Internet Explorer CVE-2011-1255

CRITICAL
Use of Uninitialized Resource (CWE-908)
2011-06-16 secure@microsoft.com
9.3 · CVSS 2.0 · NVD

Severity by source

NVD PRIMARY
9.3 CRITICAL
AV:N/AC:M/Au:N/C:C/I:C/A:C

Primary rating from NVD · only source for this CVE.

CVSS Vector (NVD)

AV:N/AC:M/Au:N/C:C/I:C/A:C
Attack Vector: Network
Attack Complexity: M
Confidentiality: C
Integrity: C
Availability: C

Lifecycle Timeline (6 events)

Analysis Updated · Apr 29, 2026 - 01:43 · vuln.today · v2 (cvss_changed)
Re-analysis Queued · Apr 29, 2026 - 01:39 · vuln.today · cvss_changed
Analysis Generated · Mar 26, 2026 - 11:17 · vuln.today
PoC Detected · Apr 11, 2025 - 00:51 · vuln.today · Public exploit code
Patch released · Apr 11, 2025 - 00:51 · nvd · Patch available
CVE Published · Jun 16, 2011 - 20:55 · nvd · CRITICAL 9.3

Description (CVE.org)

The Timed Interactive Multimedia Extensions (aka HTML+TIME) implementation in Microsoft Internet Explorer 6 through 8 does not properly handle objects in memory, which allows remote attackers to execute arbitrary code by accessing an object that (1) was not properly initialized or (2) is deleted, aka "Time Element Memory Corruption Vulnerability."

Analysis (AI)

Remote code execution in Microsoft Internet Explorer 6, 7, and 8 allows attackers to execute arbitrary code through use-after-free or uninitialized memory corruption in the HTML+TIME (Timed Interactive Multimedia Extensions) engine. With an EPSS score of 52.37% (98th percentile) and publicly available exploit code, this represents a high-probability exploitation risk despite requiring user interaction to visit a malicious webpage. Microsoft released patch MS11-050 in June 2011, and the vendor specifically noted that IE9 was not affected by this implementation flaw.

Technical Context (AI)

The vulnerability resides in Internet Explorer's implementation of HTML+TIME (Timed Interactive Multimedia Extensions), a legacy feature that allowed synchronization of multimedia elements and animations in web pages through HTML and CSS extensions. The issue is classified as CWE-908 (Use of Uninitialized Resource), involving improper memory management where the TIME element handler either accesses memory objects before proper initialization or after deletion (use-after-free condition). When IE 6-8 processes specially crafted HTML+TIME elements, the engine fails to validate object states before use, allowing attackers to control memory contents and redirect execution flow. This affects the MSHTML rendering engine components specifically responsible for TIME element parsing and lifecycle management across Internet Explorer versions 6.0, 7.0, and 8.0 as identified by CPE strings.

Remediation (AI)

Apply Microsoft Security Bulletin MS11-050 released in June 2011, which provides cumulative security updates for all affected Internet Explorer versions (https://docs.microsoft.com/en-us/security-updates/securitybulletins/2011/ms11-050). The primary recommended action is upgrading to Internet Explorer 9 or later, which is not affected by this HTML+TIME implementation flaw as noted in Microsoft's technical blog (http://blogs.technet.com/b/srd/archive/2011/06/14/ms11-050-ie9-is-better.aspx). For systems that cannot immediately patch, disable HTML+TIME functionality by modifying registry settings to unregister the TIME2.DLL component, though this will break legitimate web content using SMIL animations and may impact business applications. Implement Enhanced Protected Mode and deploy browser isolation technologies such as Application Guard to contain exploitation attempts. Network-level defenses include blocking access to known malicious domains hosting exploit code and enabling URL filtering to prevent users from accessing untrusted websites. For enterprises still requiring IE 6-8 for legacy application compatibility, mandate running in virtualized or sandboxed environments with restricted network access, though this adds operational complexity and performance overhead.
