CVE-2008-4844

EXPLOITED IN THE WILD

Microsoft Internet Explorer 5.01, 6, 6 SP1, and 7 - Use-After-Free via DSO Bindings

Title source: llm
STIX 2.1

Exploitation Summary

CVE-2008-4844 has been observed exploited in the wild (reported by VulnCheck KEV, InTheWild.io). EIP tracks 6 public exploits from researchers including Metasploit, Jeremy Brown, krafty, including a Metasploit module exploits/windows/browser/ms08_078_xml_corruption.

AI-analyzed exploit summary This Metasploit module exploits a memory corruption vulnerability in Internet Explorer's data binding feature (CVE-2008-4844) using a .NET DLL memory technique to achieve remote code execution.

Description

Use-after-free vulnerability in the CRecordInstance::TransferToDestination function in mshtml.dll in Microsoft Internet Explorer 5.01, 6, 6 SP1, and 7 allows remote attackers to execute arbitrary code via DSO bindings involving (1) an XML Island, (2) XML DSOs, or (3) Tabular Data Control (TDC) in a crafted HTML or XML document, as demonstrated by nested SPAN or MARQUEE elements, and exploited in the wild in December 2008.

Exploits (6)

exploitdb WORKING POC VERIFIED
by Metasploit · rubyremotewindows
https://www.exploit-db.com/exploits/16583

This Metasploit module exploits a memory corruption vulnerability in Internet Explorer's data binding feature (CVE-2008-4844) using a .NET DLL memory technique to achieve remote code execution.

Classification
Working Poc 95%
Attack Type
Rce
Complexity
Complex
Reliability
Reliable
Target: Microsoft Internet Explorer 7
No auth needed
Prerequisites: Victim must visit a malicious webpage · Internet Explorer 7 must be used
devstral-2 · analyzed Feb 16, 2026 Full analysis →
exploitdb WORKING POC VERIFIED
by Jeremy Brown · perlremotewindows
https://www.exploit-db.com/exploits/7583

This Perl script generates an HTML file exploiting a buffer overflow in Microsoft Internet Explorer on Vista via malformed XML handling. It includes shellcode for a reverse shell connection.

Classification
Working Poc 95%
Attack Type
Rce
Complexity
Moderate
Reliability
Reliable
Target: Microsoft Internet Explorer 7 on Windows Vista SP1
No auth needed
Prerequisites: Target must be running Internet Explorer 7 on Windows Vista SP1 · Attacker must host the generated HTML file and convince the victim to visit the URL
devstral-2 · analyzed Feb 16, 2026 Full analysis →
exploitdb WORKING POC VERIFIED
by krafty · htmlremotewindows
https://www.exploit-db.com/exploits/7477

This exploit leverages a heap corruption vulnerability in Internet Explorer (CVE-2008-4844) via malformed XML data. It uses a heap spray technique to achieve reliable code execution, demonstrated by launching the calculator (calc.exe).

Classification
Working Poc 95%
Attack Type
Rce
Complexity
Moderate
Reliability
Reliable
Target: Internet Explorer 7 on Windows XP SP2/SP3 and Vista
No auth needed
Prerequisites: Victim must visit a malicious webpage using a vulnerable version of Internet Explorer
devstral-2 · analyzed Feb 18, 2026 Full analysis →
exploitdb WORKING POC VERIFIED
by Guido Landi · textremotewindows
https://www.exploit-db.com/exploits/7403

This exploit targets a vulnerability in Internet Explorer 7 on Windows XP SP3, using a Metasploit-generated shellcode to execute arbitrary commands (e.g., launching calc.exe). The exploit is packaged in a compressed file, indicating a functional proof-of-concept.

Classification
Working Poc 90%
Attack Type
Rce
Complexity
Moderate
Reliability
Reliable
Target: Microsoft Internet Explorer 7.0.5730.13 on Windows XP SP3
No auth needed
Prerequisites: Victim must visit a malicious webpage or open a crafted file · Target system must be running vulnerable IE version
devstral-2 · analyzed Feb 16, 2026 Full analysis →
exploitdb WORKING POC VERIFIED
by muts · htmlremotewindows
https://www.exploit-db.com/exploits/7410

This exploit leverages a heap spray technique to trigger a remote code execution vulnerability in Microsoft Internet Explorer 7 on Windows Vista. The exploit uses a malformed XML parsing mechanism to achieve arbitrary code execution via a crafted iframe and shellcode.

Classification
Working Poc 95%
Attack Type
Rce
Complexity
Moderate
Reliability
Reliable
Target: Microsoft Internet Explorer 7.0.6001.18000 and 7.0.6000.16386 on Windows Vista
No auth needed
Prerequisites: Victim must visit a malicious webpage · Target must be using vulnerable versions of Internet Explorer 7 on Windows Vista
devstral-2 · analyzed Feb 16, 2026 Full analysis →
metasploit WORKING POC NORMAL
by hdm · rubypocwin
https://github.com/rapid7/metasploit-framework/blob/master/modules/exploits/windows/browser/ms08_078_xml_corruption.rb

This Metasploit module exploits a memory corruption vulnerability in Internet Explorer's data binding feature (CVE-2008-4844) by leveraging a .NET DLL memory technique to achieve remote code execution. It uses a combination of heap spraying and vtable manipulation to execute arbitrary payloads on vulnerable systems.

Classification
Working Poc 100%
Attack Type
Rce
Complexity
Complex
Reliability
Reliable
Target: Microsoft Internet Explorer 7.0
No auth needed
Prerequisites: Victim must visit a malicious webpage · Internet Explorer 7.0 must be in use
devstral-2 · analyzed Feb 19, 2026 Full analysis →

References (21)

Core 21
Core References
Various Sources x_refsource_misc
http://www.scanw.com/blog/archives/303
Third Party Advisory, VDB Entry vdb-entry x_refsource_sectrack
http://www.securitytracker.com/id?1021381
Exploit, Third Party Advisory exploit x_refsource_exploit-db
https://www.exploit-db.com/exploits/7583
US Government Resource third-party-advisory x_refsource_cert
http://www.us-cert.gov/cas/techalerts/TA08-352A.html
Issue Tracking x_refsource_misc
http://code.google.com/p/inception-h2hc/
US Government Resource third-party-advisory x_refsource_cert-vn
http://www.kb.cert.org/vuls/id/493881
Third Party Advisory, VDB Entry vdb-entry signature x_refsource_oval
https://oval.cisecurity.org/repository/search/definition/oval%3Aorg.mitre.oval%3Adef%3A6007
Third Party Advisory, VDB Entry vdb-entry x_refsource_bid
http://www.securityfocus.com/bid/32721
Exploit, Third Party Advisory exploit x_refsource_exploit-db
https://www.exploit-db.com/exploits/7477
Mailing List vendor-advisory x_refsource_hp
http://marc.info/?l=bugtraq&m=123015308222620&w=2
Vendor Advisory vdb-entry x_refsource_vupen
http://www.vupen.com/english/advisories/2008/3391
Exploit, Third Party Advisory exploit x_refsource_exploit-db
https://www.exploit-db.com/exploits/7403
US Government Resource third-party-advisory x_refsource_cert
http://www.us-cert.gov/cas/techalerts/TA08-344A.html
Exploit, Third Party Advisory exploit x_refsource_exploit-db
https://www.exploit-db.com/exploits/7410
Patch, Vendor Advisory third-party-advisory x_refsource_secunia
http://secunia.com/advisories/33089

Scores

EPSS 0.8285
EPSS Percentile 99.3%

Details

VulnCheck KEV 2008-12-11
InTheWild.io 2018-10-12
CWE
CWE-399
Status published
Products (3)
microsoft/internet_explorer 5.01
microsoft/internet_explorer 6 (2 CPE variants)
microsoft/internet_explorer 7
Published Dec 11, 2008
Tracked Since Feb 18, 2026