What is the CVSS score of CVE-2014-0322?

CVE-2014-0322 has a CVSS 3.1 base score of 8.8 (High). CVSS vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H. EPSS exploitation probability: 93.2%.

Which versions of Microsoft are affected by CVE-2014-0322?

Organizations using Use-after-free vulnerability in Microsoft Internet Explorer 9 and 10 face significant risk from CVE-2014-0322, a use-after-free vulnerability rated CVSS 8.8.. A patch is available.

Is there a public PoC exploit available for CVE-2014-0322?

Yes, a public proof-of-concept exploit is available for CVE-2014-0322. Prioritise patching immediately. EPSS: 93.2%.

How to fix or mitigate CVE-2014-0322?

Within 24 hours: Identify all affected systems and apply vendor patches immediately. If patching is delayed, consider network segmentation to limit exposure.

Microsoft CVE-2014-0322

HIGH

Use After Free (CWE-416)

2014-02-14 secure@microsoft.com

RCE Use After Free Memory Corruption Microsoft

8.8

CVSS 3.1

CVSS VectorNVD

CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H

Attack Vector

Network

Attack Complexity

Low

Privileges Required

None

User Interaction

Required

Scope

Unchanged

Confidentiality

High

Integrity

High

Availability

High

Lifecycle Timeline

Re-analysis Queued

Apr 21, 2026 - 15:22 vuln.today

cvss_changed

Analysis Generated

Mar 26, 2026 - 11:18 vuln.today

Added to CISA KEV

Oct 22, 2025 - 01:15 cisa

CISA KEV

PoC Detected

Oct 22, 2025 - 01:15 vuln.today

Public exploit code

Patch released

Oct 22, 2025 - 01:15 nvd

Patch available

CVE Published

Feb 14, 2014 - 16:55 nvd

HIGH 8.8

DescriptionNVD

Use-after-free vulnerability in Microsoft Internet Explorer 9 and 10 allows remote attackers to execute arbitrary code via vectors involving crafted JavaScript code, CMarkup, and the onpropertychange attribute of a script element, as exploited in the wild in January and February 2014.

AnalysisAI

Internet Explorer 9 and 10 contain a use-after-free vulnerability in CMarkup object handling exploitable via crafted JavaScript, used in 'Operation SnowMan' watering hole attacks targeting US military and defense in early 2014.

Technical ContextAI

The CWE-416 use-after-free is triggered through a sequence of JavaScript operations involving CMarkup objects and onpropertychange event handlers. By creating and destroying DOM elements in a specific pattern, the attacker causes a CMarkup object to be freed while still referenced, then uses heap spray to control the freed memory.

RemediationAI

Migrate to modern browsers. Apply Microsoft security update MS14-012. This was a key driver in the industry's push to deprecate legacy IE versions.

More from same product – last 7 days

CVE-2026-10044 HIGH This Week POC

8.2 May 28

{filename} endpoint. The flawed traversal guard only rejects forward slashes and '..' sequences, so absolute Windows pat

CVE-2026-40412 CRITICAL Monitor

10.0 May 22

Remote code execution in Microsoft Azure Orbital Spatio allows unauthenticated network attackers to upload dangerous fil

CVE-2026-41104 CRITICAL Monitor

10.0 May 22

Unsafe deserialization in Microsoft Planetary Computer Pro (Geocatalog) lets a remote unauthenticated attacker craft mal

CVE-2026-23652 CRITICAL Monitor

10.0 May 22

Remote code execution in Microsoft Power Pages allows unauthenticated network attackers to inject and execute operating-

CVE-2026-47280 CRITICAL Monitor

10.0 May 22

Privilege elevation in Microsoft Azure Resource Manager (ARM) allows remote unauthenticated attackers to bypass authenti

CVE-2014-0322 vulnerability details – vuln.today

Back

Microsoft CVE-2014-0322

CVSS VectorNVD

Lifecycle Timeline

DescriptionNVD

AnalysisAI

Technical ContextAI

RemediationAI

More from same product – last 7 days

Share

External POC / Exploit Code