CVE-2011-0654
Published 2011-02-16

Priority: P2 (70, critical)
CVSS 2.0: 10 (AV:N/AC:L/Au:N/C:C/I:C/A:C)
Exploit: EXPLOIT
EPSS: 68.08% (99.2nd percentile)
Integer underflow in the BowserWriteErrorLogEntry function in the Common Internet File System (CIFS) browser service in Mrxsmb.sys or bowser.sys in Active Directory in Microsoft Windows XP SP2 and SP3, Windows Server 2003 SP2, Windows Vista SP1 and SP2, Windows Server 2008 Gold, SP2, R2, and R2 SP1, and Windows 7 Gold and SP1 allows remote attackers to execute arbitrary code or cause a denial of service (system crash) via a malformed BROWSER ELECTION message, leading to a heap-based buffer overflow, aka "Browser Pool Corruption Vulnerability." NOTE: some of these details are obtained from third party information.

Detection & IOCs (extracted from sources)

port: 138/UDP
path: \MAILSLOT\BROWSER
path: \MAILSLOT\BROWSE
filename: Mrxsmb.sys
filename: bowser.sys
command: BROWSER ELECTION message (SMB opcode 0x25, browser command 0x08)
bytes: ff 53 4d 42
  • Detect malformed BROWSER ELECTION messages sent over UDP port 138 to the \MAILSLOT\BROWSER mailslot; the exploit sends a crafted election packet with an oversized source name (~60–410 'A' bytes), triggering an integer underflow in BowserWriteErrorLogEntry.
  • Monitor for the integer underflow condition in the kernel pool: the resulting memcpy length is fixed at -2 (0xFFFFFFFE), causing large kernel heap corruption. Look for unexpected kernel pool corruption crash dumps (BSODs) on Windows Server 2003 domain controllers.
  • Alert on SMB datagram (UDP/138) traffic containing the SMB command byte 0x25 (Trans) directed at the MAILSLOT\BROWSER mailslot with anomalously large payload lengths, particularly from non-domain-member hosts.
  • Focus detection on Windows Server 2003 domain controllers; the vulnerability is specifically triggered in the CIFS browser service when the host is configured as a domain controller.
  • The exploit is broadcast-capable (SO_BROADCAST socket option set); monitor for UDP/138 broadcast traffic containing BROWSER ELECTION frames with unusually long source name fields as a network-level detection.
  • Remote code execution is considered unlikely; the vulnerability is most practically exploitable as a local or broadcast-context DoS. The integer underflow produces a fixed memcpy length of 0xFFFFFFFE, making controlled exploitation extremely difficult.
  • The exploit is effective in broadcast and pre-authentication context, meaning no credentials are required and the attacker only needs network adjacency (broadcast domain) to trigger the vulnerability.