CVE-2006-4071

Microsoft Windows XP and Server 2003 - Denial of Service via WMF File Sign Extension

Title source: llm

Exploitation Summary

EIP tracks 1 public exploit for CVE-2006-4071. PoCs published by cyanid-E.

AI-analyzed exploit summary: This Perl script generates a malformed WMF file that triggers a denial-of-service vulnerability in Windows Explorer when the folder containing the file is browsed. The exploit leverages a parsing flaw in the handling of WMF files.

Description

Sign extension vulnerability in the createBrushIndirect function in the GDI library (gdi32.dll) in Microsoft Windows XP, Server 2003, and possibly other versions, allows user-assisted attackers to cause a denial of service (application crash) via a crafted WMF file.

Exploits (1)

exploitdb · WORKING POC · VERIFIED
by cyanid-E · perl · dos · windows
https://www.exploit-db.com/exploits/3111

Classification
Working PoC 90%
Attack Type: DoS
Complexity: Trivial
Reliability: Reliable
Target: Microsoft Windows Explorer (affected versions include Windows XP)
No auth needed
Prerequisites: Ability to place a file in a directory accessible to the target user
devstral-2 · analyzed Feb 16, 2026

References (13)

Core References
Third Party Advisory, VDB Entry vdb-entry x_refsource_xf
https://exchange.xforce.ibmcloud.com/vulnerabilities/28281
Exploit, Vendor Advisory third-party-advisory x_refsource_secunia
http://secunia.com/advisories/21377
Third Party Advisory, VDB Entry mailing-list x_refsource_bugtraq
http://www.securityfocus.com/archive/1/456585/100/0/threaded
Third Party Advisory, VDB Entry vdb-entry x_refsource_bid
http://www.securityfocus.com/bid/19365
Exploit, Third Party Advisory exploit x_refsource_exploit-db
https://www.exploit-db.com/exploits/3111
Third Party Advisory vdb-entry x_refsource_vupen
http://www.vupen.com/english/advisories/2006/3180
Third Party Advisory third-party-advisory x_refsource_sreason
http://securityreason.com/securityalert/1353
Third Party Advisory, VDB Entry vdb-entry x_refsource_bid
http://www.securityfocus.com/bid/21992
Third Party Advisory, VDB Entry mailing-list x_refsource_bugtraq
http://www.securityfocus.com/archive/1/442426/100/0/threaded
Third Party Advisory, VDB Entry mailing-list x_refsource_bugtraq
http://www.securityfocus.com/archive/1/442420/100/0/threaded

Scores

EPSS: 0.2270
EPSS Percentile: 97.4%

Details

Status: published
Products (3)
microsoft/windows_2003_server r2
microsoft/windows_2003_server sp1
microsoft/windows_xp (3 CPE variants)
Published: Aug 10, 2006
Tracked Since: Feb 18, 2026