Cyber Resilience

CVE-2016-3351

Medium · CISA KEV · Active Exploitation · EUVD Exploited · Public PoC · Ransomware-linked

Published: 14 September 2016

Modified: 22 April 2026
KEV Added: 24 May 2022
Patch
CVSS Score v3.1: 6.5 (CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:N/A:N)
EPSS Score: 0.4541 (97.7th percentile)
Risk Priority: 60 (60% EPSS · 20% KEV · 20% CVSS)

Summary

CVE-2016-3351 is a medium-severity vulnerability of an unspecified weakness class in Microsoft Internet Explorer. Its CVSS base score is 6.5 (Medium).

Operationally, it is ranked in the top 2.3% of CVEs by exploit likelihood, CISA has added it to the Known Exploited Vulnerabilities catalog, and a public proof-of-concept is referenced.

The strongest mitigations our analysis identified are NIST 800-53 SI-2 (Flaw Remediation) and SI-3 (Malicious Code Protection).

Deeper analysis

Microsoft Internet Explorer 9 through 11 and Microsoft Edge are affected by an information disclosure vulnerability tracked as CVE-2016-3351. The flaw permits remote attackers to obtain sensitive information from a victim by serving a specially crafted web site. The NVD entry assigns a CVSS 3.1 base score of 6.5, reflecting a network attack vector, low complexity, no required privileges, and required user interaction.

An unauthenticated remote attacker can exploit the issue by convincing a user to visit a malicious web page under the attacker's control. Successful exploitation results in disclosure of sensitive browser or system information while leaving integrity and availability unaffected.

Microsoft addressed the vulnerability through security bulletins MS16-104 and MS16-105, which are referenced in the available advisories along with related tracking entries on SecurityFocus and SecurityTracker. No further details on exploitation in the wild or additional mitigations are provided in the source data.

EU & UK References

Vulnerability details

Microsoft Internet Explorer 9 through 11 and Microsoft Edge allow remote attackers to obtain sensitive information via a crafted web site, aka "Microsoft Browser Information Disclosure Vulnerability."

CWE(s)
KEV Date Added: 24 May 2022

Related Threats

No named actor attribution yet. ATT&CK technique mapping in progress for this CVE.

Affected Assets

Vendor · Product · Versions
microsoft · internet explorer · 10, 11, 9
microsoft · edge · all versions

Mitigating Controls

Mitigating Controls (NIST 800-53 r5)

Prevent: Directly requires timely installation of the vendor patches (MS16-104/105) that eliminate the browser information disclosure flaw.

Prevent: Enforces malicious-code protections such as URL filtering and script blocking that stop a user from reaching the crafted site used to trigger CVE-2016-3351.

Detect: Explicitly requires monitoring for information disclosure events that would result from successful exploitation of the browser flaw.

References