CVE-2003-0028


Integer overflow in the xdrmem_getbytes() function, and possibly other functions, of XDR (external data representation) libraries derived from SunRPC, including libnsl, libc, glibc, and dietlibc, allows remote attackers to execute arbitrary code via certain integer values in length fields, a different vulnerability than CVE-2002-0391.

Published: 2003-03-25 Last update: 2026-04-16 Assigner: [email protected] Source: [email protected]

Conclusion & alert: CVE-2003-0028 is rated High Exploit Risk (76.9/100): CVSS High severity, with high exploitation likelihood (EPSS 56.05%, 98th percentile). Core evidence: 1 public exploit reference is indexed (Exploit-DB). Mandatory action: public exploits are available; assess exposure, apply mitigations, and prioritize patching.

Risk is dynamic; we continuously reassess and refresh what is shown on this page as upstream context changes.

Public exploit references (Exploit-DB) for CVE-2003-0028

EDB-ID Source Kind Published Link
nvd_ref exploit_tag Exploit-DB

Exploit prediction scoring system (EPSS) score for CVE-2003-0028

EPSS summary: the daily EPSS score estimates the relative likelihood of exploitation; the percentile ranks this CVE among all scored vulnerabilities (a higher percentile means a more severe relative rank).

# Date Old EPSS score New EPSS score Delta (New - Old)
1 2025-03-30 58.40% 56.05% -2.35%
2 2025-03-29 56.05% 58.40% +2.35%
3 2025-03-17 56.05%

Full EPSS history (8 records total)

Common vulnerability scoring system (CVSS) metrics for CVE-2003-0028

CVSS metrics for this CVE.

Base score Version Severity Vector Exploitability Impact Score source
7.5 2.0 HIGH AV:N/AC:L/Au:N/C:P/I:P/A:P 10.0 6.4 [email protected]

Vector breakdown:
Access vector (AV:N): exploitable remotely over the network.
Access complexity (AC:L): exploitation conditions are straightforward and predictable.
Authentication (Au:N): no authentication is required.
Confidentiality impact (C:P): partial confidentiality impact.
Integrity impact (I:P): partial integrity impact.
Availability impact (A:P): partial availability impact.

Weakness enumeration for CVE-2003-0028

OS Trackers for CVE-2003-0028

vendor priority summary link
debian not yet assigned Debian has not yet assigned a priority; the tracker covers 3 source packages (dietlibc, glibc, krb5) with 15 status rows across 5 suites (bookworm, bullseye, forky, sid, trixie), all 15 resolved. https://security-tracker.debian.org/tracker/CVE-2003-0028
redhat critical https://access.redhat.com/security/cve/CVE-2003-0028
suse medium SUSE rates the severity moderate; the tracker covers 5 source package names (libtirpc, libtirpc-devel, libtirpc-netconfig, libtirpc3, libtirpc3-32bit) with 150 product×package rows across 38 product lines (SUSE CaaS Platform 4.0, SUSE Enterprise Storage 7, … (38 product lines)), all 150 Known Not Affected. https://www.suse.com/security/cve/CVE-2003-0028/

Affected software / configurations for CVE-2003-0028

Vendor Product Version Raw CPE
gnu glibc 2.1 cpe:2.3:a:gnu:glibc:2.1:*:*:*:*:*:*:*
gnu glibc 2.1.1 cpe:2.3:a:gnu:glibc:2.1.1:*:*:*:*:*:*:*
gnu glibc 2.1.2 cpe:2.3:a:gnu:glibc:2.1.2:*:*:*:*:*:*:*
gnu glibc 2.1.3 cpe:2.3:a:gnu:glibc:2.1.3:*:*:*:*:*:*:*
gnu glibc 2.2 cpe:2.3:a:gnu:glibc:2.2:*:*:*:*:*:*:*
gnu glibc 2.2.1 cpe:2.3:a:gnu:glibc:2.2.1:*:*:*:*:*:*:*
gnu glibc 2.2.2 cpe:2.3:a:gnu:glibc:2.2.2:*:*:*:*:*:*:*
gnu glibc 2.2.3 cpe:2.3:a:gnu:glibc:2.2.3:*:*:*:*:*:*:*
gnu glibc 2.2.4 cpe:2.3:a:gnu:glibc:2.2.4:*:*:*:*:*:*:*
gnu glibc 2.2.5 cpe:2.3:a:gnu:glibc:2.2.5:*:*:*:*:*:*:*
gnu glibc 2.3 cpe:2.3:a:gnu:glibc:2.3:*:*:*:*:*:*:*
gnu glibc 2.3.1 cpe:2.3:a:gnu:glibc:2.3.1:*:*:*:*:*:*:*
gnu glibc 2.3.2 cpe:2.3:a:gnu:glibc:2.3.2:*:*:*:*:*:*:*
mit kerberos_5 1.2 cpe:2.3:a:mit:kerberos_5:1.2:*:*:*:*:*:*:*
mit kerberos_5 1.2.1 cpe:2.3:a:mit:kerberos_5:1.2.1:*:*:*:*:*:*:*
mit kerberos_5 1.2.2 cpe:2.3:a:mit:kerberos_5:1.2.2:*:*:*:*:*:*:*
mit kerberos_5 1.2.3 cpe:2.3:a:mit:kerberos_5:1.2.3:*:*:*:*:*:*:*
mit kerberos_5 1.2.4 cpe:2.3:a:mit:kerberos_5:1.2.4:*:*:*:*:*:*:*
mit kerberos_5 1.2.5 cpe:2.3:a:mit:kerberos_5:1.2.5:*:*:*:*:*:*:*
mit kerberos_5 1.2.6 cpe:2.3:a:mit:kerberos_5:1.2.6:*:*:*:*:*:*:*
mit kerberos_5 1.2.7 cpe:2.3:a:mit:kerberos_5:1.2.7:*:*:*:*:*:*:*
openafs openafs 1.0 cpe:2.3:a:openafs:openafs:1.0:*:*:*:*:*:*:*
openafs openafs 1.0.1 cpe:2.3:a:openafs:openafs:1.0.1:*:*:*:*:*:*:*
openafs openafs 1.0.2 cpe:2.3:a:openafs:openafs:1.0.2:*:*:*:*:*:*:*
openafs openafs 1.0.3 cpe:2.3:a:openafs:openafs:1.0.3:*:*:*:*:*:*:*
openafs openafs 1.0.4 cpe:2.3:a:openafs:openafs:1.0.4:*:*:*:*:*:*:*
openafs openafs 1.0.4a cpe:2.3:a:openafs:openafs:1.0.4a:*:*:*:*:*:*:*
openafs openafs 1.1 cpe:2.3:a:openafs:openafs:1.1:*:*:*:*:*:*:*
openafs openafs 1.1.1 cpe:2.3:a:openafs:openafs:1.1.1:*:*:*:*:*:*:*
openafs openafs 1.1.1a cpe:2.3:a:openafs:openafs:1.1.1a:*:*:*:*:*:*:*
openafs openafs 1.2 cpe:2.3:a:openafs:openafs:1.2:*:*:*:*:*:*:*
openafs openafs 1.2.1 cpe:2.3:a:openafs:openafs:1.2.1:*:*:*:*:*:*:*
openafs openafs 1.2.2 cpe:2.3:a:openafs:openafs:1.2.2:*:*:*:*:*:*:*
openafs openafs 1.2.2a cpe:2.3:a:openafs:openafs:1.2.2a:*:*:*:*:*:*:*
openafs openafs 1.2.2b cpe:2.3:a:openafs:openafs:1.2.2b:*:*:*:*:*:*:*
openafs openafs 1.2.3 cpe:2.3:a:openafs:openafs:1.2.3:*:*:*:*:*:*:*
openafs openafs 1.2.4 cpe:2.3:a:openafs:openafs:1.2.4:*:*:*:*:*:*:*
openafs openafs 1.2.5 cpe:2.3:a:openafs:openafs:1.2.5:*:*:*:*:*:*:*
openafs openafs 1.2.6 cpe:2.3:a:openafs:openafs:1.2.6:*:*:*:*:*:*:*
openafs openafs 1.3 cpe:2.3:a:openafs:openafs:1.3:*:*:*:*:*:*:*
openafs openafs 1.3.1 cpe:2.3:a:openafs:openafs:1.3.1:*:*:*:*:*:*:*
openafs openafs 1.3.2 cpe:2.3:a:openafs:openafs:1.3.2:*:*:*:*:*:*:*
sgi irix 6.5 cpe:2.3:o:sgi:irix:6.5:*:*:*:*:*:*:*
sgi irix 6.5.1 cpe:2.3:o:sgi:irix:6.5.1:*:*:*:*:*:*:*
sgi irix 6.5.2 cpe:2.3:o:sgi:irix:6.5.2:*:*:*:*:*:*:*
sgi irix 6.5.2f cpe:2.3:o:sgi:irix:6.5.2f:*:*:*:*:*:*:*
sgi irix 6.5.2m cpe:2.3:o:sgi:irix:6.5.2m:*:*:*:*:*:*:*
sgi irix 6.5.3 cpe:2.3:o:sgi:irix:6.5.3:*:*:*:*:*:*:*
sgi irix 6.5.3f cpe:2.3:o:sgi:irix:6.5.3f:*:*:*:*:*:*:*
sgi irix 6.5.3m cpe:2.3:o:sgi:irix:6.5.3m:*:*:*:*:*:*:*
sgi irix 6.5.4 cpe:2.3:o:sgi:irix:6.5.4:*:*:*:*:*:*:*
sgi irix 6.5.4f cpe:2.3:o:sgi:irix:6.5.4f:*:*:*:*:*:*:*
sgi irix 6.5.4m cpe:2.3:o:sgi:irix:6.5.4m:*:*:*:*:*:*:*
sgi irix 6.5.5 cpe:2.3:o:sgi:irix:6.5.5:*:*:*:*:*:*:*
sgi irix 6.5.5f cpe:2.3:o:sgi:irix:6.5.5f:*:*:*:*:*:*:*
sgi irix 6.5.5m cpe:2.3:o:sgi:irix:6.5.5m:*:*:*:*:*:*:*
sgi irix 6.5.6 cpe:2.3:o:sgi:irix:6.5.6:*:*:*:*:*:*:*
sgi irix 6.5.6f cpe:2.3:o:sgi:irix:6.5.6f:*:*:*:*:*:*:*
sgi irix 6.5.6m cpe:2.3:o:sgi:irix:6.5.6m:*:*:*:*:*:*:*
sgi irix 6.5.7 cpe:2.3:o:sgi:irix:6.5.7:*:*:*:*:*:*:*
sgi irix 6.5.7f cpe:2.3:o:sgi:irix:6.5.7f:*:*:*:*:*:*:*
sgi irix 6.5.7m cpe:2.3:o:sgi:irix:6.5.7m:*:*:*:*:*:*:*
sgi irix 6.5.8 cpe:2.3:o:sgi:irix:6.5.8:*:*:*:*:*:*:*
sgi irix 6.5.8f cpe:2.3:o:sgi:irix:6.5.8f:*:*:*:*:*:*:*
sgi irix 6.5.8m cpe:2.3:o:sgi:irix:6.5.8m:*:*:*:*:*:*:*
sgi irix 6.5.9 cpe:2.3:o:sgi:irix:6.5.9:*:*:*:*:*:*:*
sgi irix 6.5.9f cpe:2.3:o:sgi:irix:6.5.9f:*:*:*:*:*:*:*
sgi irix 6.5.9m cpe:2.3:o:sgi:irix:6.5.9m:*:*:*:*:*:*:*
sgi irix 6.5.10 cpe:2.3:o:sgi:irix:6.5.10:*:*:*:*:*:*:*
sgi irix 6.5.10f cpe:2.3:o:sgi:irix:6.5.10f:*:*:*:*:*:*:*
sgi irix 6.5.10m cpe:2.3:o:sgi:irix:6.5.10m:*:*:*:*:*:*:*
sgi irix 6.5.11 cpe:2.3:o:sgi:irix:6.5.11:*:*:*:*:*:*:*
sgi irix 6.5.11f cpe:2.3:o:sgi:irix:6.5.11f:*:*:*:*:*:*:*
sgi irix 6.5.11m cpe:2.3:o:sgi:irix:6.5.11m:*:*:*:*:*:*:*
sgi irix 6.5.12 cpe:2.3:o:sgi:irix:6.5.12:*:*:*:*:*:*:*
sgi irix 6.5.12f cpe:2.3:o:sgi:irix:6.5.12f:*:*:*:*:*:*:*
sgi irix 6.5.12m cpe:2.3:o:sgi:irix:6.5.12m:*:*:*:*:*:*:*
sgi irix 6.5.13 cpe:2.3:o:sgi:irix:6.5.13:*:*:*:*:*:*:*
sgi irix 6.5.13f cpe:2.3:o:sgi:irix:6.5.13f:*:*:*:*:*:*:*
sgi irix 6.5.13m cpe:2.3:o:sgi:irix:6.5.13m:*:*:*:*:*:*:*

References for CVE-2003-0028

URL Tags
ftp://ftp.netbsd.org/pub/NetBSD/security/advisories/NetBSD-SA2003-008.txt.asc
http://archives.neohapsis.com/archives/vulnwatch/2003-q1/0140.html
http://marc.info/?l=bugtraq&m=104810574423662&w=2
http://marc.info/?l=bugtraq&m=104811415301340&w=2
http://marc.info/?l=bugtraq&m=104860855114117&w=2
http://marc.info/?l=bugtraq&m=104878237121402&w=2
http://marc.info/?l=bugtraq&m=105362148313082&w=2
http://www.cert.org/advisories/CA-2003-10.html Patch Third Party Advisory US Government Resource
http://www.debian.org/security/2003/dsa-266
http://www.debian.org/security/2003/dsa-272
http://www.debian.org/security/2003/dsa-282
http://www.eeye.com/html/Research/Advisories/AD20030318.html Exploit Vendor Advisory
http://www.kb.cert.org/vuls/id/516825 US Government Resource
http://www.linuxsecurity.com/advisories/engarde_advisory-3024.html
http://www.mandriva.com/security/advisories?name=MDKSA-2003:037
http://www.novell.com/linux/security/advisories/2003_027_glibc.html
http://www.redhat.com/support/errata/RHSA-2003-051.html
http://www.redhat.com/support/errata/RHSA-2003-052.html
http://www.redhat.com/support/errata/RHSA-2003-089.html
http://www.redhat.com/support/errata/RHSA-2003-091.html
http://www.securityfocus.com/archive/1/315638/30/25430/threaded
http://www.securityfocus.com/archive/1/316931/30/25250/threaded
http://www.securityfocus.com/archive/1/316960/30/25250/threaded
https://oval.cisecurity.org/repository/search/definition/oval%3Aorg.mitre.oval%3Adef%3A230
https://security.netapp.com/advisory/ntap-20150122-0002/