CVE-2011-1255
CRITICAL
CVSS Vector
AV:N/AC:M/Au:N/C:C/I:C/A:C
Description
The Timed Interactive Multimedia Extensions (aka HTML+TIME) implementation in Microsoft Internet Explorer 6 through 8 does not properly handle objects in memory, which allows remote attackers to execute arbitrary code by accessing an object that (1) was not properly initialized or (2) is deleted, aka "Time Element Memory Corruption Vulnerability."
Analysis
Internet Explorer 6 through 8 contain a memory corruption vulnerability in the HTML+TIME (Timed Interactive Multimedia Extensions) implementation. Accessing improperly initialized or deleted time element objects allows remote attackers to execute arbitrary code through crafted web pages.
Technical Context
The SMIL-based HTML+TIME implementation fails to properly manage object lifetimes. Accessing a time element that was freed triggers a use-after-free condition, and accessing one that was not initialized is a use of uninitialized memory; in both cases the attacker controls the condition through JavaScript DOM manipulation. The corrupted vtable pointer redirects execution to attacker-supplied shellcode.
Affected Products
Internet Explorer 6, Internet Explorer 7, Internet Explorer 8
Remediation
Migrate to a modern browser. If IE is required for legacy apps, restrict browsing to trusted intranet sites only. Apply the MS11-050 security update. Deploy EMET/Exploit Guard mitigations.