CVE-2012-1889
HIGH
CVSS Vector
CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H
Description
Microsoft XML Core Services 3.0, 4.0, 5.0, and 6.0 accesses uninitialized memory locations, which allows remote attackers to execute arbitrary code or cause a denial of service (memory corruption) via a crafted web site.
Analysis
Microsoft XML Core Services 3.0 through 6.0 access uninitialized memory locations, allowing remote attackers to execute code or cause memory corruption through a crafted website. The flaw was actively exploited before a patch was available.
Technical Context
The CWE-787 vulnerability occurs when MSXML fails to properly initialize memory locations before use during XML document parsing. Attackers can trigger the uninitialized memory access through a crafted webpage, allowing them to control the contents of the uninitialized memory to achieve code execution.
Affected Products
Microsoft XML Core Services 3.0
Microsoft XML Core Services 4.0
Microsoft XML Core Services 5.0
Microsoft XML Core Services 6.0
Remediation
Apply Microsoft security update MS12-043. The underlying MSXML components are system libraries, so Windows Update is the correct remediation path.