CVE-2010-3962

HIGH KEV

Microsoft Internet Explorer 6, 7, and 8 - Use-After-Free via CSS Clip Attribute

Title source: llm
STIX 2.1

Exploitation Summary

CVE-2010-3962 is actively exploited and listed in the CISA Known Exploited Vulnerabilities (KEV) catalog, added October 6, 2025. EIP tracks 4 public exploits from researchers including Metasploit, ryujin, anonymous, including a Metasploit module exploits/windows/browser/ms10_090_ie_css_clip.

AI-analyzed exploit summary This Metasploit module exploits a memory corruption vulnerability in Microsoft's HTML engine (mshtml) via a crafted CSS tag, leading to arbitrary code execution. It uses heap spraying to achieve reliable exploitation.

Description

Use-after-free vulnerability in Microsoft Internet Explorer 6, 7, and 8 allows remote attackers to execute arbitrary code via vectors related to Cascading Style Sheets (CSS) token sequences and the clip attribute, aka an "invalid flag reference" issue or "Uninitialized Memory Corruption Vulnerability," as exploited in the wild in November 2010.

Exploits (4)

exploitdb WORKING POC VERIFIED
by Metasploit · rubyremotewindows
https://www.exploit-db.com/exploits/16551

This Metasploit module exploits a memory corruption vulnerability in Microsoft's HTML engine (mshtml) via a crafted CSS tag, leading to arbitrary code execution. It uses heap spraying to achieve reliable exploitation.

Classification
Working Poc 100%
Attack Type
Rce
Complexity
Moderate
Reliability
Reliable
Target: Internet Explorer 6.0, 7.0
No auth needed
Prerequisites: Victim must visit a malicious webpage using a vulnerable version of Internet Explorer
devstral-2 · analyzed Feb 16, 2026 Full analysis →
exploitdb WORKING POC VERIFIED
by ryujin · htmlremotewindows
https://www.exploit-db.com/exploits/15421

This is a proof-of-concept exploit for CVE-2010-3962, targeting a memory corruption vulnerability in Internet Explorer (IE6, IE7, IE8). It uses heap spraying and shellcode to achieve remote code execution, though it lacks DEP/ASLR bypass mechanisms.

Classification
Working Poc 90%
Attack Type
Rce
Complexity
Moderate
Reliability
Racy
Target: Internet Explorer 6/7/8 on Windows XP SP2/SP3
No auth needed
Prerequisites: Victim must visit a malicious webpage using a vulnerable version of Internet Explorer
devstral-2 · analyzed Feb 16, 2026 Full analysis →
exploitdb WORKING POC VERIFIED
by anonymous · htmldoswindows
https://www.exploit-db.com/exploits/15418

This exploit leverages a CSS clip property vulnerability in Internet Explorer to trigger a use-after-free condition, leading to remote code execution. The minimal HTML snippet is designed to exploit CVE-2010-3962 by manipulating the clip property in a way that corrupts memory.

Classification
Working Poc 90%
Attack Type
Rce
Complexity
Trivial
Reliability
Reliable
Target: Microsoft Internet Explorer 6/7/8
No auth needed
Prerequisites: Victim must visit a malicious webpage using a vulnerable version of Internet Explorer
devstral-2 · analyzed Feb 16, 2026 Full analysis →
metasploit WORKING POC GOOD
by unknown, Yuange, Matteo Memelli, jduck · rubypocwin
https://github.com/rapid7/metasploit-framework/blob/master/modules/exploits/windows/browser/ms10_090_ie_css_clip.rb

This Metasploit module exploits a memory corruption vulnerability in Microsoft Internet Explorer (CVE-2010-3962) via a crafted CSS tag, leading to arbitrary code execution. It uses heap spraying to achieve reliable exploitation.

Classification
Working Poc 100%
Attack Type
Rce
Complexity
Moderate
Reliability
Reliable
Target: Microsoft Internet Explorer 6/7
No auth needed
Prerequisites: Victim must visit a malicious webpage · Target must be using a vulnerable version of Internet Explorer
devstral-2 · analyzed Feb 16, 2026 Full analysis →

References (15)

Core 15
Core References
Broken Link, Third Party Advisory, VDB Entry vdb-entry x_refsource_bid
http://www.securityfocus.com/bid/44536
Third Party Advisory, US Government Resource third-party-advisory x_refsource_cert
http://www.us-cert.gov/cas/techalerts/TA10-348A.html
Patch, Vendor Advisory vendor-advisory x_refsource_ms
https://docs.microsoft.com/en-us/security-updates/securitybulletins/2010/ms10-090
Third Party Advisory, US Government Resource third-party-advisory x_refsource_cert-vn
http://www.kb.cert.org/vuls/id/899748
Broken Link, Vendor Advisory third-party-advisory x_refsource_secunia
http://secunia.com/advisories/42091
Broken Link, Vendor Advisory vdb-entry x_refsource_vupen
http://www.vupen.com/english/advisories/2010/2880
Patch, Vendor Advisory x_refsource_confirm
http://www.microsoft.com/technet/security/advisory/2458511.mspx
Broken Link, Third Party Advisory, VDB Entry vdb-entry x_refsource_sectrack
http://www.securitytracker.com/id?1024676
Third Party Advisory, VDB Entry exploit x_refsource_exploit-db
http://www.exploit-db.com/exploits/15421
Third Party Advisory, VDB Entry vdb-entry x_refsource_xf
https://exchange.xforce.ibmcloud.com/vulnerabilities/62962
Third Party Advisory, VDB Entry exploit x_refsource_exploit-db
http://www.exploit-db.com/exploits/15418

Scores

CVSS v3 8.1
EPSS 0.8968
EPSS Percentile 99.6%
Attack Vector NETWORK
CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H

CISA SSVC

Vulnrichment
Exploitation active
Automatable yes
Technical Impact total

Details

CISA KEV 2025-10-06
VulnCheck KEV 2010-11-05
InTheWild.io 2021-07-23
ENISA EUVD EUVD-2010-3939
CWE
CWE-416
Status published
Products (3)
microsoft/internet_explorer 6
microsoft/internet_explorer 7
microsoft/internet_explorer 8
Published Nov 05, 2010
KEV Added Oct 06, 2025
Tracked Since Feb 18, 2026