cray UNICOS 9.0/9.2/MAX 1.3/mk 1.5, AIX <= 4.2, Linux libc <= 5.2.18, RedHat 4.0, IRIX 6.2, Slackware 3.1
No auth needed
Prerequisites: Vulnerable system with setuid/setgid binaries using NLS libraries · Ability to set environment variables
devstral-2 · analyzed Feb 16, 2026 Full analysis →
exploitdb WORKING POC VERIFIED
by Last Stage of Delirium · clocalmultiple
https://www.exploit-db.com/exploits/19551

This exploit targets a buffer overflow vulnerability in the Natural Language Service (NLS) libraries on multiple UNIX systems, including IRIX 6.2, by manipulating the NLSPATH environment variable. It uses shellcode to execute a shell with elevated privileges via vulnerable setuid/setgid binaries.

Classification
Working Poc 95%
Attack Type
Lpe
Complexity
Moderate
Reliability
Reliable
Target: UNIX systems with vulnerable NLS libraries (e.g., IRIX 6.2, AIX <= 4.2, Linux libc <= 5.2.18)
No auth needed
Prerequisites: Access to a vulnerable UNIX system with setuid/setgid binaries · Ability to set environment variables
devstral-2 · analyzed Feb 16, 2026 Full analysis →

References (1)

Core 1
Core References
Third Party Advisory, VDB Entry x_refsource_misc
https://exchange.xforce.ibmcloud.com/vulnerabilities/CVE-1999-0041

Scores

EPSS 0.0909
EPSS Percentile 94.6%

CISA SSVC

Vulnrichment
Exploitation none
Automatable no
Technical Impact partial

Details

Status published
Products (12)
cray/unicos 1.5
cray/unicos 9.0
cray/unicos 9.2
cray/unicos_max 1.3
gnu/libc 5.0.9
gnu/libc 5.2.18
gnu/libc 5.3.12
ibm/aix 3.2.5
ibm/aix 4.1
ibm/aix 4.2
... and 2 more
Published Feb 13, 1997
Tracked Since Feb 18, 2026