CVE-2012-4792

HIGH
2012-12-30 [email protected]
8.8
CVSS 3.1
Share

CVSS Vector

CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H
Attack Vector
Network
Attack Complexity
Low
Privileges Required
None
User Interaction
Required
Scope
Unchanged
Confidentiality
High
Integrity
High
Availability
High

Lifecycle Timeline

5
Analysis Generated
Mar 26, 2026 - 11:18 vuln.today
Patch Released
Oct 22, 2025 - 01:15 nvd
Patch available
PoC Detected
Oct 22, 2025 - 01:15 vuln.today
Public exploit code
Added to CISA KEV
Oct 22, 2025 - 01:15 cisa
CISA KEV
CVE Published
Dec 30, 2012 - 18:55 nvd
HIGH 8.8

Description

Use-after-free vulnerability in Microsoft Internet Explorer 6 through 8 allows remote attackers to execute arbitrary code via a crafted web site that triggers access to an object that (1) was not properly allocated or (2) is deleted, as demonstrated by a CDwnBindInfo object, and exploited in the wild in December 2012.

Analysis

Internet Explorer 6 through 8 contain a use-after-free vulnerability in CDwnBindInfo object handling that allows remote code execution through crafted websites, exploited as a zero-day in December 2012.

Technical Context

The CWE-416 use-after-free occurs when IE improperly frees a CDwnBindInfo object while it is still referenced by other components. Accessing the freed memory through a dangling pointer allows attackers to control execution flow, typically using heap spraying to place shellcode at predictable addresses.

Affected Products

['Microsoft Internet Explorer 6', 'Microsoft Internet Explorer 7', 'Microsoft Internet Explorer 8']

Remediation

These IE versions are end-of-life. Migrate to modern browsers (Edge, Chrome, Firefox). Apply Microsoft security update MS13-008 for legacy systems that cannot be upgraded.

Priority Score

54
Low Medium High Critical
KEV: +50
EPSS: +91.4
CVSS: +44
POC: +20

Share

CVE-2012-4792 vulnerability details – vuln.today
Back

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy