Windows Server 2008
by Microsoft
CVEs (2,628)
| CVE | Vendor / Product | Sev | Risk | CVSS | EPSS | KEV | Published | Description |
|---|---|---|---|---|---|---|---|---|
| CVE-2009-0550 | | | 0.01 | — | 0.12 | | Apr 15, 2009 | Windows HTTP Services (aka WinHTTP) in Microsoft Windows 2000 SP4, XP SP2 and SP3, Server 2003 SP1 and SP2, Vista Gold and SP1, and Server 2008; and WinINet in Microsoft Internet Explorer 5.01 SP4, 6 SP1, 6 and 7 on Windows XP SP2 and SP3, 6 and 7 on Windows Server 2003 SP1 and… |
| CVE-2009-0086 | | | 0.01 | — | 0.14 | | Apr 15, 2009 | Integer underflow in Windows HTTP Services (aka WinHTTP) in Microsoft Windows 2000 SP4, XP SP2 and SP3, Server 2003 SP1 and SP2, Vista Gold and SP1, and Server 2008 allows remote HTTP servers to execute arbitrary code via crafted parameter values in a response, related to error… |
| CVE-2009-0093 | | | 0.01 | — | 0.17 | | Mar 11, 2009 | Windows DNS Server in Microsoft Windows 2000 SP4, Server 2003 SP1 and SP2, and Server 2008, when dynamic updates are enabled, does not restrict registration of the "wpad" hostname, which allows remote authenticated users to hijack the Web Proxy Auto-Discovery (WPAD) feature, and… |
| CVE-2009-0085 | | | 0.01 | — | 0.15 | | Mar 10, 2009 | The Secure Channel (aka SChannel) authentication component in Microsoft Windows 2000 SP4, XP SP2 and SP3, Server 2003 SP1 and SP2, Vista Gold and SP1, and Server 2008, when certificate authentication is used, does not properly validate the client's key exchange data in Transport… |
| CVE-2009-0243 | | | 0.01 | — | 0.06 | | Jan 21, 2009 | Microsoft Windows does not properly enforce the Autorun and NoDriveTypeAutoRun registry values, which allows physically proximate attackers to execute arbitrary code by (1) inserting CD-ROM media, (2) inserting DVD media, (3) connecting a USB device, and (4) connecting a… |
| CVE-2026-20936 | | | 0.00 | — | 0.00 | | Jan 13, 2026 | Out-of-bounds read in Windows NDIS allows an authorized attacker to disclose information with a physical attack. |
| CVE-2026-20929 | | | 0.00 | — | 0.01 | | Jan 13, 2026 | Improper access control in Windows HTTP.sys allows an authorized attacker to elevate privileges over a network. |
| CVE-2026-20872 | | | 0.00 | — | 0.19 | | Jan 13, 2026 | External control of file name or path in Windows NTLM allows an unauthorized attacker to perform spoofing over a network. |
| CVE-2026-20868 | | | 0.00 | — | 0.01 | | Jan 13, 2026 | Heap-based buffer overflow in Windows Routing and Remote Access Service (RRAS) allows an unauthorized attacker to execute code over a network. |
| CVE-2026-20849 | | | 0.00 | — | 0.01 | | Jan 13, 2026 | Reliance on untrusted inputs in a security decision in Windows Kerberos allows an authorized attacker to elevate privileges over a network. |
| CVE-2026-20843 | | | 0.00 | — | 0.03 | | Jan 13, 2026 | Improper access control in Windows Routing and Remote Access Service (RRAS) allows an authorized attacker to elevate privileges locally. |
| CVE-2026-20940 | | | 0.00 | — | 0.00 | | Jan 13, 2026 | Heap-based buffer overflow in Windows Cloud Files Mini Filter Driver allows an authorized attacker to elevate privileges locally. |
| CVE-2026-20927 | | | 0.00 | — | 0.01 | | Jan 13, 2026 | Concurrent execution using shared resource with improper synchronization ('race condition') in Windows SMB Server allows an authorized attacker to deny service over a network. |
| CVE-2026-20925 | | | 0.00 | — | 0.17 | | Jan 13, 2026 | External control of file name or path in Windows NTLM allows an unauthorized attacker to perform spoofing over a network. |
| CVE-2026-20922 | | | 0.00 | — | 0.01 | | Jan 13, 2026 | Heap-based buffer overflow in Windows NTFS allows an authorized attacker to execute code locally. |
| CVE-2026-20875 | | | 0.00 | — | 0.02 | | Jan 13, 2026 | Null pointer dereference in Windows Local Security Authority Subsystem Service (LSASS) allows an unauthorized attacker to deny service over a network. |
| CVE-2026-20869 | | | 0.00 | — | 0.00 | | Jan 13, 2026 | Concurrent execution using shared resource with improper synchronization ('race condition') in Windows Local Session Manager (LSM) allows an authorized attacker to elevate privileges locally. |
| CVE-2026-20860 | | | 0.00 | — | 0.08 | | Jan 13, 2026 | Access of resource using incompatible type ('type confusion') in Windows Ancillary Function Driver for WinSock allows an authorized attacker to elevate privileges locally. |
| CVE-2026-20847 | | | 0.00 | — | 0.01 | | Jan 13, 2026 | Exposure of sensitive information to an unauthorized actor in Windows Shell allows an authorized attacker to perform spoofing over a network. |
| CVE-2026-20840 | | | 0.00 | — | 0.02 | | Jan 13, 2026 | Heap-based buffer overflow in Windows NTFS allows an authorized attacker to execute code locally. |