CVE-2006-4868

EXPLOITED

Microsoft Outlook & IE 6.0 - Buffer Overflow

Title source: llm
STIX 2.1

Exploitation Summary

CVE-2006-4868 has been observed exploited in the wild (reported by VulnCheck KEV). EIP tracks 4 public exploits from researchers including Metasploit, Trirat Puttaraksa, jamikazu, including a Metasploit module exploits/windows/browser/ms06_055_vml_method.

AI-analyzed exploit summary This exploit targets a buffer overflow in Microsoft Internet Explorer's VML processing (VGX.dll) via a maliciously crafted HTML page. It leverages a heap spray technique to achieve remote code execution on vulnerable systems.

Description

Stack-based buffer overflow in the Vector Graphics Rendering engine (vgx.dll), as used in Microsoft Outlook and Internet Explorer 6.0 on Windows XP SP2, and possibly other versions, allows remote attackers to execute arbitrary code via a Vector Markup Language (VML) file with a long fill parameter within a rect tag.

Exploits (4)

exploitdb WORKING POC VERIFIED
by Metasploit · rubyremotewindows
https://www.exploit-db.com/exploits/16597

This exploit targets a buffer overflow in Microsoft Internet Explorer's VML processing (VGX.dll) via a maliciously crafted HTML page. It leverages a heap spray technique to achieve remote code execution on vulnerable systems.

Classification
Working Poc 100%
Attack Type
Rce
Complexity
Moderate
Reliability
Reliable
Target: Microsoft Internet Explorer (Windows NT 4.0 to Windows 2003 SP1)
No auth needed
Prerequisites: Vulnerable version of Internet Explorer · Target visits a malicious webpage
devstral-2 · analyzed Feb 16, 2026 Full analysis →
exploitdb WORKING POC VERIFIED
by Trirat Puttaraksa · perlremotewindows
https://www.exploit-db.com/exploits/2426

This exploit targets a stack-based buffer overflow in Microsoft Internet Explorer's VML (Vector Markup Language) rendering engine via heap spraying. It uses a Metasploit-derived shellcode to achieve remote code execution on vulnerable Windows systems.

Classification
Working Poc 95%
Attack Type
Rce
Complexity
Moderate
Reliability
Reliable
Target: Microsoft Internet Explorer 6 (Windows XP SP0/SP1/SP2, Windows 2000 SP4)
No auth needed
Prerequisites: Victim must visit a malicious webpage hosting the exploit
devstral-2 · analyzed Feb 16, 2026 Full analysis →
exploitdb WORKING POC VERIFIED
by jamikazu · htmlremotewindows
https://www.exploit-db.com/exploits/2425

This exploit leverages a buffer overflow vulnerability in Microsoft Internet Explorer's VML (Vector Markup Language) rendering engine. It uses heap spraying to achieve reliable code execution, ultimately invoking calc.exe as a proof of concept.

Classification
Working Poc 95%
Attack Type
Rce
Complexity
Moderate
Reliability
Reliable
Target: Microsoft Internet Explorer (all versions including XP SP2)
No auth needed
Prerequisites: Victim must visit a malicious webpage using a vulnerable version of Internet Explorer
devstral-2 · analyzed Feb 16, 2026 Full analysis →
metasploit WORKING POC NORMAL
by hdm · rubypocwin
https://github.com/rapid7/metasploit-framework/blob/master/modules/exploits/windows/browser/ms06_055_vml_method.rb

This Metasploit module exploits a buffer overflow in Microsoft Internet Explorer's VML processing (VGX.dll) via a crafted HTML page. It triggers a heap-based overflow in the 'fill method' attribute of VML elements, leading to arbitrary code execution.

Classification
Working Poc 100%
Attack Type
Rce
Complexity
Moderate
Reliability
Reliable
Target: Microsoft Internet Explorer (Windows 2000 SP4, Windows XP SP0/SP2)
No auth needed
Prerequisites: Victim must visit a malicious webpage · Target system must have vulnerable VGX.dll
devstral-2 · analyzed Feb 19, 2026 Full analysis →

References (21)

Core 21
Core References
Exploit, Patch vdb-entry x_refsource_bid
http://www.securityfocus.com/bid/20096
Vendor Advisory vdb-entry x_refsource_vupen
http://www.vupen.com/english/advisories/2006/3679
US Government Resource third-party-advisory x_refsource_cert-vn
http://www.kb.cert.org/vuls/id/416092
Patch, Vendor Advisory x_refsource_confirm
http://www.microsoft.com/technet/security/advisory/925568.mspx
Vendor Advisory vendor-advisory x_refsource_mskb
http://support.microsoft.com/kb/925486
Patch, US Government Resource third-party-advisory x_refsource_cert
http://www.us-cert.gov/cas/techalerts/TA06-262A.html
Third Party Advisory, VDB Entry vdb-entry x_refsource_osvdb
http://www.osvdb.org/28946
Third Party Advisory, VDB Entry vdb-entry signature x_refsource_oval
https://oval.cisecurity.org/repository/search/definition/oval%3Aorg.mitre.oval%3Adef%3A100
Various Sources x_refsource_misc
http://blogs.securiteam.com/index.php/archives/624
Third Party Advisory, VDB Entry mailing-list x_refsource_bugtraq
http://www.securityfocus.com/archive/1/446881/100/200/threaded
Third Party Advisory, VDB Entry mailing-list x_refsource_bugtraq
http://www.securityfocus.com/archive/1/446523/100/0/threaded
Third Party Advisory, VDB Entry mailing-list x_refsource_bugtraq
http://www.securityfocus.com/archive/1/446505/100/0/threaded
Patch, Vendor Advisory third-party-advisory x_refsource_secunia
http://secunia.com/advisories/21989
Third Party Advisory, VDB Entry vendor-advisory x_refsource_hp
http://www.securityfocus.com/archive/1/448552/100/0/threaded
Third Party Advisory, VDB Entry mailing-list x_refsource_bugtraq
http://www.securityfocus.com/archive/1/446528/100/0/threaded
Third Party Advisory, VDB Entry vdb-entry x_refsource_sectrack
http://securitytracker.com/id?1016879
Third Party Advisory, VDB Entry mailing-list x_refsource_bugtraq
http://www.securityfocus.com/archive/1/447070/100/0/threaded
Third Party Advisory, VDB Entry mailing-list x_refsource_bugtraq
http://www.securityfocus.com/archive/1/446378/100/0/threaded
Third Party Advisory, VDB Entry vdb-entry x_refsource_xf
https://exchange.xforce.ibmcloud.com/vulnerabilities/29004

Scores

EPSS 0.6844
EPSS Percentile 98.6%

Details

VulnCheck KEV 2006-09-26
CWE
CWE-119
Status published
Products (3)
microsoft/internet_explorer 6.0
microsoft/internet_explorer 5.0.1 sp4
microsoft/outlook 2003
Published Sep 19, 2006
Tracked Since Feb 18, 2026