CVE-2008-3014
CVE-2008-3014 is a critical-severity vulnerability in Microsoft Digital Image Suite with a CVSS 2.0 base score of 9.3. Its EPSS exploit-prediction score of 37% places it in the 98th percentile, indicating an elevated likelihood of exploitation. The underlying weakness is classified as CWE-119.
Key facts
- Severity: Critical (CVSS 2.0 base score 9.3)
- EPSS exploit prediction: 37% (98th percentile)
- Actively exploited: Not listed in CISA KEV
- Weakness: CWE-119
- Affected product: Microsoft Digital Image Suite
- Published:
- Last modified:
Description
Buffer overflow in gdiplus.dll in GDI+ in Microsoft Internet Explorer 6 SP1, Windows XP SP2 and SP3, Server 2003 SP1 and SP2, Vista Gold and SP1, Server 2008, Office XP SP3, Office 2003 SP2 and SP3, 2007 Microsoft Office System Gold and SP1, Visio 2002 SP2, PowerPoint Viewer 2003, Works 8, Digital Image Suite 2006, SQL Server 2000 Reporting Services SP2, SQL Server 2005 SP2, Report Viewer 2005 SP1 and 2008, and Forefront Client Security 1.0 allows remote attackers to execute arbitrary code via a malformed WMF image file that triggers improper memory allocation, aka "GDI+ WMF Buffer Overrun Vulnerability."
Frequently asked questions
- What is CVE-2008-3014?
- Buffer overflow in gdiplus.dll in GDI+ in Microsoft Internet Explorer 6 SP1, Windows XP SP2 and SP3, Server 2003 SP1 and SP2, Vista Gold and SP1, Server 2008, Office XP SP3, Office 2003 SP2 and SP3, 2007 Microsoft Office System Gold and SP1, Visio 2002 SP2, PowerPoint Viewer 2003, Works 8, Digital Image Suite 2006, SQL Server 2000 Reporting Services SP2, SQL Server 2005 SP2, Report Viewer 2005 SP1 and 2008, and Forefront Client Security 1.0 allows remote attackers to execute arbitrary code via a malformed WMF image file that triggers improper memory allocation, aka "GDI+ WMF Buffer Overrun Vulnerability."
- How severe is CVE-2008-3014?
- CVE-2008-3014 has a CVSS 2.0 base score of 9.3, rated critical severity.
- Is CVE-2008-3014 being actively exploited?
- It is not currently listed in CISA's KEV catalog. Its EPSS exploit-prediction score is 37% (98th percentile), an estimate of the probability of exploitation in the next 30 days.
- What products are affected by CVE-2008-3014?
- CVE-2008-3014 primarily affects Microsoft Digital Image Suite. In total, 22 product configurations (CPEs) are listed as vulnerable; see the affected-products list for the exact versions.
- How do I fix CVE-2008-3014?
- Review the linked vendor and NVD advisories for patched versions and mitigations, then upgrade or apply the recommended workaround. Given its critical severity, prioritise patching exposed systems.
- When was CVE-2008-3014 published?
- CVE-2008-3014 was published on 2008-09-11 and last updated on 2026-06-16.
References
- http://marc.info/?l=bugtraq&m=122235754013992&w=2
- http://secunia.com/advisories/32154
- http://www.securityfocus.com/bid/31021
- http://www.securitytracker.com/id?1020837
- http://www.us-cert.gov/cas/techalerts/TA08-253A.html
- http://www.vupen.com/english/advisories/2008/2520
- http://www.vupen.com/english/advisories/2008/2696
- https://docs.microsoft.com/en-us/security-updates/securitybulletins/2008/ms08-052
- https://oval.cisecurity.org/repository/search/definition/oval%3Aorg.mitre.oval%3Adef%3A6004
Affected products (22)
- cpe:2.3:a:microsoft:digital_image_suite:2006:*:*:*:*:*:*:*
- cpe:2.3:a:microsoft:forefront_client_security:1.0:*:*:*:*:*:*:*
- cpe:2.3:a:microsoft:internet_explorer:6:sp1:*:*:*:*:*:*
- cpe:2.3:a:microsoft:office:2003:sp2:*:*:*:*:*:*
- cpe:2.3:a:microsoft:office:2003:sp3:*:*:*:*:*:*
- cpe:2.3:a:microsoft:office:2007:*:gold:*:*:*:*:*
- cpe:2.3:a:microsoft:office:2007:sp1:*:*:*:*:*:*
- cpe:2.3:a:microsoft:office:xp:sp3:*:*:*:*:*:*
- cpe:2.3:a:microsoft:office_powerpoint_viewer:2003:*:*:*:*:*:*:*
- cpe:2.3:a:microsoft:report_viewer:2005:sp1:*:*:*:*:*:*
- cpe:2.3:a:microsoft:report_viewer:2008:*:*:*:*:*:*:*
- cpe:2.3:a:microsoft:server:2008:*:*:*:*:*:*:*
- cpe:2.3:a:microsoft:sql_server:2005:sp2:*:*:*:*:*:*
- cpe:2.3:a:microsoft:sql_server_reporting_services:2000:sp2:*:*:*:*:*:*
- cpe:2.3:a:microsoft:visio:2002:sp2:*:*:*:*:*:*
- cpe:2.3:a:microsoft:works:8.0:*:*:*:*:*:*:*
- cpe:2.3:o:microsoft:server:2003:sp1:*:*:*:*:*:*
- cpe:2.3:o:microsoft:server:2003:sp2:*:*:*:*:*:*
- cpe:2.3:o:microsoft:windows-nt:vista:*:gold:*:*:*:*:*
- cpe:2.3:o:microsoft:windows-nt:xp:sp3:*:*:*:*:*:*
- cpe:2.3:o:microsoft:windows_vista:-:sp1:*:*:*:*:*:*
- cpe:2.3:o:microsoft:windows_xp:-:sp2:*:*:*:*:*:*
More vulnerabilities in Microsoft Digital Image Suite
- CVE-2008-3015 — Critical (CVSS 9.3): Integer overflow in gdiplus.dll in GDI+ in Microsoft Office XP SP3, Office 2003 SP2 and SP3, 2007 Microsoft Office…
- CVE-2008-3013 — Critical (CVSS 9.3): gdiplus.dll in GDI+ in Microsoft Internet Explorer 6 SP1, Windows XP SP2 and SP3, Server 2003 SP1 and SP2, Vista Gold…
- CVE-2008-3012 — Critical (CVSS 9.3): gdiplus.dll in GDI+ in Microsoft Internet Explorer 6 SP1, Windows XP SP2 and SP3, Server 2003 SP1 and SP2, Vista Gold…
- CVE-2007-5348 — Critical (CVSS 9.3): Integer overflow in GDI+ in Microsoft Internet Explorer 6 SP1, Windows XP SP2 and SP3, Server 2003 SP1 and SP2, Vista…
- CVE-2004-0200 — Critical (CVSS 9.3): Buffer overflow in the JPEG (JPG) parsing engine in the Microsoft Graphic Device Interface Plus (GDI+) component,…
All CVEs affecting Microsoft Digital Image Suite →
Other CWE-119 (Improper Restriction of Operations within the Bounds of a Memory Buffer) vulnerabilities
- CVE-2026-2778 — Critical (CVSS 10.0): Sandbox escape due to incorrect boundary conditions in the DOM: Core & HTML component. This vulnerability was fixed in…
- CVE-2026-2776 — Critical (CVSS 10.0): Sandbox escape due to incorrect boundary conditions in the Telemetry component in External Software. This vulnerability…
- CVE-2025-1866 — Critical (CVSS 10.0): Improper Restriction of Operations within the Bounds of a Memory Buffer vulnerability in warmcat libwebsockets allows…
- CVE-2022-27625 — Critical (CVSS 10.0): A vulnerability regarding improper restriction of operations within the bounds of a memory buffer is found in the…
- CVE-2022-27624 — Critical (CVSS 10.0): A vulnerability regarding improper restriction of operations within the bounds of a memory buffer is found in the…
- CVE-2020-11896 — Critical (CVSS 10.0): The Treck TCP/IP stack before 6.0.1.66 allows Remote Code Execution, related to IPv4 tunneling.