CVE-2009-3671

HIGH

Microsoft Internet Explorer - Use After Free

Title source: rule

Description

Microsoft Internet Explorer 8 does not properly handle objects in memory, which allows remote attackers to execute arbitrary code by accessing an object that (1) was not properly initialized or (2) is deleted, leading to memory corruption, aka "Uninitialized Memory Corruption Vulnerability," a different vulnerability than CVE-2009-3674.

References (4)

[Third Party Advisory, VDB Entry] http://www.securitytracker.com/id?1023293

[US Government Resource] http://www.us-cert.gov/cas/techalerts/TA09-342A.html

[Vendor Advisory] https://docs.microsoft.com/en-us/security-updates/securitybulletins/2009/ms09-072

[Third Party Advisory, VDB Entry] https://oval.cisecurity.org/repository/search/definition/oval%3Aorg.mitre.oval%3Adef%3A6382

Scores

CVSS v3 8.1

EPSS 0.5649

EPSS Percentile 98.1%

Attack Vector NETWORK

CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H

Classification

CWE

CWE-399 CWE-416

Status draft

Affected Products (23)

microsoft/internet_explorer

microsoft/windows_2000

microsoft/internet_explorer

microsoft/windows_server_2003

microsoft/windows_xp

microsoft/internet_explorer

microsoft/windows_server_2008

... and 8 more

Timeline

Published Dec 09, 2009

Tracked Since Feb 18, 2026