CISA added CVE-2010-0249, the Internet Explorer use-after-free flaw weaponized during Operation Aurora, to the Known Exploited Vulnerabilities catalog on 2026-05-20, with a remediation due date of 2026-06-03.
What Is It
CVE-2010-0249 is a use-after-free vulnerability (CWE-416) in Microsoft Internet Explorer, also known as the "HTML Object Memory Corruption Vulnerability." Remote attackers can execute arbitrary code by accessing a pointer associated with a deleted object, a condition tied to incorrectly initialized memory and improper handling of objects in memory. The flaw carries a CVSS 3.1 base score of 8.8 (HIGH), vector AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H, and a legacy CVSS 2.0 score of 9.3.
Why It Matters
This is the vulnerability that powered Operation Aurora, exploited in the wild in December 2009 and January 2010 against high-profile targets. CISA's KEV listing confirms active exploitation history and demands action. Exploitation requires only that a user visit a malicious page (user interaction required, no privileges needed), yielding full confidentiality, integrity, and availability impact. CISA notes the affected product is likely end-of-life or end-of-service, meaning patches may not be available, and users should discontinue use where mitigations cannot be applied.
What's Vulnerable
Per NVD, affected configurations include:
- Internet Explorer 6, 6 SP1, 7, and 8
- Running on Windows 2000 SP4; Windows XP SP2 and SP3; Windows Server 2003 SP2; Windows Vista Gold, SP1, SP2; Windows Server 2008 Gold, SP2, and R2; and Windows 7
CPE data also references Internet Explorer 5.0.1 SP4 on Windows 2000 SP4.
Patch Status
Microsoft addressed the issue in security bulletin MS10-002 and Security Advisory 979352 (KB979352). CISA's required action: apply mitigations per vendor instructions, follow applicable BOD 22-01 guidance for cloud services, or discontinue use of the product if mitigations are unavailable. Federal civilian agencies have until 2026-06-03 to comply. Given that the affected browser and OS versions are long past end of support, discontinuation is the practical path for any remaining deployments.