CVE-2012-1876

Microsoft Internet Explorer 6-9 and 10 Consumer Preview - Remote Code Execution via Col Element Handling

Title source: llm
STIX 2.1

Exploitation Summary

EIP tracks 9 public exploits for CVE-2012-1876. PoCs published by ryujin & sickness, sickness, Metasploit, including Metasploit module exploits/windows/browser/ms12_037_ie_colspan.

AI-analyzed exploit summary This exploit leverages a heap spray and ROP chain to bypass DEP, ASLR, and EMET 5.1 protections in Internet Explorer 8 via CVE-2012-1876. It includes shellcode execution and specific techniques to disable EMET protections.

Description

Microsoft Internet Explorer 6 through 9, and 10 Consumer Preview, does not properly handle objects in memory, which allows remote attackers to execute arbitrary code by attempting to access a nonexistent object, leading to a heap-based buffer overflow, aka "Col Element Remote Code Execution Vulnerability," as demonstrated by VUPEN during a Pwn2Own competition at CanSecWest 2012.

Exploits (9)

exploitdb WORKING POC VERIFIED
by ryujin & sickness · htmlremotewindows
https://www.exploit-db.com/exploits/35273

This exploit leverages a heap spray and ROP chain to bypass DEP, ASLR, and EMET 5.1 protections in Internet Explorer 8 via CVE-2012-1876. It includes shellcode execution and specific techniques to disable EMET protections.

Classification
Working Poc 95%
Attack Type
Rce
Complexity
Complex
Reliability
Reliable
Target: Internet Explorer 8
No auth needed
Prerequisites: Internet Explorer 8 on Windows 7 (x86) · EMET 5.1 installed
devstral-2 · analyzed Feb 16, 2026 Full analysis →
exploitdb WORKING POC VERIFIED
by ryujin & sickness · htmlremotewindows
https://www.exploit-db.com/exploits/34815

This exploit leverages a heap spray technique combined with ROP chains to bypass DEP, ASLR, and EMET 5.0 in Internet Explorer 8. It targets CVE-2012-1876, a Fixed Col Span ID vulnerability, to achieve remote code execution.

Classification
Working Poc 95%
Attack Type
Rce
Complexity
Complex
Reliability
Reliable
Target: Internet Explorer 8.0.7601.17514
No auth needed
Prerequisites: Victim must visit a malicious webpage · Internet Explorer 8 with EMET 5.0 installed
devstral-2 · analyzed Feb 16, 2026 Full analysis →
exploitdb WORKING POC VERIFIED
by sickness · htmlremotewindows
https://www.exploit-db.com/exploits/33944

This exploit leverages a use-after-free vulnerability in Internet Explorer 8 (CVE-2012-1876) to achieve remote code execution by bypassing ASLR, DEP, and EMET 4.1.X. It employs heap spraying and ROP chains to disable EMET protections and execute shellcode.

Classification
Working Poc 95%
Attack Type
Rce
Complexity
Complex
Reliability
Reliable
Target: Internet Explorer 8.0.7601.17514
No auth needed
Prerequisites: Victim must visit a malicious webpage · Internet Explorer 8 with EMET 4.1.X on Windows 7
devstral-2 · analyzed Feb 16, 2026 Full analysis →
exploitdb WORKING POC VERIFIED
by sickness · htmlremotewindows
https://www.exploit-db.com/exploits/24017

This exploit leverages a heap overflow vulnerability in Internet Explorer 8 (CVE-2012-1876) to bypass ASLR and DEP, achieving remote code execution via a crafted HTML page with heap spraying and ROP chains.

Classification
Working Poc 95%
Attack Type
Rce
Complexity
Complex
Reliability
Reliable
Target: Internet Explorer 8 (8.0.7601.17514)
No auth needed
Prerequisites: Victim must visit a malicious webpage using Internet Explorer 8 · JavaScript must be enabled
devstral-2 · analyzed Feb 16, 2026 Full analysis →
exploitdb WORKING POC VERIFIED
by Metasploit · rubyremotewindows
https://www.exploit-db.com/exploits/20174

This Metasploit module exploits a heap overflow vulnerability in Internet Explorer 8 by manipulating the span attribute of col elements in a fixed table via JavaScript, leading to remote code execution.

Classification
Working Poc 100%
Attack Type
Rce
Complexity
Complex
Reliability
Reliable
Target: Microsoft Internet Explorer 8 on Windows XP SP3 or Windows 7 SP1
No auth needed
Prerequisites: Victim must visit a malicious webpage using Internet Explorer 8
devstral-2 · analyzed Feb 16, 2026 Full analysis →
nomisec STUB
by WizardVan · poc
https://github.com/WizardVan/CVE-2012-1876

The repository contains only a README.md file with minimal information about CVE-2012-1876, mentioning a 'simple calc exploitation' without any actual exploit code or technical details.

Classification
Stub 10%
Attack Type
Other
Complexity
Theoretical
Reliability
Theoretical
Target: unknown
No auth needed
devstral-2 · analyzed Feb 16, 2026 Full analysis →
metasploit WORKING POC NORMAL
by Alexandre Pelletier · rubypocwin
https://github.com/rapid7/metasploit-framework/blob/master/modules/exploits/windows/browser/ms12_037_ie_colspan.rb

This Metasploit module exploits a heap overflow vulnerability in Internet Explorer (CVE-2012-1876) by manipulating the 'span' attribute of 'col' elements in a fixed table via JavaScript, leading to remote code execution. It includes ROP chains for different Windows versions and uses heap spraying to achieve reliable exploitation.

Classification
Working Poc 100%
Attack Type
Rce
Complexity
Complex
Reliability
Reliable
Target: Microsoft Internet Explorer 8 on Windows XP SP3 or Windows 7 SP1
No auth needed
Prerequisites: Victim must visit a malicious webpage · JavaScript must be enabled in the target browser
devstral-2 · analyzed Feb 19, 2026 Full analysis →

References (7)

Core 7
Core References
Third Party Advisory x_refsource_misc
http://pwn2own.zerodayinitiative.com/status.html
US Government Resource third-party-advisory x_refsource_cert
http://www.us-cert.gov/cas/techalerts/TA12-164A.html
Various Sources x_refsource_misc
http://twitter.com/vupen/statuses/177895844828291073
Third Party Advisory, VDB Entry vdb-entry signature x_refsource_oval
https://oval.cisecurity.org/repository/search/definition/oval%3Aorg.mitre.oval%3Adef%3A15539

Scores

EPSS 0.6496
EPSS Percentile 99.1%

Details

CWE
CWE-94
Status published
Products (4)
microsoft/internet_explorer 6
microsoft/internet_explorer 7
microsoft/internet_explorer 8
microsoft/internet_explorer 9
Published Jun 12, 2012
Tracked Since Feb 18, 2026