CVE-2008-5358
Description
Java Runtime Environment (JRE) for Sun JDK and JRE 6 Update 10 and earlier might allow remote attackers to execute arbitrary code via a crafted GIF file that triggers memory corruption during display of the splash screen, possibly related to splashscreen.dll.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
A crafted GIF file triggers memory corruption in the Java Runtime Environment splash screen, enabling remote code execution.
Vulnerability
CVE-2008-5358 is a memory corruption vulnerability in the Java Runtime Environment (JRE) splash screen component, specifically in splashscreen.dll. The issue occurs when a specially crafted GIF file is processed during the display of the splash screen. Affected versions include Sun JDK and JRE 6 Update 10 and earlier [1][2][4]. This vulnerability also impacts HP-UX systems running HP JDK and JRE 6.0.02 or earlier, HP OpenView Network Node Manager (OV NNM) v7.51 and v7.53, and Avaya Call Management System (CMS) and Interactive Response (IR) products [1][2][4].
Exploitation
An attacker can exploit this vulnerability by delivering a malicious GIF file to a victim, typically via a web page, email attachment, or other means that causes the JRE to load the image. No authentication is required, and the attack can be launched remotely. When the victim's JRE displays the splash screen (e.g., during application startup), the crafted GIF triggers memory corruption in splashscreen.dll, leading to arbitrary code execution [1][2][4].
Impact
Successful exploitation allows a remote attacker to execute arbitrary code with the privileges of the user running the JRE. This can result in full system compromise, including unauthorized access, privilege escalation, and denial of service [1][2][4]. The CVSS base score for related vulnerabilities is 9.3 (AV:N/AC:M/Au:N/C:C/I:C/A:C) [2].
Mitigation
Sun Microsystems addressed this vulnerability in Java SE 6 Update 11 and later releases (the references do not state the fixed version explicitly; it is implied by the affected version range). For HP-UX, HP recommends upgrading to HP JDK and JRE 6.0.03 or later [1]. For HP OpenView NNM, apply the appropriate patches as specified in HP security bulletin HPSBMA02486 [2]. Avaya advises restricting local and network access to affected systems and following its Product Security Vulnerability Response Policy [4]. No workaround is available if patches cannot be applied. This CVE is not listed in the Known Exploited Vulnerabilities (KEV) catalog.
AI Insight generated on May 24, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
Affected products
Sun JDK (10 CPE entries):
- cpe:2.3:a:sun:jdk:6:*:*:*:*:*:*:*
- cpe:2.3:a:sun:jdk:6:update_1:*:*:*:*:*:*
- cpe:2.3:a:sun:jdk:6:update_2:*:*:*:*:*:*
- cpe:2.3:a:sun:jdk:6:update_3:*:*:*:*:*:*
- cpe:2.3:a:sun:jdk:6:update_4:*:*:*:*:*:*
- cpe:2.3:a:sun:jdk:6:update_5:*:*:*:*:*:*
- cpe:2.3:a:sun:jdk:6:update_6:*:*:*:*:*:*
- cpe:2.3:a:sun:jdk:6:update_7:*:*:*:*:*:*
- cpe:2.3:a:sun:jdk:6:update_8:*:*:*:*:*:*
- cpe:2.3:a:sun:jdk:*:update_10:*:*:*:*:*:* (range: <= 6)
Sun JRE (10 CPE entries):
- cpe:2.3:a:sun:jre:6:*:*:*:*:*:*:*
- cpe:2.3:a:sun:jre:6:update_1:*:*:*:*:*:*
- cpe:2.3:a:sun:jre:6:update_2:*:*:*:*:*:*
- cpe:2.3:a:sun:jre:6:update_3:*:*:*:*:*:*
- cpe:2.3:a:sun:jre:6:update_4:*:*:*:*:*:*
- cpe:2.3:a:sun:jre:6:update_5:*:*:*:*:*:*
- cpe:2.3:a:sun:jre:6:update_6:*:*:*:*:*:*
- cpe:2.3:a:sun:jre:6:update_7:*:*:*:*:*:*
- cpe:2.3:a:sun:jre:6:update_8:*:*:*:*:*:*
- cpe:2.3:a:sun:jre:*:update_10:*:*:*:*:*:* (range: <= 6)
Range: <= 6 Update 10
Patches
No patches discovered yet.
Vulnerability mechanics
AI mechanics synthesis has not run for this CVE yet.
References
- sunsolve.sun.com/search/document.do (NVD; Patch, Vendor Advisory)
- www.us-cert.gov/cas/techalerts/TA08-340A.html (NVD; US Government Resource)
- labs.idefense.com/intelligence/vulnerabilities/display.php (NVD)
- lists.opensuse.org/opensuse-security-announce/2009-03/msg00001.html (NVD)
- lists.opensuse.org/opensuse-security-announce/2009-04/msg00004.html (NVD)
- marc.info (NVD)
- marc.info (NVD)
- osvdb.org/50515 (NVD)
- rhn.redhat.com/errata/RHSA-2008-1018.html (NVD)
- secunia.com/advisories/32991 (NVD)
- secunia.com/advisories/33015 (NVD)
- secunia.com/advisories/33187 (NVD)
- secunia.com/advisories/33709 (NVD)
- secunia.com/advisories/34233 (NVD)
- secunia.com/advisories/34259 (NVD)
- secunia.com/advisories/34447 (NVD)
- secunia.com/advisories/34605 (NVD)
- secunia.com/advisories/37386 (NVD)
- secunia.com/advisories/38539 (NVD)
- security.gentoo.org/glsa/glsa-200911-02.xml (NVD)
- support.avaya.com/elmodocs2/security/ASA-2008-485.htm (NVD)
- support.nortel.com/go/main.jsp (NVD)
- www.redhat.com/support/errata/RHSA-2009-0369.html (NVD)
- www.securityfocus.com/bid/32608 (NVD)
- www.vupen.com/english/advisories/2008/3339 (NVD)
- www.vupen.com/english/advisories/2009/0672 (NVD)
- www116.nortel.com/pub/repository/CLARIFY/DOCUMENT/2009/03/024431-01.pdf (NVD)
- exchange.xforce.ibmcloud.com/vulnerabilities/47049 (NVD)
- oval.cisecurity.org/repository/search/definition/oval%3Aorg.mitre.oval%3Adef%3A6319 (NVD)
News mentions
No linked articles in our index yet.