CISA added a 2010-era Internet Explorer use-after-free flaw in the iepeers.dll Peer Objects component to the Known Exploited Vulnerabilities catalog on 2026-05-20, citing confirmed in-the-wild exploitation and assigning a remediation deadline of 2026-06-03.
What Is It
CVE-2010-0806 is a use-after-free vulnerability (CWE-399; secondary CWE-416) in the Peer Objects component, iepeers.dll, of Microsoft Internet Explorer. According to NVD, the flaw allows remote attackers to execute arbitrary code "via vectors involving access to an invalid pointer after the deletion of an object." Microsoft's name for it in its bulletin is the "Uninitialized Memory Corruption Vulnerability." NVD records it as exploited in the wild as far back as March 2010, so the KEV listing is not a new discovery but a formal acknowledgement of a long-known exploited bug.
The CVSS v3.1 base score is 8.8 (HIGH), vector AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H: network-reachable, low attack complexity, no privileges required, but user interaction is needed (typically luring the victim to a crafted web page or HTML e-mail rendered by the IE engine). The CVSS v2 base score is 9.3.
Why It Matters
CISA's KEV entry confirms active exploitation and explicitly flags the impacted product as potentially end-of-life or end-of-service, advising users to "discontinue product utilization." Successful exploitation yields arbitrary code execution in the context of the logged-on user, with complete impact to confidentiality, integrity, and availability; on the affected platforms that user is frequently a local administrator, which turns a browser bug into full control of the host. Ransomware campaign use is listed as "Unknown."
What's Vulnerable
Per NVD, the vulnerable component is iepeers.dll in:
- Microsoft Internet Explorer 6, 6 SP1, and 7
Affected host platforms in the configurations include Windows 2000 SP4, Windows XP SP2/SP3 (including x64), Windows Server 2003 SP2 (including Itanium), Windows Vista (RTM, SP1, SP2, x64), and Windows Server 2008 (RTM, SP2, across x32/x64/Itanium).
Patch Status
Microsoft first published Security Advisory 981374 with interim workarounds and then shipped the fix in cumulative update MS10-018. CISA's required action is: "Apply mitigations per vendor instructions, follow applicable BOD 22-01 guidance for cloud services, or discontinue use of the product if mitigations are unavailable." Federal civilian agencies must remediate by 2026-06-03. Because the affected IE versions and the operating systems they ship with are long out of support, discontinuation is the realistic path for most environments still running them; where a legacy host (a kiosk, an OT HMI, a vendor appliance) genuinely cannot be retired, it should at minimum be kept off the internet and prevented from browsing arbitrary web content.
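The two operational questions this entry raises are which hosts in an estate still run an IE version inside NVD's affected configurations (the "What's Vulnerable" list above) and how much time remains against the KEV due date. The script below is an added illustration of that triage, not CISA, NVD or Microsoft tooling: the KEV record is constructed here using the public catalog's JSON field names and the figures quoted on this page, and the host inventory rows (hostnames and IE file versions) are made up.

```python
"""Match a CISA KEV entry against an inventory of Internet Explorer installs.

Added illustration for this page; not CISA, NVD or Microsoft tooling.
KEV_JSON below mirrors the public catalog's JSON field names but is
constructed from the figures quoted in the text, and INVENTORY is made up.
"""
import json
import re
from datetime import date

# Constructed KEV-style record: field names follow the public KEV feed,
# values are the ones quoted on this page.
KEV_JSON = """
{
  "vulnerabilities": [
    {
      "cveID": "CVE-2010-0806",
      "vendorProject": "Microsoft",
      "product": "Internet Explorer",
      "dateAdded": "2026-05-20",
      "dueDate": "2026-06-03",
      "requiredAction": "Apply mitigations per vendor instructions, follow applicable BOD 22-01 guidance for cloud services, or discontinue use of the product if mitigations are unavailable.",
      "knownRansomwareCampaignUse": "Unknown"
    }
  ]
}
"""

# IE major versions in NVD's affected configurations for CVE-2010-0806
# (6, 6 SP1 and 7). IE 8 and later are not listed there.
AFFECTED_MAJORS = {6, 7}

# Constructed inventory rows: hostname plus the IE file version as a
# scanner or logon script might report it. An empty string models a
# host the scanner could not read.
INVENTORY = [
    {"host": "kiosk-01",     "ie_version": "6.0.2900.5512"},
    {"host": "hmi-02",       "ie_version": "7.0.5730.13"},
    {"host": "ws-legacy-03", "ie_version": "8.0.6001.18702"},
    {"host": "ws-04",        "ie_version": "11.0.9600.19596"},
    {"host": "ws-05",        "ie_version": ""},
]

_VERSION_RE = re.compile(r"^\s*(\d+)(?:\.\d+)*\s*$")


def load_kev(text):
    """Parse KEV JSON and index entries by CVE ID."""
    data = json.loads(text)
    return {v["cveID"]: v for v in data["vulnerabilities"]}


def ie_major(version):
    """Return the IE major version from a dotted version string, or None."""
    m = _VERSION_RE.match(version or "")
    return int(m.group(1)) if m else None


def is_affected(version):
    """True when the reported IE version falls in NVD's affected set."""
    return ie_major(version) in AFFECTED_MAJORS


def days_until_due(entry, today):
    """Days from `today` to the KEV dueDate; negative once the deadline has passed."""
    return (date.fromisoformat(entry["dueDate"]) - today).days


def triage(entry, inventory, today):
    """Split hosts into affected / unverifiable and report deadline status.

    Hosts whose version could not be parsed are reported separately rather
    than silently treated as safe: an unreadable host is an open question,
    not a clean one.
    """
    affected, unknown = [], []
    for row in inventory:
        major = ie_major(row["ie_version"])
        if major is None:
            unknown.append(row["host"])
        elif major in AFFECTED_MAJORS:
            affected.append(row["host"])
    remaining = days_until_due(entry, today)
    return {
        "cve": entry["cveID"],
        "affected_hosts": affected,
        "unverified_hosts": unknown,
        "days_until_due": remaining,
        "overdue": remaining < 0,
        "required_action": entry["requiredAction"],
    }


if __name__ == "__main__":
    entry = load_kev(KEV_JSON)["CVE-2010-0806"]
    print(json.dumps(triage(entry, INVENTORY, date.today()), indent=2))
```

In a real run the KEV text comes from CISA's published JSON feed and the inventory from whatever asset source you trust; the matching logic stays the same. Note that the affected set is deliberately the NVD configuration list quoted on this page, so an IE 8 host is reported as out of scope for this CVE even though it is equally unsupported and should be on a retirement list of its own.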