CVE-2008-3465

high-risk

Published 2008-12-10

Heap-based buffer overflow in an API in GDI in Microsoft Windows 2000 SP4, XP SP2 and SP3, Server 2003 SP1 and SP2, Vista Gold and SP1, and Server 2008 allows context-dependent attackers to cause a denial of service or execute arbitrary code via a WMF file with a malformed file-size parameter, which would not be properly handled by a third-party application that uses this API for a copy operation, aka "GDI Heap Overflow Vulnerability."

Do I need to act?

45.8% chance of exploitation in next 30 days

EPSS score — higher than 54% of all CVEs

Not on CISA KEV list

No confirmed active exploitation reported to CISA

Patch status unknown

Check vendor advisories for fix availability and mitigation guidance

CVSS 9.8/10 Critical

NETWORK / LOW complexity

Affected Products (17)

Windows 2003 Server

Windows Server 2003

Windows Vista

Windows Xp

Windows 2000

Windows 2003 Server

Windows Server 2003

Windows Server 2008

Windows Vista

Windows Xp

Affected Vendors

Microsoft

References (10)

http://www.securitytracker.com/id?1021365

US Government Resource http://www.us-cert.gov/cas/techalerts/TA08-344A.html

http://www.vupen.com/english/advisories/2008/3383

https://docs.microsoft.com/en-us/security-updates/securitybulletins/2008/ms08-07...

https://oval.cisecurity.org/repository/search/definition/oval%3Aorg.mitre.oval%3...

http://www.securitytracker.com/id?1021365

US Government Resource http://www.us-cert.gov/cas/techalerts/TA08-344A.html

http://www.vupen.com/english/advisories/2008/3383

https://docs.microsoft.com/en-us/security-updates/securitybulletins/2008/ms08-07...

https://oval.cisecurity.org/repository/search/definition/oval%3Aorg.mitre.oval%3...

/ 100

high-risk

Severity 32/34 · Critical

Exploitability 17/34 · Moderate

Exposure 19/34 · Moderate