High | Known exploited (KEV) | CVE-2010-0249

Internet Explorer Use-After-Free Vulnerability (CVE-2010-0249 / Operation Aurora) — Remote Code Execution Risk in an End-of-Life Product

Microsoft Internet Explorer | Added to KEV May 20, 2026 | Federal remediation due 2026-06-03

A use-after-free vulnerability in Microsoft Internet Explorer can let a remote attacker run arbitrary code when a user opens a crafted page. CVSS 8.8 (High).

Key facts

  • CVE ID: CVE-2010-0249
  • CVSS base score: 8.8 HIGH
  • CVSS vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H
  • Affected (vendor / product): Microsoft Internet Explorer
  • CWE: CWE-416
  • Exploitation: Listed in CISA KEV (exploitation confirmed)
  • Remediation due: 2026-06-03 (U.S. federal civilian agencies, BOD 22-01)

Key points

  • A use-after-free flaw that can lead to remote code execution (CVSS 8.8 / High).
  • Exploitation is triggered when a user opens a crafted web page (UI:R).
  • Famous for its use in the 2009–2010 Operation Aurora targeted attacks.
  • Internet Explorer is an end-of-life product, so vendor fixes are not expected.
  • Added to CISA KEV on 2026-05-20, with a remediation deadline of 2026-06-03.

A use-after-free occurs when a program continues to treat a region of memory as valid after it has already been freed (released). When that region falls under an attacker's control, the program's behavior can be hijacked, opening the door to remote code execution. In this case the flaw lives in the Internet Explorer web browser and is triggered when a user opens a crafted page (UI:R means user interaction is required). It carries a CVSS score of 8.8 (High).

This vulnerability is widely known for its role in Operation Aurora, a targeted attack campaign that came to light during 2009 and 2010. Numerous large enterprises, including Google, were reported to have been targeted, making it a landmark example of how a browser flaw can become an entry point into an organization. Even many years after it first surfaced, its presence in CISA's KEV catalog underscores that older vulnerabilities can remain attractive targets.

What stands out is that Internet Explorer has reached end of life (EoL). Because vendors are not expected to issue fixes for retired products, continuing to use them lets risk accumulate over time. CISA directs organizations to apply mitigations per vendor instructions under BOD 22-01, and to discontinue use of the product where such mitigations cannot be applied.

Why it matters

Organizations still running the end-of-life Internet Explorer carry an ongoing remote-code-execution risk with no expected vendor fix. Federal agencies must remediate by the deadline under BOD 22-01. For private organizations, the listing is a concrete reminder that older vulnerabilities remain in play, and a prompt to inventory end-of-life software and reprioritize migration.

FAQ

What is a use-after-free vulnerability?
It is a flaw where a program keeps treating a memory region as valid after it has been freed. If that region falls under an attacker's control, it can enable remote code execution.

What was Operation Aurora?
It is the name given to a targeted attack campaign that came to light in 2009 and 2010. Many large enterprises, including Google, were reported to have been targeted, and this vulnerability is associated with that campaign.

Why is an end-of-life product still listed in KEV?
Retired products are unlikely to receive fixes, so risk persists as long as they remain in use. CISA calls for vendor-directed mitigations and, where those cannot be applied, discontinuing use of the product.

Sources (primary)

This article is an independent summary based on the official U.S. data below. Always verify the exact, latest details and applicability with the official and vendor sources.
