⚠ Actively exploited in ransomware campaigns
This vulnerability is on the CISA Known Exploited Vulnerabilities list and has been used in known ransomware attacks. CISA required action: Apply updates per vendor instructions. Due date: 2022-04-18.
CVE-2013-2551 — Use After Free in Microsoft Internet Explorer
Severity
9.3 CRITICAL (NVD)
NVD: 8.8 | VulnCheck: 8.8 | CISA: 8.8
EPSS
91.3%
top 0.34%
CISA KEV
KEV | Ransomware
Added 2022-03-28
Due 2022-04-18
Exploit
Exploited in wild
Active exploitation observed
Affected products
Timeline
Published: Mar 11
KEV added: Mar 28
KEV due: Apr 18
Latest update: May 14
Description
Use-after-free vulnerability in Microsoft Internet Explorer 6 through 10 allows remote attackers to execute arbitrary code via a crafted web site that triggers access to a deleted object, as demonstrated by VUPEN during a Pwn2Own competition at CanSecWest 2013, aka "Internet Explorer Use After Free Vulnerability," a different vulnerability than CVE-2013-1308 and CVE-2013-1309.
CVSS vector
CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H
Exploitability: 2.8 | Impact: 5.9
Affected Packages: 1 package
Patches
Vulnerability Details (4)
GHSA-cxgx-c7c4-5mq4: Use-after-free vulnerability in Microsoft Internet Explorer 6 through 10 allows remote attackers to execute arbitrary code via a crafted web site that (2022-05-14)
GHSA-m5j6-8c2h-w4h7: Use-after-free vulnerability in Microsoft Internet Explorer 6 through 10 allows remote attackers to execute arbitrary code via a crafted web site that (2022-05-14)
GHSA-cjgj-38vj-vcrr: Use-after-free vulnerability in Microsoft Internet Explorer 6 through 10 allows remote attackers to execute arbitrary code via a crafted web site that (2022-05-14)