CVE-2013-1950

libtirpc < 0.2.3 - Denial of Service via Crafted Sun RPC Arguments

Title source: llm
STIX 2.1

Exploitation Summary

EIP tracks 1 public exploit for CVE-2013-1950. PoCs published by Sean Verity.

AI-analyzed exploit summary This Ruby script exploits CVE-2013-1950 by sending a malformed UDP packet to rpcbind with an argument length > 8944, causing a crash. It targets the CALLIT procedure in rpcbind versions affected by this vulnerability.

Description

The svc_dg_getargs function in libtirpc 0.2.3 and earlier allows remote attackers to cause a denial of service (rpcbind crash) via a Sun RPC request with crafted arguments that trigger a free of an invalid pointer.

Exploits (1)

exploitdb WORKING POC
by Sean Verity · rubydoslinux
https://www.exploit-db.com/exploits/26887

This Ruby script exploits CVE-2013-1950 by sending a malformed UDP packet to rpcbind with an argument length > 8944, causing a crash. It targets the CALLIT procedure in rpcbind versions affected by this vulnerability.

Classification
Working Poc 100%
Attack Type
Dos
Complexity
Trivial
Reliability
Reliable
Target: rpcbind-0.2.0-19
No auth needed
Prerequisites: Network access to the target's rpcbind service (port 111/UDP)
devstral-2 · analyzed Feb 16, 2026 Full analysis →

References (3)

Core 3
Core References
Issue Tracking x_refsource_confirm
https://bugzilla.redhat.com/show_bug.cgi?id=948378
Vendor Advisory vendor-advisory x_refsource_redhat
http://rhn.redhat.com/errata/RHSA-2013-0884.html

Scores

EPSS 0.0646
EPSS Percentile 92.9%

Details

CWE
CWE-399
Status published
Products (8)
libtirpc_project/libtirpc 0.1.8
libtirpc_project/libtirpc 0.1.9
libtirpc_project/libtirpc 0.1.10
libtirpc_project/libtirpc 0.1.11
libtirpc_project/libtirpc 0.2.0
libtirpc_project/libtirpc 0.2.1
libtirpc_project/libtirpc 0.2.2
libtirpc_project/libtirpc < 0.2.3
Published Jul 09, 2013
Tracked Since Feb 18, 2026