Cyber Resilience

CVE-2013-2551

Severity: High · CISA KEV · Active Exploitation · EUVD Exploited · Ransomware-linked

Published: 11 March 2013
Modified: 21 April 2026
KEV Added: 28 March 2022
CVSS Score v3.1: 8.8 (CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H)
EPSS Score: 0.9241 (99.7th percentile)
Risk Priority: 93 (60% EPSS · 20% KEV · 20% CVSS)

Summary

CVE-2013-2551 is a high-severity use-after-free (CWE-416) vulnerability in Microsoft Internet Explorer 6 through 10. Its CVSS v3.1 base score is 8.8 (High).

Operationally, it ranks in the top 0.3% of CVEs by exploit likelihood (EPSS 0.9241), and CISA has added it to the Known Exploited Vulnerabilities catalog.

The strongest mitigations our analysis identified are NIST 800-53 SI-16 (Memory Protection) and SI-2 (Flaw Remediation).

Deeper analysis

The vulnerability is a use-after-free flaw, tracked as CWE-416, that affects Microsoft Internet Explorer versions 6 through 10. It occurs when the browser accesses an object after that object has been freed: if the freed memory has meanwhile been reallocated to content the attacker controls, the stale reference reads attacker-chosen data, which is the memory corruption that can be leveraged for code execution. The issue was assigned CVE-2013-2551 and is distinct from the related use-after-free problems reported as CVE-2013-1308 and CVE-2013-1309.

Remote attackers can exploit the flaw by serving a specially crafted web page that triggers the use-after-free condition. Successful exploitation grants arbitrary code execution in the context of the current user. The CVSS 3.1 score of 8.8 reflects a network attack vector, low attack complexity, no privileges required, and high impact on confidentiality, integrity, and availability; the UI:R component records that the victim must open the attacker's page, which is why crafted-site delivery (phishing, watering-hole, malvertising) is the realistic path. The vulnerability was publicly demonstrated by VUPEN researchers during the Pwn2Own contest at CanSecWest 2013.
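The sequence the two paragraphs above describe, as an added illustration that is not Internet Explorer's code and not taken from the cited reports: a toy element with a reference count, a fixed slot pool standing in for the heap so that slot reuse after free is deterministic (and every access stays defined behaviour), and an attacker "reclaim" step that refills the freed slot. The element layout, the 0x1000 dispatch value and the 0x41 fill are assumptions chosen for the demonstration; the actual IE object and trigger are not described in the references and are not modelled here. The vulnerable path shows the stale pointer yielding attacker bytes where a dispatch pointer should be; the hardened path shows the AddRef/Release discipline that keeps the object alive while the layout pass still uses it.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Toy model of a browser DOM element. Field names and constants are
 * assumptions for illustration, not Internet Explorer's internals. */
typedef struct Element {
    int refcount;
    uintptr_t dispatch;  /* stands in for a C++ vtable slot the browser calls through */
    int width;
} Element;

/* A fixed pool stands in for the heap so that slot reuse after free is
 * deterministic and every access below stays defined behaviour. */
#define SLOTS 4
#define SLOT_BYTES 32
typedef union Slot { Element e; uint8_t raw[SLOT_BYTES]; } Slot;
_Static_assert(sizeof(Element) <= SLOT_BYTES, "Element must fit in a slot");

static Slot pool[SLOTS];
static int slot_free[SLOTS];

static void pool_reset(void) { for (int i = 0; i < SLOTS; i++) slot_free[i] = 1; }
static int slot_is_free(int i) { return slot_free[i]; }

/* First-fit allocation: a freed slot is handed out again on the very next
 * request, which is the property a use-after-free exploit relies on.
 * The demo never allocates more than two slots per run, so NULL is not hit. */
static Slot *pool_alloc(void) {
    for (int i = 0; i < SLOTS; i++) {
        if (slot_free[i]) {
            slot_free[i] = 0;
            memset(pool[i].raw, 0, SLOT_BYTES);
            return &pool[i];
        }
    }
    return NULL;
}
static void pool_free(Slot *s) { slot_free[s - pool] = 1; }

static Element *element_new(void) {
    Element *e = &pool_alloc()->e;
    e->refcount = 1;
    e->dispatch = 0x1000;  /* assumed legitimate dispatch target */
    e->width = 100;
    return e;
}
static void element_addref(Element *e) { e->refcount++; }
static void element_release(Element *e) {
    if (--e->refcount == 0) pool_free((Slot *)e);
}

/* Attacker-controlled script reclaims whatever slot was just freed with bytes
 * it chooses (the reclaim/spray step of a use-after-free exploit). */
static void attacker_reclaim(void) {
    Slot *s = pool_alloc();
    if (s) memset(s->raw, 0x41, SLOT_BYTES);
}

/* The value a uintptr_t holds when every byte is 0x41, for comparison. */
static uintptr_t all_0x41(void) { uintptr_t v; memset(&v, 0x41, sizeof v); return v; }

/* Vulnerable sequence (CWE-416): the layout pass keeps a raw pointer while an
 * event callback drops the only reference; after the attacker reclaims the
 * slot, the stale pointer reads attacker bytes where a dispatch pointer was. */
static uintptr_t layout_vulnerable(void) {
    pool_reset();
    Element *e = element_new();   /* refcount 1, owned by the document tree */
    /* script callback fired mid-layout removes the element from the tree */
    element_release(e);           /* refcount 0 -> slot freed; e now dangles */
    attacker_reclaim();           /* same slot, now filled with 0x41 */
    return e->dispatch;           /* use after free: attacker-controlled value */
}

/* Hardened sequence: layout takes its own reference before any callback can
 * run, so the callback's release cannot destroy an object still in use. */
static uintptr_t layout_hardened(void) {
    pool_reset();
    Element *e = element_new();
    element_addref(e);            /* refcount 2: tree + layout */
    element_release(e);           /* callback removes it from the tree: refcount 1 */
    attacker_reclaim();           /* slot still live, attacker gets a different one */
    uintptr_t seen = e->dispatch; /* still 0x1000 */
    element_release(e);           /* layout done: refcount 0, slot freed only now */
    return seen;
}

int main(void) {
    printf("vulnerable layout sees dispatch = 0x%lx\n", (unsigned long)layout_vulnerable());
    printf("hardened   layout sees dispatch = 0x%lx\n", (unsigned long)layout_hardened());
    printf("slot 0 free after hardened run: %d\n", slot_is_free(0));
    return 0;
}
```

The first-fit pool is what makes the reclaim deterministic; on a real heap the attacker has to arrange the same outcome with allocation patterns, which is where the browser-specific work of an exploit goes. The fix shown (take a reference across the window in which callbacks may run) is the general remedy for this class of bug; it is not a claim about what MS13-037 changed in Internet Explorer.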

Microsoft addressed the issue in security bulletin MS13-037, and US-CERT alert TA13-134A recommends applying the vendor updates. Additional details on the demonstration appear in contemporaneous reports from HP Security Research and Zero Day Initiative.

The cited references document exploitation only in the contest setting and give no details of in-the-wild use. The CISA KEV listing (added 28 March 2022) and the exploitation tags at the top of this entry indicate that real-world exploitation has since been observed, but this page's references do not describe it.


Vulnerability details

Use-after-free vulnerability in Microsoft Internet Explorer 6 through 10 allows remote attackers to execute arbitrary code via a crafted web site that triggers access to a deleted object, as demonstrated by VUPEN during a Pwn2Own competition at CanSecWest 2013, aka "Internet Explorer Use After Free Vulnerability," a different vulnerability than CVE-2013-1308 and CVE-2013-1309.

CWE(s): CWE-416 Use After Free
KEV Date Added: 28 March 2022

Related Threats

No named actor attribution yet. ATT&CK technique mapping in progress for this CVE.

Affected Assets

Microsoft Internet Explorer 6, 7, 8, 9, 10

Mitigating Controls

Mitigating Controls (NIST 800-53 r5)

SI-2 Flaw Remediation (prevent)
Directly requires timely application of vendor patches such as MS13-037 to eliminate the use-after-free flaw before exploitation.

SI-16 Memory Protection (prevent)
Implements memory-protection safeguards (data execution prevention and address space layout randomization are the examples the control itself cites) that raise the cost of turning use-after-free memory corruption in the browser into code execution; they do not remove the flaw.

SC-18 Mobile Code (prevent, partial match)
Establishes usage restrictions and controls on mobile code (scripts and active content) delivered by crafted web pages; since the trigger is a crafted page, restricting active scripting for untrusted zones reduces exposure until the patch is applied.
