CVE-2010-3886

Internet Explorer - Exposure of Sensitive Information via Timer ID Heap Address Leak

Title source: llm
STIX 2.1

Exploitation Summary

EIP tracks 1 public exploit for CVE-2010-3886. PoCs published by Ruben Santamarta.

AI-analyzed exploit summary This exploit demonstrates a pointer leak vulnerability in mshtml.dll via the CTimeoutEventList::InsertIntoTimeoutList function. It uses JavaScript to manipulate timer IDs and leak memory addresses, which could aid in further exploitation.

Description

The CTimeoutEventList::InsertIntoTimeoutList function in Microsoft mshtml.dll uses a certain pointer value as part of producing Timer ID values for the setTimeout and setInterval methods in VBScript and JScript, which allows remote attackers to obtain sensitive information about the heap memory addresses used by an application, as demonstrated by the Internet Explorer 8 application.

Exploits (1)

exploitdb WORKING POC VERIFIED
by Ruben Santamarta · htmldoswindows
https://www.exploit-db.com/exploits/14295

This exploit demonstrates a pointer leak vulnerability in mshtml.dll via the CTimeoutEventList::InsertIntoTimeoutList function. It uses JavaScript to manipulate timer IDs and leak memory addresses, which could aid in further exploitation.

Classification
Working Poc 90%
Attack Type
Info Leak
Complexity
Trivial
Reliability
Reliable
Target: Microsoft Internet Explorer (mshtml.dll)
No auth needed
Prerequisites: Victim must visit a malicious webpage using a vulnerable version of Internet Explorer
devstral-2 · analyzed Feb 16, 2026 Full analysis →

References (4)

Core 4
Core References
Broken Link, Exploit mailing-list x_refsource_bugtraq
http://archives.neohapsis.com/archives/bugtraq/2010-06/0259.html
Third Party Advisory x_refsource_misc
http://twitter.com/WisecWisec/statuses/17254776077

Scores

EPSS 0.1680
EPSS Percentile 96.6%

Details

CWE
CWE-200
Status published
Products (1)
microsoft/internet_explorer 8
Published Oct 08, 2010
Tracked Since Feb 18, 2026