CERT, the US government-backed institute that monitors Internet security, said the vulnerability exists in a function used by the Common Desktop Environment (CDE) sub-process control service, which is responsible for accepting requests from clients to execute commands and open applications remotely.
Because of an error in the way requests from remote clients are validated, crackers could supply malformed request data and cause a buffer overflow.
The CDE is an integrated graphical user interface that runs on Unix and Linux systems. The affected software includes several versions of Hewlett-Packard's HP-UX, IBM's AIX, Sun Microsystems' Solaris and Compaq's Tru64 Unix systems.
Patches to address the problem are available from some of the vendors, according to CERT.
But until patches are more widely available, the group has advised users to mitigate their exposure to the vulnerability by limiting or blocking access to the sub-process control service from untrusted networks.