CVE-2017-0037

HIGH KEV

Microsoft Edge and Internet Explorer 10-11 - Remote Code Execution via CSS Token Sequence Type Confusion

Title source: llm

Exploitation Summary

CVE-2017-0037 is actively exploited and listed in the CISA Known Exploited Vulnerabilities (KEV) catalog, added March 28, 2022. EIP tracks 4 public exploits from researchers including mschenk, Google Security Research, and redr2e.

AI-analyzed exploit summary: This exploit leverages a memory corruption vulnerability in Internet Explorer (CVE-2017-0059) to achieve remote code execution. It uses heap spraying, ROP chains, and shellcode execution to bypass DEP and execute arbitrary code (e.g., calc.exe).

Description

Microsoft Internet Explorer 10 and 11 and Microsoft Edge have a type confusion issue in the Layout::MultiColumnBoxBuilder::HandleColumnBreakOnColumnSpanningElement function in mshtml.dll, which allows remote attackers to execute arbitrary code via vectors involving a crafted Cascading Style Sheets (CSS) token sequence and crafted JavaScript code that operates on a TH element.

Exploits (4)

exploitdb WORKING POC VERIFIED
by mschenk · html · remote · windows_x86
https://www.exploit-db.com/exploits/43125

This exploit leverages a memory corruption vulnerability in Internet Explorer (CVE-2017-0059) to achieve remote code execution. It uses heap spraying, ROP chains, and shellcode execution to bypass DEP and execute arbitrary code (e.g., calc.exe).

Classification: Working PoC 95%
Attack Type: RCE
Complexity: Complex
Reliability: Reliable
Target: Microsoft Internet Explorer (versions prior to the patch for CVE-2017-0059)
No auth needed
Prerequisites: Victim must visit a malicious webpage using a vulnerable version of Internet Explorer
devstral-2 · analyzed Feb 16, 2026

exploitdb WORKING POC VERIFIED
by Google Security Research · html · dos · windows
https://www.exploit-db.com/exploits/41454

This is a proof-of-concept exploit for CVE-2017-0037, a memory corruption vulnerability in Microsoft Internet Explorer. The exploit triggers a crash in MSHTML!Layout::MultiColumnBoxBuilder::HandleColumnBreakOnColumnSpanningElement by manipulating table properties and column spans, leading to a potential use-after-free condition.

Classification: Working PoC 95%
Attack Type: RCE
Complexity: Moderate
Reliability: Reliable
Target: Microsoft Internet Explorer 11 (and potentially Edge)
No auth needed
Prerequisites: Victim must visit a malicious webpage using a vulnerable version of Internet Explorer
devstral-2 · analyzed Feb 16, 2026

exploitdb WORKING POC
by redr2e · html · remote · windows_x86-64
https://www.exploit-db.com/exploits/42354

This exploit leverages a memory corruption vulnerability in Internet Explorer (CVE-2017-0059) to achieve remote code execution via a crafted HTML page. It uses heap spraying and ROP chains to bypass DEP and execute shellcode.

Classification: Working PoC 95%
Attack Type: RCE
Complexity: Complex
Reliability: Reliable
Target: Microsoft Internet Explorer (versions up to 11)
No auth needed
Prerequisites: Victim must visit a malicious webpage using a vulnerable version of Internet Explorer
devstral-2 · analyzed Feb 16, 2026

nomisec WRITEUP
by chattopadhyaykittu · poc
https://github.com/chattopadhyaykittu/CVE-2017-0037

This repository provides a detailed technical analysis of CVE-2017-0037, a type confusion vulnerability in Microsoft Edge and Internet Explorer. It includes root cause analysis, patch details, and references to the original PoC by Ivan Fratric of Google Project Zero.

Classification: Writeup 95%
Attack Type: RCE
Complexity: Complex
Reliability: Theoretical
Target: Microsoft Edge and Internet Explorer 10/11
No auth needed
Prerequisites: Victim must visit a malicious website
devstral-2 · analyzed Feb 18, 2026

References (10)

Core References
Exploit, Issue Tracking, Third Party Advisory x_refsource_misc
https://bugs.chromium.org/p/project-zero/issues/detail?id=1011
Exploit, Third Party Advisory x_refsource_misc
https://0patch.blogspot.si/2017/03/0patching-another-0-day-internet.html
Broken Link, Third Party Advisory, VDB Entry vdb-entry x_refsource_bid
http://www.securityfocus.com/bid/96088
Exploit, Third Party Advisory, VDB Entry exploit x_refsource_exploit-db
https://www.exploit-db.com/exploits/41454/
Exploit, Third Party Advisory, VDB Entry exploit x_refsource_exploit-db
https://www.exploit-db.com/exploits/43125/
Broken Link, Third Party Advisory, VDB Entry vdb-entry x_refsource_sectrack
http://www.securitytracker.com/id/1037905
Exploit, Third Party Advisory, VDB Entry exploit x_refsource_exploit-db
https://www.exploit-db.com/exploits/42354/
Broken Link, Third Party Advisory, VDB Entry vdb-entry x_refsource_sectrack
http://www.securitytracker.com/id/1037906

Scores

CVSS v3 8.1
EPSS 0.9123
EPSS Percentile 99.7%
Attack Vector NETWORK
CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H

CISA SSVC

Vulnrichment
Exploitation active
Automatable no
Technical Impact total

Details

CISA KEV 2022-03-28
VulnCheck KEV 2017-08-30
InTheWild.io 2017-08-17
ENISA EUVD EUVD-2017-0404
CWE CWE-843
Status published
Products (3)
microsoft/edge
microsoft/internet_explorer 11
Microsoft Corporation/Internet Browser Internet Explorer 10 and 11 and Edge
Published Feb 26, 2017
KEV Added Mar 28, 2022
Tracked Since Feb 18, 2026