Cyber Resilience

CVE-2017-0037

High · CISA KEV · Active Exploitation · EUVD Exploited · Public PoC

Published: 26 February 2017

Modified: 22 April 2026
KEV Added: 28 March 2022
Patch
CVSS Score v3.1: 8.1 (CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H)
EPSS Score: 0.8910 (99.6th percentile)
Risk Priority: 90 (60% EPSS · 20% KEV · 20% CVSS)

Summary

CVE-2017-0037 is a high-severity Type Confusion (CWE-843) vulnerability in Microsoft Windows 10 1507. Its CVSS base score is 8.1 (High).

Operationally, it is ranked in the top 0.4% of CVEs by exploit likelihood, CISA has added it to the Known Exploited Vulnerabilities catalog, and a public proof-of-concept is referenced.

The strongest mitigations our analysis identified are NIST 800-53 SI-2 (Flaw Remediation) and SC-18 (Mobile Code).

Deeper analysis

The vulnerability CVE-2017-0037 is a type confusion flaw in the Layout::MultiColumnBoxBuilder::HandleColumnBreakOnColumnSpanningElement function within mshtml.dll. It affects Microsoft Internet Explorer versions 10 and 11 as well as Microsoft Edge, and is catalogued under CWE-843.

Remote attackers can exploit the issue to execute arbitrary code. The attack requires a crafted CSS token sequence together with JavaScript code that manipulates a TH element; the CVSS 3.1 score of 8.1 reflects a network vector, high complexity, and no required privileges or user interaction.

Public references include Microsoft security bulletins, SecurityFocus and SecurityTracker entries, a 0patch analysis, and Google Project Zero issue 1011.

Vulnerability details

Microsoft Internet Explorer 10 and 11 and Microsoft Edge have a type confusion issue in the Layout::MultiColumnBoxBuilder::HandleColumnBreakOnColumnSpanningElement function in mshtml.dll, which allows remote attackers to execute arbitrary code via vectors involving a crafted Cascading Style Sheets (CSS) token sequence and crafted JavaScript code that operates on a TH element.

CWE(s)
KEV Date Added: 28 March 2022

Related Threats

No named actor attribution yet. ATT&CK technique mapping in progress for this CVE.

Affected Assets

microsoft / edge / all versions
microsoft / internet explorer / 11

Mitigating Controls (NIST 800-53 r5)

prevent

Directly requires timely installation of the vendor patch that eliminates the type-confusion flaw in mshtml.dll.

SC-18 Mobile Code partial match
prevent

Allows definition and enforcement of restrictions on mobile code (JavaScript/CSS) that is the required attack vector for this CVE.

prevent

Implements memory-protection safeguards that can block the unauthorized code execution resulting from the type-confusion condition.

References