VYPR
Unrated severity · NVD Advisory · Published Nov 11, 2015 · Updated May 6, 2026

CVE-2015-6086

Description

Microsoft Internet Explorer 9 through 11 allows remote attackers to obtain sensitive information from process memory via a crafted web site, aka "Internet Explorer Information Disclosure Vulnerability."

AI Insight

LLM-synthesized narrative grounded in this CVE's description and references.

Microsoft Internet Explorer 9 through 11 have an out-of-bounds read vulnerability in CDOMStringDataList::InitFromString that leaks process memory, aiding ASLR bypass.

Vulnerability

CVE-2015-6086 is an out-of-bounds read vulnerability in Microsoft Internet Explorer 9, 10, and 11. It exists in the CDOMStringDataList::InitFromString function due to improper handling of newline and whitespace characters. An attacker can trigger an out-of-bounds read by manipulating a document's elements, leading to memory disclosure [1][2][3].

Exploitation

An unauthenticated remote attacker can exploit this vulnerability by hosting a specially crafted webpage and convincing a user to view it via Internet Explorer. No special privileges are required. The attacker crafts the page to cause the browser to read beyond the bounds of an allocated chunk, leaking memory contents such as the base address of MSHTML.DLL [2][3].

Impact

Successful exploitation results in information disclosure from process memory, specifically leaking the base address of MSHTML.DLL. This allows an attacker to bypass Address Space Layout Randomization (ASLR), which can then be used as part of a broader exploit chain [2][3]. The vulnerability does not directly allow code execution or privilege escalation.

Mitigation

Microsoft released security bulletin MS15-112 on November 10, 2015, which includes an update (KB 3104517) that fixes this vulnerability by modifying how Internet Explorer handles objects in memory [1]. Users should apply the update immediately. No workarounds are documented.

AI Insight generated on May 23, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.

Affected products

4

  • cpe:2.3:a:microsoft:internet_explorer:10:*:*:*:*:*:*:*
  • cpe:2.3:a:microsoft:internet_explorer:11:-:*:*:*:*:*:*
  • cpe:2.3:a:microsoft:internet_explorer:9:*:*:*:*:*:*:*
  • (no CPE) range: 9-11

References

5
