CVE-2010-1807
published 2010-09-10


Priority: P274
CVSS 2.0: 9.3 (critical), vector AV:N/AC:M/Au:N/C:C/I:C/A:C
Exploited in the wild: yes (VulnCheck KEV)
EPSS: 61.32% (99.0th percentile)
WebKit in Apple Safari 4.x before 4.1.2 and 5.x before 5.0.2; Android before 2.2; and webkitgtk before 1.2.6; does not properly validate floating-point data, which allows remote attackers to execute arbitrary code or cause a denial of service (application crash) via a crafted HTML document, related to non-standard NaN representation.

Affected

23 ranges

Vendor      Product    Version range                         Fixed in
apple       safari     4.x before 4.1.2; 5.x before 5.0.2    4.1.2 / 5.0.2
google      android    <= 2.1                                2.2
webkitgtk   webkitgtk  <= 1.2.5                              1.2.6

Detection & IOCs

  • command: parseFloat("NAN(ffffe00572c60)")
  • bytes: \u33bc\u0057
  • bytes: \ua8c0\u0100
  • Trigger is a crafted NaN string passed to parseFloat — look for 'NAN(ffffe00572c60)' or similar non-standard NaN representations in HTML/JS content processed by WebKit.
  • Exploit uses heap spray via large unescape() string buffers followed by DOM innerHTML assignment to trigger the use-after-free; monitor for large repeated unicode escape sequences in JavaScript combined with innerHTML writes.
  • The vulnerability is triggered via a crafted HTML document containing non-standard NaN floating-point representation; WebKit's float parser mishandles it leading to use-after-free.
  • Exploit appends a child span element to a known DOM element and sets innerHTML to the malicious float string — look for dynamic DOM manipulation patterns pairing appendChild with innerHTML assignment of float/NaN values.
  • The exploit in exploit-db/15548 hardcodes a connect-back IP and port (192.168.0.1 / port 12345) via unescape-encoded shellcode; real-world attacker payloads will substitute their own C2 IP and port in the shellcode bytes.
  • The original exploit (exploit-db/15423) is hardcoded to return a shell to 10.0.2.2 port 2222, which is the Android emulator host address; production attacks will use a different IP/port.
  • The vulnerability affects Android before 2.2; the exploit author notes 'some said it works on some devices with 2.2', so patched version alone may not be a reliable exclusion criterion.
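The detection notes above describe three content-level fingerprints: a non-standard NaN string passed to parseFloat, a large unescape() buffer paired with an innerHTML write, and appendChild followed by an innerHTML assignment of a NaN value. The script below is an added example (not code from this page or from any detection rule it links to) that turns those notes into a simple scanner over inline script text. The two input scripts are constructed for the example, the regular expressions are one possible encoding of the notes, and the spray thresholds are assumptions to tune for your own traffic.

```python
import re

# Constructed samples (not code from the page): a benign script and one that
# carries the three patterns the IOC notes describe. The second is only the
# detection fingerprint, not a working exploit.
BENIGN_JS = """
var price = parseFloat(document.getElementById("price").textContent);
var label = document.createElement("span");
label.innerHTML = "Total: " + price.toFixed(2);
document.body.appendChild(label);
"""

SUSPICIOUS_JS = """
var spray = unescape("%u4141%u4141%u4141%u4141%u4141%u4141%u4141%u4141");
var blocks = [];
for (var i = 0; i < 200; i++) { blocks[i] = spray + spray; }
var host = document.getElementById("content");
var child = document.createElement("span");
host.appendChild(child);
child.innerHTML = parseFloat("NAN(ffffe00572c60)");
"""

# parseFloat() fed a string literal containing a NAN(...) token, the
# non-standard representation named in the advisory text.
NONSTANDARD_NAN = re.compile(
    r"""parseFloat\s*\(\s*["'][^"']*\bnan\s*\([0-9a-f]*\)""", re.IGNORECASE)
# unescape() over a literal made only of %uXXXX escapes (spray buffer shape).
UNESCAPE_RUN = re.compile(
    r"""unescape\s*\(\s*["']((?:%u[0-9a-f]{4})+)["']\s*\)""", re.IGNORECASE)
INNERHTML_WRITE = re.compile(r"\.innerHTML\s*=")
APPEND_CHILD = re.compile(r"\.appendChild\s*\(")
# innerHTML assignment whose right-hand side mentions a NaN token.
INNERHTML_NAN = re.compile(r"\.innerHTML\s*=[^;]*\bnan\b", re.IGNORECASE)

# Thresholds are assumptions for this example; tune them to your traffic.
SPRAY_MIN_ESCAPES = 8      # %u escapes in one unescape() literal
SPRAY_MAX_DISTINCT = 2     # a spray repeats a tiny alphabet of escapes


def spray_buffers(js: str) -> list:
    """Return (escape_count, distinct_escapes) for each unescape() literal."""
    result = []
    for m in UNESCAPE_RUN.finditer(js):
        escapes = re.findall(r"%u[0-9a-f]{4}", m.group(1), re.IGNORECASE)
        result.append((len(escapes), len({e.lower() for e in escapes})))
    return result


def scan_script(js: str) -> list:
    """Return the names of the CVE-2010-1807 detection patterns found in js."""
    findings = []
    if NONSTANDARD_NAN.search(js):
        findings.append("nonstandard-nan-parsefloat")
    sprayish = any(n >= SPRAY_MIN_ESCAPES and d <= SPRAY_MAX_DISTINCT
                   for n, d in spray_buffers(js))
    if sprayish and INNERHTML_WRITE.search(js):
        findings.append("unescape-spray-with-innerhtml")
    if APPEND_CHILD.search(js) and INNERHTML_NAN.search(js):
        findings.append("appendchild-innerhtml-nan")
    return findings


if __name__ == "__main__":
    for name, sample in (("benign", BENIGN_JS), ("suspicious", SUSPICIOUS_JS)):
        print(name, scan_script(sample) or "no findings")
```

Each pattern on its own is noisy (a page may legitimately call unescape or write innerHTML), so the scanner only reports the spray and DOM patterns when the two halves the notes describe occur together; the NaN-in-parseFloat check stands alone because a NAN(...) literal has no ordinary use in web content.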

CVSS provenance

  • nvd: v2.0 9.3 CRITICAL (AV:N/AC:M/Au:N/C:C/I:C/A:C)
  • vulncheck: 9.3 CRITICAL
  • vendor_redhat: 9.3 CRITICAL