CVE-2000-0073

Microsoft Windows 2000, 98 and NT - Denial of Service via Malformed RTF Control Word

Title source: llm

Exploitation Summary

EIP tracks 1 public exploit for CVE-2000-0073. PoCs published by Pauli Ojanpera.

AI-analyzed exploit summary: The exploit describes a buffer overflow vulnerability in Riched20.dll and Riched32.dll, which parse Rich Text Format (RTF) files. By inserting 32 (or more) characters after the .rtf identifier in an RTF file, an attacker can crash applications like WordPad, potentially executing arbitrary code at the user's privilege level.

Description

Buffer overflow in Microsoft Rich Text Format (RTF) reader allows attackers to cause a denial of service via a malformed control word.

Exploits (1)

exploitdb WRITEUP VERIFIED
by Pauli Ojanpera · text · local · windows
https://www.exploit-db.com/exploits/19633

Classification: Writeup 90%
Attack Type: RCE
Complexity: Trivial
Reliability: Theoretical
Target: Windows 95/98, Windows NT Enterprise Server 4.0 SP1-SP6, Windows NT Server 4.0 SP1-SP6a, Windows NT Terminal Server 4.0 SP1-SP6, Windows NT Workstation 4.0 SP1-SP6a
No auth needed
Prerequisites: Victim must open a maliciously crafted RTF file
devstral-2 · analyzed Feb 18, 2026

References (3)

Core References
Vendor Advisory vendor-advisory x_refsource_mskb
http://support.microsoft.com/default.aspx?scid=kb%3B%5BLN%5D%3BQ249973

Scores

EPSS: 0.2440
EPSS Percentile: 97.6%

Details

Status: published
Products (3)
microsoft/windows_2000
microsoft/windows_98
microsoft/windows_nt 4.0
Published: Nov 17, 1999
Tracked Since: Feb 18, 2026