cbcvebase.
CVE-2010-0806
published 2010-03-10

CVE-2010-0806: Use-after-free vulnerability in the Peer Objects component (aka iepeers.dll) in Microsoft Internet Explorer 6, 6 SP1, and 7 allows remote attackers to execute…

PriorityP185high8.8CVSS 3.1
AVNACLPRNUIRSUCHIHAH
KEVITWEXPLOIT
CISA Known Exploited Vulnerabilitydue 2026-06-03
Exploited in the wild
EPSS
82.17%
99.6th percentile
Use-after-free vulnerability in the Peer Objects component (aka iepeers.dll) in Microsoft Internet Explorer 6, 6 SP1, and 7 allows remote attackers to execute arbitrary code via vectors involving access to an invalid pointer after the deletion of an object, as exploited in the wild in March 2010, aka "Uninitialized Memory Corruption Vulnerability."

Affected

4 ranges
VendorProductVersion rangeFixed in
microsoftinternet_explorer
microsoftinternet_explorer
microsoftinternet_explorer
microsoftinternet_explorer

Detection & IOCsextracted from sources · hover to see the quote

urlhxxp://www.dxcdfghg.com/2.html
urlhxxp://www.dxcdfghg.com/2.js
filenameiepeers.dll
  • Target IE versions are 6 and 7 only; IE 8 and IE 5 are not affected. Inspect User-Agent strings for MSIE 6.0 or MSIE 7.0 in requests to detect exploitation attempts.
  • Exploit delivery uses heap spray with NOP sled targeting address 0x0C0C0C0C; monitor for large JavaScript array allocations filling memory with repeated 0x0C0C0C0C patterns.
  • Exploit HTML pages use DHTML behaviors (e.g., userData behavior via 'behavior: url(#default#userData)') combined with setAttribute to trigger the use-after-free; detect HTML responses containing this behavior pattern delivered to IE 6/7 clients.
  • Attackers combine CVE-2010-0806 and CVE-2010-3962 exploits into a single HTML/JS file to increase success rate against IE 6 and 7; look for pages serving both exploit patterns together.
  • Exploit payload uses JavaScript variable name randomization and obfuscation; detect unescape() heap spray patterns in JavaScript delivered to IE clients as a behavioral indicator.
  • Hosting multiple malicious domains on a single IP is a noted attacker TTP; pivot on the IP of dxcdfghg.com to identify co-hosted malicious infrastructure.
  • ·The Metasploit module uses randomized JavaScript variable names on every request, making static string-based signatures unreliable; behavioral or heuristic detection is required.
  • ·The exploit targets only Windows platforms; the Metasploit module's platform is set to 'win', so non-Windows IE clients are not at risk.
  • ·Payload bad characters include null bytes and common whitespace/quote characters, meaning encoded shellcode will never contain these bytes; signature rules must account for encoded (unescape'd) shellcode format.

CVSS provenance

nvdv3.18.8HIGHCVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H
nvdv2.09.3CRITICALAV:N/AC:M/Au:N/C:C/I:C/A:C
vulncheck9.3CRITICAL
cisa8.8HIGH
CVEs like this are exactly what “Exploited This Week” covers.

Every Monday: what got weaponized or added to CISA KEV in the last seven days — each CVE cross-linked to its PoC, Nuclei template, and detection rule. Free, one email a week, unsubscribe in one click.