CVE-2013-6040
Description
MW6 Aztec, DataMatrix, and MaxiCode ActiveX controls before 4.0 allow remote code execution via a crafted HTML document causing a buffer overflow.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
MW6 Aztec, DataMatrix, and MaxiCode ActiveX controls before 4.0 allow remote code execution via a crafted HTML document causing a buffer overflow.
Vulnerability
The MW6 Aztec, DataMatrix, and MaxiCode ActiveX controls, versions before 4.0, contain a buffer overflow vulnerability in the Data parameter. When a user views a crafted HTML document, the ActiveX control processes an overly long string in the Data attribute, leading to memory corruption. Affected CLSIDs include {F359732D-D020-40ED-83FF-F381EFE36B54} (Aztec), {DE7DA0B5-7D7B-4CEA-8739-65CF600D511E} (DataMatrix), and {2355C601-37D1-42B4-BEB1-03C773298DC8} (MaxiCode) [4]. Version 4.0.0.1 is mentioned in the references, but the vulnerability exists prior to version 4.0 [1][2].
Exploitation
An attacker can exploit this vulnerability by hosting a specially crafted HTML document on a web page or sending it as an HTML email attachment. The user must open the document using Internet Explorer with ActiveX enabled. By providing a Data parameter value longer than 10000 characters (DataMatrix) or 9000 characters (Aztec), a buffer overflow occurs. The PoC code demonstrates a crash with control of the instruction pointer (e.g., EAX pointing to the attacker's buffer) [1][2]. The CERT/CC notes that exploitation requires convincing a user to view the malicious document [4].
Impact
Successful exploitation allows an attacker to execute arbitrary code with the privileges of the user. This can lead to full system compromise, including data theft, malware installation, or unauthorized access. Additionally, the vulnerability can cause the web browser to crash [4]. The CVSS v3 base score is 8.1 (High), and the CERT/CC base score is 9.3 (AV:N/AC:M/Au:N/C:C/I:C/A:C) [4].
Mitigation
MW6 Technologies released version 4.0 of the affected ActiveX controls, which resolves the vulnerability [1][2]. Users should update to the latest version. As a workaround, the CERT/CC recommends disabling the vulnerable ActiveX controls by setting the kill bit in Internet Explorer for the following CLSIDs: {2355C601-37D1-42B4-BEB1-03C773298DC8}, {F359732D-D020-40ED-83FF-F381EFE36B54}, and {DE7DA0B5-7D7B-4CEA-8739-65CF600D511E}. Additionally, disabling ActiveX controls in the Internet Zone can prevent exploitation [4]. The vulnerability is not listed in CISA's Known Exploited Vulnerabilities (KEV) catalog as of this writing.
AI Insight generated on May 23, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
Affected products
2- Range: <4.0
- Range: <4.0
Patches
0No patches discovered yet.
Vulnerability mechanics
No source-code context for this CVE — mechanics is only generated when we can read the actual fix diff. Without that, the four sections (root cause, attack vector, affected code, fix) would be speculation rather than analysis.
References
4- www.exploit-db.com/exploits/31176nvdExploit
- www.exploit-db.com/exploits/31177nvdExploit
- www.kb.cert.org/vuls/id/219470nvdUS Government Resource
- www.mw6tech.comnvd
News mentions
0No linked articles in our index yet.