ON 20 May 2026, the Cybersecurity and Infrastructure Security Agency (CISA) added CVE‑2010‑0249 to its Known Exploited Vulnerabilities (KEV) catalogue. The flaw affects Microsoft Internet Explorer and is identified as the Microsoft Internet Explorer Use‑After‑Free Vulnerability. In brief, Internet Explorer contains an use‑after‑free condition that lets a remote attacker execute arbitrary code by dereferencing a pointer to a freed object.
The vulnerability is a classic use‑after‑free memory corruption issue. Exploitation requires the victim to visit a specially crafted web page or open a malicious document that triggers the flawed code path, leading to remote code execution with the privileges of the current user. The National Vulnerability Database assigns a CVSS v3.1 base score of 8.8, rated HIGH. A security update addressing the issue is available via Microsoft Knowledge Base article KB979352.
CISA’s inclusion of the CVE in the KEV catalogue confirms that the vulnerability is being actively exploited in the wild. No public reports link this flaw to ransomware campaigns at this time. Federal agencies must complete remediation by 3 June 2026, the date CISA has set for the required action.
CISA directs Federal Civilian Executive Branch (FCEB) agencies to apply the mitigations outlined by the vendor, follow the guidance of Binding Operational Directive 22‑01 for cloud services, or discontinue use of Internet Explorer if mitigations cannot be applied. While the directive is mandatory for FCEB organisations, all other entities should review their inventories for Internet Explorer installations and consider applying the patch or retiring the software.
For full technical details, consult the NVD entry at https://nvd.nist.gov/vuln/detail/CVE-2010-0249 and the CISA KEV catalogue.