CVE-2008-3704

Heap-based buffer overflow in the MaskedEdit ActiveX control in Msmask32.ocx 6.0.81.69, and possibly other versions before 6.0.84.18, in Microsoft Visual Studio 6.0, Visual Basic 6.0, Visual Studio .NET 2002 SP1 and 2003 SP1, and Visual FoxPro 8.0 SP1 and 9.0 SP1 and SP2 allows remote attackers to execute arbitrary code via a long Mask parameter, related to not "validating property values with boundary checks," as exploited in the wild in August 2008, aka "Masked Edit Control Memory Corruption Vulnerability."

Published: 2008-08-18 Last update: 2026-04-23 Assigner: [email protected] Source: [email protected]

Conclusion & alert: CVE-2008-3704 is rated High Exploit Risk (86.6/100): CVSS Critical severity, with high exploitation likelihood (EPSS 55.92%, 99th percentile). Core evidence: 4 public exploit references are indexed (Exploit-DB). Mandatory action: public exploits are available; assess exposure, apply mitigations, and prioritize patching.

Risk is dynamic; we continuously reassess and refresh what is shown on this page as upstream context changes.

Public exploit references (Exploit-DB) for CVE-2008-3704

| EDB-ID | Source | Kind | Published | Link |
|---|---|---|---|---|
| 16507 | exploit_db | edb | 2010-11-24 | Exploit-DB |
| 6317 | exploit_db | edb | 2008-08-26 | Exploit-DB |
| 6244 | exploit_db | edb | 2008-08-14 | Exploit-DB |
| | nvd_ref | exploit_tag | | Exploit-DB |

Exploit prediction scoring system (EPSS) score for CVE-2008-3704

The daily EPSS score estimates the relative likelihood of exploitation; the percentile ranks this CVE among all scored vulnerabilities (higher = more severe relative rank).

| # | Date | Old EPSS score | New EPSS score | Delta (New - Old) |
|---|---|---|---|---|
| 1 | 2026-06-17 | 56.18% | 55.92% | -0.26% |
| 2 | 2026-06-15 | 87.47% | 56.18% | -31.30% |
| 3 | 2025-08-28 | | 87.47% | |

Full EPSS history (23 records total)

Common vulnerability scoring system (CVSS) metrics for CVE-2008-3704

CVSS metrics for this CVE.

| Base score | Version | Severity | Vector | Exploitability | Impact | Score source |
|---|---|---|---|---|---|---|
| 9.3 | 2.0 | HIGH | AV:N/AC:M/Au:N/C:C/I:C/A:C | 8.6 | 10.0 | [email protected] |

Vector breakdown:

Access vector (AV:N): Can be exploited remotely over network reachability.
Access complexity (AC:M): Exploitation needs some favorable conditions, but not exceptional ones.
Authentication (Au:N): No authentication is required.
Confidentiality impact (C:C): Complete confidentiality impact.
Integrity impact (I:C): Complete integrity impact.
Availability impact (A:C): Complete availability impact.

Weakness enumeration for CVE-2008-3704

NVD evaluator notes for CVE-2008-3704

Comment: Additional advisory information from Secunia: http://secunia.com/advisories/31498/

Solution: "Visual Studio 6 was last updated June 2000, a Microsoft spokeswoman told SCMagazineUS.com. The version is no longer supported. Visual Studio 2008 is the latest release and Microsoft encourages users to update to the newest version." Source: http://www.scmagazineus.com/Microsoft-looks-into-Visual-Studio-bug/article/115459/

Affected software / configurations for CVE-2008-3704

| Vendor | Product | Version | Raw CPE |
|---|---|---|---|
| microsoft | visual_basic | 6.0 | cpe:2.3:a:microsoft:visual_basic:6.0:*:*:*:*:*:*:* |
| microsoft | visual_foxpro | 8.0 | cpe:2.3:a:microsoft:visual_foxpro:8.0:sp1:*:*:*:*:*:* |
| microsoft | visual_foxpro | 9.0 | cpe:2.3:a:microsoft:visual_foxpro:9.0:sp1:*:*:*:*:*:* |
| microsoft | visual_foxpro | 9.0 | cpe:2.3:a:microsoft:visual_foxpro:9.0:sp2:*:*:*:*:*:* |
| microsoft | visual_studio | 6.0 | cpe:2.3:a:microsoft:visual_studio:6.0:*:*:*:*:*:*:* |
| microsoft | visual_studio_.net | 2002 | cpe:2.3:a:microsoft:visual_studio_.net:2002:sp1:*:*:*:*:*:* |
| microsoft | visual_studio_.net | 2003 | cpe:2.3:a:microsoft:visual_studio_.net:2003:sp1:*:*:*:*:*:* |

References for CVE-2008-3704

cvelogic Threat Intelligence