CVE-1999-1157 in Windows

Summary

by MITRE

Tcpip.sys in Windows NT 4.0 before SP4 allows remote attackers to cause a denial of service via an ICMP Subnet Mask Address Request packet, when certain multiple IP addresses are bound to the same network interface.


Analysis

by VulDB Data Team • 04/20/2026

The vulnerability described in CVE-1999-1157 represents a critical denial of service weakness within the Windows NT 4.0 operating system's tcpip.sys kernel driver. This flaw specifically affects systems running Windows NT 4.0 prior to Service Pack 4, where the network protocol stack fails to properly handle certain ICMP Subnet Mask Address Request packets. The vulnerability operates through a specific condition where multiple IP addresses are configured on the same network interface, creating a scenario that triggers a system crash or reboot when processed by the affected kernel component.

The technical mechanism behind this vulnerability involves the improper handling of ICMP packets within the tcpip.sys driver, which is responsible for managing TCP/IP networking functions at the kernel level. When an attacker sends an ICMP Subnet Mask Address Request packet to a vulnerable system, the driver fails to validate or properly process the packet structure, particularly when multiple IP addresses are bound to a single network interface. This processing error leads to kernel-level memory corruption or execution flow disruption that results in system instability. The vulnerability is classified under CWE-121 as a buffer overflow condition, though it manifests through improper input validation rather than traditional buffer manipulation.

The operational impact of this vulnerability extends beyond simple service interruption, as it can cause complete system downtime across affected Windows NT 4.0 installations. Network administrators and security professionals must recognize that this vulnerability can be exploited remotely without authentication, making it particularly dangerous in networked environments. Systems with multiple IP addresses on a single interface, a configuration common in enterprise environments for redundancy and load balancing purposes, become prime targets for exploitation. The attack vector specifically leverages the ICMP protocol, which is fundamental to network operations, making detection difficult as legitimate network traffic may be indistinguishable from malicious packets.

This vulnerability aligns with ATT&CK technique T1499.004 for network denial of service attacks and demonstrates how kernel-level flaws can be exploited for system-wide disruption. The exploitation requires minimal technical expertise and can be automated, making it attractive to threat actors seeking to disrupt services. Organizations running Windows NT 4.0 systems without Service Pack 4 should treat this vulnerability as a high-priority risk, particularly in environments where network availability is critical. The recommended mitigation strategy is to apply Microsoft's Service Pack 4 update, which includes patches to the tcpip.sys driver that properly handle ICMP Subnet Mask Address Request packets. Additionally, network segmentation and firewall rules can be implemented to restrict ICMP traffic where possible, though this approach may impact legitimate network functions and should be carefully considered in enterprise environments.
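As an added example of the ICMP filtering mentioned above (not VulDB's or Microsoft's code), the following Python classifies raw IPv4 packets at a perimeter sensor and flags ICMP type 17, the Address Mask Request defined in RFC 950. The function names, the drop policy and the sample packets using 192.0.2.0/24 documentation addresses are assumptions constructed for this example.

```python
import struct

ICMP_PROTO = 1
ADDR_MASK_REQUEST = 17  # ICMP type 17 = Address Mask Request (RFC 950)

def inet_checksum(data: bytes) -> int:
    """RFC 1071 one's-complement checksum."""
    if len(data) % 2:
        data += b"\x00"
    total = sum(struct.unpack(f"!{len(data) // 2}H", data))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return ~total & 0xFFFF

def classify(packet: bytes) -> str:
    """Classify a raw IPv4 packet: 'mask-request', 'malformed' or 'other'."""
    if len(packet) < 20 or packet[0] >> 4 != 4:
        return "malformed"
    ihl = (packet[0] & 0x0F) * 4          # header length; options make it > 20
    total_len = struct.unpack("!H", packet[2:4])[0]
    if ihl < 20 or total_len < ihl or total_len > len(packet):
        return "malformed"
    if packet[9] != ICMP_PROTO:
        return "other"
    if struct.unpack("!H", packet[6:8])[0] & 0x1FFF:
        return "other"                    # later fragment: no ICMP header here
    icmp = packet[ihl:total_len]
    if len(icmp) < 8:
        return "malformed"
    if icmp[0] != ADDR_MASK_REQUEST:
        return "other"
    # A well-formed request is 12 bytes: type, code 0, checksum, id, seq, mask.
    if len(icmp) < 12 or icmp[1] != 0 or inet_checksum(icmp) != 0:
        return "malformed"
    return "mask-request"

def should_drop(packet: bytes) -> bool:
    """Perimeter policy (assumed): drop mask requests and malformed packets."""
    return classify(packet) != "other"

def sample_packet(icmp_type: int, options: bytes = b"") -> bytes:
    """Constructed test input: IPv4 + 12-byte ICMP body, TEST-NET addresses."""
    body = struct.pack("!BBHHHI", icmp_type, 0, 0, 1, 1, 0)
    body = body[:2] + struct.pack("!H", inet_checksum(body)) + body[4:]
    ihl = 5 + len(options) // 4
    header = struct.pack("!BBHHHBBH4s4s", (4 << 4) | ihl, 0,
                         20 + len(options) + len(body), 0, 0, 64, ICMP_PROTO, 0,
                         bytes([192, 0, 2, 10]), bytes([192, 0, 2, 20]))
    return header + options + body
```

The classifier does not verify the IPv4 header checksum and assumes fragments are reassembled upstream of the sensor.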

Disclosure

12/31/1999

Moderation

accepted

Entry

VDB-15142

CPE

ready

EPSS

0.13344

KEV

no

Activities

very low
