CVE-2000-0305 in Windows
Summary
by MITRE
Windows 95, Windows 98, Windows 2000, Windows NT 4.0, and Terminal Server systems allow a remote attacker to cause a denial of service by sending a large number of identical fragmented IP packets, aka jolt2 or the "IP Fragment Reassembly" vulnerability.
Analysis
by VulDB Data Team • 10/16/2025
The vulnerability described in CVE-2000-0305 represents a critical denial of service flaw affecting multiple Microsoft Windows operating systems including Windows 95, Windows 98, Windows 2000, Windows NT 4.0, and Terminal Server implementations. This vulnerability operates through a specific weakness in the Internet Protocol fragment reassembly mechanism that is fundamental to network communication protocols. The flaw enables attackers to exploit the way these systems handle fragmented IP packets, creating a condition that can render network services unavailable to legitimate users.
The vulnerability stems from improper handling of IP packet fragmentation within the Windows TCP/IP stack. When the operating system receives a large number of identical fragmented IP packets, it attempts to reassemble them in memory, and the process becomes inefficient and resource-intensive. The flaw lies in the IP fragment reassembly algorithm, which processes identical incoming fragments repeatedly without deduplicating them. System resources are consumed rapidly, leading to system instability and eventually to a denial of service. The attack pattern involves sending multiple fragments with the same identification number, so that the target system continuously processes and reassembles them until available memory or processing capacity is exhausted.
The operational impact of CVE-2000-0305 extends beyond simple service disruption to potentially compromise entire network infrastructures. Systems affected by this vulnerability can experience complete network connectivity loss, application failures, and system crashes that require manual intervention to restore normal operations. Network administrators may observe unusual system behavior including high CPU utilization, memory exhaustion, and network interface degradation. The vulnerability is particularly dangerous because it can be exploited remotely without requiring authentication, making it an attractive vector for attackers seeking to disrupt services. This weakness directly maps to CWE-129, which describes improper handling of fragment reassembly in network protocols, and aligns with ATT&CK technique T1498, which covers network denial of service attacks that target system resources.
Mitigation strategies for this vulnerability require immediate implementation of network-level protections and system updates. Organizations should deploy firewall rules that limit the number of identical fragments allowed through network boundaries, effectively preventing the attack from reaching vulnerable systems. Network administrators should also implement rate limiting mechanisms to control fragment processing rates and consider disabling unnecessary network services that may expose systems to this attack vector. Microsoft released patches for affected Windows versions that addressed the underlying TCP/IP stack implementation issues, though many systems remained vulnerable due to delayed patch deployment. The vulnerability highlights the importance of proper network protocol implementation and demonstrates how seemingly minor flaws in core networking components can lead to catastrophic system failures. Security teams should also implement monitoring solutions that can detect unusual fragmentation patterns and alert administrators to potential exploitation attempts, as this vulnerability can be used as part of broader attack campaigns targeting network availability.
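The monitoring idea above, sketched as an added example (not VulDB or Microsoft code): it counts IPv4 fragments that repeat the same source, destination, protocol, identification number, offset and MF flag within a time window and reports the ones above a threshold. The function names, the one-second window, the threshold of 50 and the sample capture are assumptions made for the illustration.

```python
import struct
from collections import Counter

WINDOW_SECONDS = 1.0   # assumed counting window
DUP_THRESHOLD = 50     # assumed alert threshold; tune against normal traffic

def fragment_key(pkt):
    """Return (src, dst, proto, id, offset, MF) for an IPv4 fragment, else None."""
    if len(pkt) < 20 or pkt[0] >> 4 != 4:
        return None                      # truncated or not IPv4
    ident, flags_off = struct.unpack_from("!HH", pkt, 4)
    more = bool(flags_off & 0x2000)      # MF (more fragments) flag
    offset = (flags_off & 0x1FFF) * 8    # fragment offset in bytes
    if not more and offset == 0:
        return None                      # whole datagram, not a fragment
    return (pkt[12:16], pkt[16:20], pkt[9], ident, offset, more)

def find_repeated_fragments(capture, window=WINDOW_SECONDS, threshold=DUP_THRESHOLD):
    """capture: iterable of (timestamp, raw IPv4 bytes). Returns alert dicts."""
    counts = Counter()
    for ts, pkt in capture:
        key = fragment_key(pkt)
        if key is not None:
            counts[(int(ts // window), key)] += 1
    alerts = []
    for (bucket, key), n in sorted(counts.items()):
        if n >= threshold:               # same fragment seen too often in one window
            src, dst, proto, ident, offset, more = key
            alerts.append({"window_start": bucket * window, "count": n,
                           "src": ".".join(map(str, src)),
                           "dst": ".".join(map(str, dst)),
                           "ip_id": ident, "offset": offset})
    return alerts

def sample_header(src, dst, ident, offset, more):
    """Constructed 20-byte IPv4 header for the sample data (checksum left 0)."""
    flags_off = (0x2000 if more else 0) | (offset // 8)
    return struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20, ident, flags_off,
                       64, 1, 0, bytes(src), bytes(dst))

def sample_capture():
    """Constructed capture: normal fragments, a whole packet, 200 repeats."""
    a, b, c = (192, 0, 2, 10), (198, 51, 100, 5), (203, 0, 113, 7)
    cap = [(0.1, sample_header(a, b, 7, 0, True)),
           (0.1, sample_header(a, b, 7, 1480, True)),
           (0.1, sample_header(a, b, 7, 2960, False)),
           (0.2, sample_header(a, b, 8, 0, False))]
    cap += [(2.0 + i / 1000, sample_header(c, b, 0x1234, 64, False)) for i in range(200)]
    return cap
```

Calling `find_repeated_fragments(sample_capture())` reports only the 200 repeated fragments; the normally fragmented datagram stays below the threshold because each of its fragments has a different offset.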