CVE-2005-3120

CRITICAL

lynx < 2.8.6 - Remote Code Execution via HTrjis Asian Character Handling

Title source: llm

Exploitation Summary

EIP tracks 2 public exploits for CVE-2005-3120. PoCs published by Ulf Harnhammar, gitcollect.

AI-analyzed exploit summary: This exploit is a Perl script that sets up a fake NNTP server to trigger a buffer overflow in vulnerable Lynx versions via a maliciously crafted 'Subject' header. The overflow is achieved by sending a long string of characters to exploit the vulnerability.

Description

Stack-based buffer overflow in the HTrjis function in Lynx 2.8.6 and earlier allows remote NNTP servers to execute arbitrary code via certain article headers containing Asian characters that cause Lynx to add extra escape (ESC) characters.

Exploits (2)

exploitdb WORKING POC VERIFIED
by Ulf Harnhammar · perl · dos · multiple
https://www.exploit-db.com/exploits/1256


Classification: Working PoC 95%
Attack Type: RCE
Complexity: Moderate
Reliability: Reliable
Target: Lynx (versions vulnerable to CVE-2005-3120)
No auth needed
Prerequisites: Network access to the target · Target must connect to the malicious NNTP server
devstral-2 · analyzed Feb 16, 2026

References (35)

Core References
Broken Link vendor-advisory x_refsource_openpkg
http://www.openpkg.org/security/OpenPKG-SA-2005.026-lynx.html
Broken Link, Third Party Advisory, VDB Entry mailing-list x_refsource_bugtraq
http://www.securityfocus.com/archive/1/435689/30/4740/threaded
Broken Link, Third Party Advisory, VDB Entry vendor-advisory x_refsource_fedora
http://www.securityfocus.com/archive/1/419763/100/0/threaded
Broken Link, Third Party Advisory, VDB Entry vdb-entry x_refsource_bid
http://www.securityfocus.com/bid/15117
Broken Link, Third Party Advisory, VDB Entry vdb-entry x_refsource_sectrack
http://securitytracker.com/id?1015065
Broken Link third-party-advisory x_refsource_secunia
http://secunia.com/advisories/18376
Broken Link third-party-advisory x_refsource_secunia
http://secunia.com/advisories/17216
Broken Link third-party-advisory x_refsource_secunia
http://secunia.com/advisories/17480
Broken Link vendor-advisory x_refsource_trustix
http://lists.trustix.org/pipermail/tsl-announce/2005-October/000354.html
Broken Link, Patch, Vendor Advisory mailing-list x_refsource_fulldisc
http://lists.grok.org.uk/pipermail/full-disclosure/2005-October/038019.html
Broken Link third-party-advisory x_refsource_secunia
http://secunia.com/advisories/17444
Mailing List, Third Party Advisory vendor-advisory x_refsource_debian
http://www.debian.org/security/2006/dsa-1085
Third Party Advisory vendor-advisory x_refsource_gentoo
http://www.gentoo.org/security/en/glsa/glsa-200510-15.xml
Broken Link third-party-advisory x_refsource_secunia
http://secunia.com/advisories/18584
Broken Link third-party-advisory x_refsource_secunia
http://secunia.com/advisories/17238
Broken Link vendor-advisory x_refsource_suse
http://www.novell.com/linux/security/advisories/2005_25_sr.html
Broken Link third-party-advisory x_refsource_secunia
http://secunia.com/advisories/17150
Third Party Advisory vendor-advisory x_refsource_mandriva
http://www.mandriva.com/security/advisories?name=MDKSA-2005:186
Broken Link third-party-advisory x_refsource_secunia
http://secunia.com/advisories/17248
Third Party Advisory x_refsource_confirm
http://support.avaya.com/elmodocs2/security/ASA-2006-010.htm
Broken Link third-party-advisory x_refsource_secunia
http://secunia.com/advisories/17360
Broken Link third-party-advisory x_refsource_secunia
http://secunia.com/advisories/17445
Broken Link vendor-advisory x_refsource_ubuntu
https://usn.ubuntu.com/206-1/
Broken Link, Vendor Advisory vendor-advisory x_refsource_redhat
http://www.redhat.com/support/errata/RHSA-2005-803.html
Broken Link third-party-advisory x_refsource_secunia
http://secunia.com/advisories/17231
Broken Link third-party-advisory x_refsource_secunia
http://secunia.com/advisories/17230
Broken Link third-party-advisory x_refsource_secunia
http://secunia.com/advisories/17340
Broken Link third-party-advisory x_refsource_secunia
http://secunia.com/advisories/20383
Mailing List, Third Party Advisory vendor-advisory x_refsource_debian
http://www.debian.org/security/2005/dsa-874
Mailing List, Third Party Advisory vendor-advisory x_refsource_debian
http://www.debian.org/security/2005/dsa-876

Scores

CVSS v3 9.8
EPSS 0.3044
EPSS Percentile 96.8%
Attack Vector NETWORK
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

Details

CWE CWE-131
Status published
Products (3)
debian/debian_linux 3.0
debian/debian_linux 3.1
invisible-island/lynx < 2.8.6
Published Oct 17, 2005
Tracked Since Feb 18, 2026