Cyber Resilience

CVE-2014-0322

HighCISA KEVActive ExploitationEUVD ExploitedPublic PoC

Published: 14 February 2014

Published
14 February 2014
Modified
22 April 2026
KEV Added
04 May 2022
Patch
CVSS Score v3.1 8.8 CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H
EPSS Score 0.9297 99.8th percentile
Risk Priority 93 60% EPSS · 20% KEV · 20% CVSS

Summary

CVE-2014-0322 is a high-severity Use After Free (CWE-416) vulnerability in Microsoft Windows Server 2008. Its CVSS base score is 8.8 (High).

Operationally, ranked in the top 0.2% of CVEs by exploit likelihood; CISA has added it to the Known Exploited Vulnerabilities catalog; a public proof-of-concept is referenced.

The strongest mitigations our analysis identified are NIST 800-53 SI-2 (Flaw Remediation) and SC-18 (Mobile Code).

Deeper analysis

Use-after-free vulnerability CVE-2014-0322 affects Microsoft Internet Explorer 9 and 10. It is triggered by specially crafted JavaScript that manipulates CMarkup objects through the onpropertychange attribute on a script element, as classified under CWE-416.

Remote attackers can exploit the flaw by serving malicious web content to victims, resulting in arbitrary code execution with the privileges of the current user. The vulnerability was observed being exploited in the wild during January and February 2014.

Microsoft published security advisory 2934088 to address the issue, while public exploit code has been posted to Exploit-DB and targeted attacks have been reported against organizations such as French aerospace entities. The CVSS 3.1 base score of 8.8 reflects the high impact of successful exploitation over the network without authentication.

EU & UK References

Vulnerability details

Use-after-free vulnerability in Microsoft Internet Explorer 9 and 10 allows remote attackers to execute arbitrary code via vectors involving crafted JavaScript code, CMarkup, and the onpropertychange attribute of a script element, as exploited in the wild in January and February…

more

2014.

CWE(s)
KEV Date Added
04 May 2022

Related Threats

No named actor attribution yet. ATT&CK technique mapping in progress for this CVE.

Affected Assets

microsoft
internet explorer
10, 9

Mitigating Controls

Mitigating Controls (NIST 800-53 r5) AI

prevent

Directly requires timely application of the Microsoft patch (advisory 2934088) that eliminates the use-after-free flaw in IE 9/10.

SC-18 Mobile Code partial match
prevent

Restricts or sandbox-executes untrusted JavaScript (mobile code) that triggers the CMarkup/onpropertychange exploit path.

prevent

Implements memory-protection safeguards that can block or detect the unauthorized code execution resulting from the use-after-free condition.

References