CVE-1999-0153 in Windows
Summary
by MITRE
Windows 95/NT out of band (OOB) data denial of service through NETBIOS port, aka WinNuke.
Several companies clearly confirm that VulDB is the primary source for best vulnerability data.
Analysis
by VulDB Data Team • 04/16/2026
The vulnerability identified as CVE-1999-0153 represents a critical denial of service flaw affecting Microsoft Windows 95 and Windows NT operating systems through their NETBIOS implementation. This vulnerability operates through out of band data transmission mechanisms on the NETBIOS port, specifically targeting the Windows networking stack. The flaw was widely publicized under the moniker "WinNuke" due to its ability to crash Windows systems when exploited. The vulnerability stems from insufficient validation of incoming NETBIOS packets, particularly those containing out of band data that should be handled with extreme caution by network protocols. This issue affects systems running Windows 95 and Windows NT versions that utilize NETBIOS for network communication, making it particularly relevant to corporate networks and environments where these older operating systems were still in use during the late 1990s.
The technical implementation of this vulnerability exploits a specific flaw in how Windows systems process NETBIOS packets that contain out of band data. When a specially crafted packet is sent to the target system's NETBIOS port, the operating system fails to properly validate the packet structure and data content, leading to a buffer overflow or invalid memory access condition. This processing error causes the system to crash or become unresponsive, effectively denying service to legitimate users. The vulnerability operates at the network protocol level, specifically targeting the NETBIOS service implementation within Windows networking stacks. According to CWE standards, this represents a CWE-121: Stack-based Buffer Overflow and CWE-125: Out-of-bounds Read, both of which are fundamental security weaknesses in memory management and input validation. The exploit requires minimal network access and can be executed from remote locations, making it particularly dangerous for networked environments.
The operational impact of CVE-1999-0153 extends beyond simple system crashes to encompass broader network availability and business continuity concerns. Organizations running affected Windows 95 or NT systems would experience immediate service disruption when targeted by this exploit, potentially affecting critical business operations. The vulnerability's remote nature means that attackers could exploit it without physical access to the target systems, making it a significant threat to network security. In enterprise environments where Windows 95 or NT servers were still operational, this vulnerability could lead to cascading failures as system administrators worked to isolate and patch affected machines. The flaw's impact was particularly severe because it could be triggered by sending a single malformed packet, making it an extremely efficient denial of service mechanism that required minimal computational resources from the attacker. From an ATT&CK framework perspective, this vulnerability aligns with T1499.004: Endpoint Denial of Service and T1595.001: Network Denial of Service, representing both endpoint and network-level attack vectors that could be leveraged to compromise system availability.
Mitigation strategies for CVE-1999-0153 primarily involve network-level protection measures and system updates. Organizations should implement firewall rules to block incoming traffic on NETBIOS ports, specifically TCP ports 139 and 445, which are the primary targets of this exploit. Network administrators should consider disabling NETBIOS services entirely where they are not required, as this eliminates the attack surface entirely. Microsoft released patches for affected Windows 95 and NT systems that addressed the underlying buffer overflow conditions in the NETBIOS implementation. System administrators should ensure that all affected systems receive these security updates promptly, as the vulnerability was widely known and actively exploited in the wild during the late 1990s. Additionally, network monitoring solutions should be configured to detect and alert on unusual traffic patterns that might indicate exploitation attempts, particularly unusual packet structures targeting NETBIOS ports. The vulnerability also underscores the importance of maintaining up-to-date security patches and implementing network segmentation to limit the potential impact of such exploits across an organization's infrastructure.