CVE-2010-3971
published 2010-12-22

CVE-2010-3971: Use-after-free vulnerability in the CSharedStyleSheet::Notify function in the Cascading Style Sheets (CSS) parser in mshtml.dll, as used in Microsoft Internet…

Priority: P274 · critical · 9.3 (CVSS 2.0)
CVSS vector: AV:N/AC:M/Au:N/C:C/I:C/A:C
Exploited in the wild (ITW exploit; VulnCheck KEV)
EPSS: 81.66% (99.6th percentile)
Use-after-free vulnerability in the CSharedStyleSheet::Notify function in the Cascading Style Sheets (CSS) parser in mshtml.dll, as used in Microsoft Internet Explorer 6 through 8 and other products, allows remote attackers to execute arbitrary code or cause a denial of service (application crash) via a self-referential @import rule in a stylesheet, aka "CSS Memory Corruption Vulnerability."

Affected (2 ranges)

Vendor | Product | Version range | Fixed in
microsoft | internet_explorer | (not given) | (not given)
microsoft | internet_explorer | (not given) | (not given)

Detection & IOCs (extracted from sources)

filename: mshtml.dll
filename: mscorie.dll
command: @import url("css.css");
other: 0x105ae020
other: 0x63f00000
bytes: 0c0c0c0900000008000000730073030100000000010000730073030c
  • Detect recursive/self-referential CSS @import rules in HTTP responses — the exploit triggers via a stylesheet that imports itself or imports the same CSS file multiple times.
  • Alert on User-Agent strings containing both 'MSIE 6.0/7.0/8.0' and '.NET CLR 2.0.50727' — the Metasploit module explicitly requires .NET CLR 2.0.50727 in the UA and aborts otherwise.
  • Monitor for HTTP responses serving Content-Type 'text/css' containing multiple '@import url(...)' directives pointing to the same resource, indicative of the recursive import trigger.
  • Detect HTML pages served as UTF-16 (BOM 0xFF 0xFE or 0xFE 0xFF) that also load a .NET DLL (Content-Type: application/x-msdownload) — the exploit serves a .NET DLL to load mscorie.dll for ROP-based DEP/ASLR bypass.
  • Look for heap spray patterns using the byte sequence 0x0c0c0c0c or the specific blob '0c0c0c09000000080000007300730301...' in memory or network captures associated with IE CSS exploitation.
  • The Metasploit module uses 'migrate -f' as InitialAutoRunScript — post-exploitation process migration activity should be correlated with prior IE CSS anomalies.
  • The ROP chain and base address (0x63f00000) are specific to mscorie.dll version v2.0.50727.3053 — exploitation fails if a different .NET 2.0 patch level is installed.
  • The Metasploit module explicitly does not opt-in to ASLR and relies on mscorie.dll being a non-ASLR module; systems without .NET 2.0 installed are not exploitable by this module.
  • The IE6 target uses the same crash/debug return address (0xc0c0c0c0) as the Debug Target, meaning reliable code execution on IE6 was not implemented in this module version.
  • The exploit has no vuln_test capability — the module cannot pre-check whether the target is vulnerable before attempting exploitation.
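As an added illustration of the first three detection points above (example code written here, not taken from the source or from any vendor tooling), a small Python check that flags a text/css response importing itself or importing the same resource more than once, and a User-Agent matching the IE + .NET CLR 2.0.50727 combination the module requires. The URL, CSS body and UA strings are constructed sample inputs.

```python
import re
from urllib.parse import urljoin

# Matches "@import url("x.css");", "@import url(x.css);" and "@import "x.css";"
IMPORT_RE = re.compile(
    r'@import\s+(?:url\(\s*)?["\']?([^"\')\s;]+)["\']?\s*\)?\s*;', re.IGNORECASE
)
# IE 6/7/8 UA together with the .NET CLR 2.0.50727 token (module precondition)
MSIE_RE = re.compile(r"MSIE [678]\.0")
CLR_TOKEN = ".NET CLR 2.0.50727"


def css_imports(body: str) -> list[str]:
    """Return the raw @import targets found in a stylesheet body."""
    return IMPORT_RE.findall(body)


def check_css_response(url: str, body: str) -> list[str]:
    """Findings for one text/css response: self-import and repeated imports.

    Relative import targets are resolved against the stylesheet's own URL,
    so "@import url("css.css");" served from .../css.css is a self-reference.
    """
    findings = []
    resolved = [urljoin(url, target) for target in css_imports(body)]
    if url in resolved:
        findings.append("self-referential @import")
    counts: dict[str, int] = {}
    for target in resolved:
        counts[target] = counts.get(target, 0) + 1
    if any(n > 1 for n in counts.values()):
        findings.append("repeated @import of same resource")
    return findings


def ua_matches_module_target(user_agent: str) -> bool:
    """True when the UA carries both MSIE 6/7/8 and the .NET CLR 2.0.50727 token."""
    return bool(MSIE_RE.search(user_agent)) and CLR_TOKEN in user_agent


if __name__ == "__main__":
    # Constructed sample: a stylesheet that imports itself three times.
    sample_url = "http://example.test/css.css"
    sample_body = '@import url("css.css");\n' * 3 + "body { color: red; }\n"
    print(check_css_response(sample_url, sample_body))
    print(ua_matches_module_target(
        "Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 6.1; .NET CLR 2.0.50727)"))
```

Run it over proxy or IDS-captured text/css bodies with the request URL and User-Agent; a hit on both checks in the same session is the combination worth alerting on.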

CVSS provenance

NVD: CVSS v2.0 9.3 CRITICAL (AV:N/AC:M/Au:N/C:C/I:C/A:C)
VulnCheck: 9.3 CRITICAL