CISA has added CVE-2010-0806 to its Known Exploited Vulnerabilities catalogue. The flaw affects Microsoft Internet Explorer and is identified as the Microsoft Internet Explorer Use-After-Free Vulnerability. It allows remote attackers to execute arbitrary code by accessing an invalid pointer after an object has been deleted.
The vulnerability is a use‑after‑free flaw in Internet Explorer’s handling of DOM objects. When the browser accesses memory that has already been freed, an attacker can inject and execute arbitrary code with the privileges of the current user. Exploitation typically requires a user to visit a specially crafted web page or open a malicious document that triggers the faulty memory reference. The vulnerability carries a CVSS base score of 8.8 (HIGH).
Although the affected product may be end‑of‑life or end‑of‑service, Microsoft released a patch in Security Advisory 981374, which is still available for download.
Inclusion in the KEV catalogue indicates that active exploitation of CVE-2010-0806 has been observed in the wild. No public attribution to ransomware campaigns is known at this time. Federal Civilian Executive Branch (FCEB) agencies must apply the required mitigations by the CISA remediation due date of 3 June 2026.
CISA directs agencies to apply mitigations per vendor instructions, follow applicable BOD 22-01 guidance for cloud services, or discontinue use of the product if mitigations are unavailable. Although the directive binds FCEB organisations, all entities should audit their systems for Internet Explorer, install the available patch, or cease using the software when patching cannot be performed.
For full details, see the NVD entry at https://nvd.nist.gov/vuln/detail/CVE-2010-0806 and the CISA KEV catalogue.