cbcvebase.
CVE-2006-3086
published 2006-06-19

CVE-2006-3086: Stack-based buffer overflow in the HrShellOpenWithMonikerDisplayName function in Microsoft Hyperlink Object Library (hlink.dll) allows remote attackers to…

PriorityP351critical9.3CVSS 2.0
AVNACMAuNCCICAC
EXPLOIT
EPSS
56.46%
98.9th percentile
Stack-based buffer overflow in the HrShellOpenWithMonikerDisplayName function in Microsoft Hyperlink Object Library (hlink.dll) allows remote attackers to cause a denial of service (crash) and possibly execute arbitrary code via a long hyperlink, as demonstrated using an Excel worksheet with a long link in Unicode, aka "Hyperlink COM Object Buffer Overflow Vulnerability." NOTE: this is a different issue than CVE-2006-3059.

Affected

5 ranges
VendorProductVersion rangeFixed in
microsoftexcel
microsoftexcel
microsoftexcel
microsoftexcel
microsoftexcel_viewer

Detection & IOCsextracted from sources · hover to see the quote

filenamehlink.dll
commandAAAAAAAAAAAAAAAAAAAAAA\ (x500, written as Unicode hyperlink URL via write_url)
  • Trigger is a long Unicode hyperlink embedded in an Excel worksheet; look for XLS files containing abnormally long hyperlink URLs (e.g., repeated backslash-delimited segments ~500 iterations) targeting hlink.dll's HrShellOpenWithMonikerDisplayName function.
  • Monitor for crashes or faults originating from hlink.dll, specifically in the HrShellOpenWithMonikerDisplayName function, when processing hyperlinks from Office documents.
  • The PoC writes a URL of 500 repetitions of 'AAAAAAAAAAAAAAAAAAAAAA\' into cell (0,0) of an XLS file; inspect hyperlink record lengths in BIFF-format XLS files for oversized Unicode URL fields.
  • ·This is a PoC (Proof of Concept) demonstrating a crash/DoS; arbitrary code execution has not been confirmed in the PoC but is noted as possible in the CVE description.
  • ·CVE-2006-3086 is explicitly noted as a distinct issue from CVE-2006-3059, though both involve hyperlink handling in Excel.

CVSS provenance

nvdv2.09.3CRITICALAV:N/AC:M/Au:N/C:C/I:C/A:C
vulncheck9.3CRITICAL
CVEs like this are exactly what “Exploited This Week” covers.

Every Monday: what got weaponized or added to CISA KEV in the last seven days — each CVE cross-linked to its PoC, Nuclei template, and detection rule. Free, one email a week, unsubscribe in one click.