CVE-2010-3190

CVE	CVE-2010-3190
State	PUBLISHED
Assigner	mitre
Source Priority	CVE Program / NVD first with legacy fallback
Published	2010-08-31 20:00:02 UTC
Updated	2026-05-28 19:16:23 UTC
Description	Untrusted search path vulnerability in the Microsoft Foundation Class (MFC) Library in Microsoft Visual Studio .NET 2003 SP1; Visual Studio 2005 SP1, 2008 SP1, and 2010; Visual C++ 2005 SP1, 2008 SP1, and 2010; and Exchange Server 2010 Service Pack 3, 2013, and 2013 allows local users to gain privileges via a Trojan horse dwmapi.dll file in the current working directory during execution of an MFC application such as AtlTraceTool8.exe (aka ATL MFC Trace Tool), as demonstrated by a directory that contains a TRC, cur, rs, rct, or res file, aka "MFC Insecure Library Loading Vulnerability."

Primary CVSS: v3.1 7.8 HIGH from ADP

CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H

EPSS: 0.379210000 probability, percentile 0.972920000 (date 2026-06-02)

Problem Types: CWE-426 | n/a | CWE-426 CWE-426 Untrusted Search Path

Version	Source	Type	Score	Severity	Vector
3.1	ADP	DECLARED	7.8	HIGH	`CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H`
3.1	134c704f-9b21-4f2e-91b3-4a467353bcc0	Secondary	7.8	HIGH	`CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H`
2.0	[email protected]	Primary	9.3		`AV:N/AC:M/Au:N/C:C/I:C/A:C`

Attack Vector

Local

Attack Complexity

Low

Privileges Required

None

User Interaction

Required

Scope

Unchanged

Confidentiality

High

Integrity

High

Availability

High

CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H

Access Vector

Network

Access Complexity

Medium

Authentication

None

Confidentiality

Complete

Integrity

Complete

Availability

Complete

AV:N/AC:M/Au:N/C:C/I:C/A:C

Type	Vendor	Product	Version	Update	Edition	Language
Application	Apple	Itunes	12.1.3	All	All	All
Application	Microsoft	Visual C	2005	sp1	All	All
Application	Microsoft	Visual C	2008	sp1	All	All
Application	Microsoft	Visual C	2010	sp1	All	All
Application	Microsoft	Visual Studio	2005	sp1	All	All
Application	Microsoft	Visual Studio	2008	sp1	All	All
Application	Microsoft	Visual Studio	2010	-	All	All
Application	Microsoft	Visual Studio .net	2003	sp1	All	All

Source	Vendor	Product	Version	Platforms
CNA	Na	N/a	affected n/a	Not specified

Reference	Source	Link	Tags
About the security content of iTunes 12.3 - Apple Support	af854a3a-2127-422b-91ae-364da2661108	support.apple.com	Vendor Advisory
APPLE-SA-2015-09-16-3 iTunes 12.3	af854a3a-2127-422b-91ae-364da2661108	lists.apple.com	Mailing List, Vendor Advisory
portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2010-3190	af854a3a-2127-422b-91ae-364da2661108	portal.msrc.microsoft.com	Patch, Vendor Advisory
US-CERT Technical Cyber Security Alert TA11-102A -- Microsoft Updates for Multiple Vulnerabilities	af854a3a-2127-422b-91ae-364da2661108	www.us-cert.gov	Third Party Advisory, US Government Resource
Microsoft ATL/MFC Trace Tool 'dwmapi.dll' DLL Loading Arbitrary Code Execution Vulnerability	af854a3a-2127-422b-91ae-364da2661108	www.securityfocus.com	Third Party Advisory, VDB Entry
MS Visual Studio Insecure Library Loading Vulnerability - Advisories - Community	af854a3a-2127-422b-91ae-364da2661108	secunia.com	Third Party Advisory
Microsoft Security Bulletin MS11-025 - Important \| Microsoft Docs	af854a3a-2127-422b-91ae-364da2661108	docs.microsoft.com	Patch, Vendor Advisory
DLL Hijacking (KB 2269637) – the unofficial list \| Peter Van Eeckhoutte's Blog	af854a3a-2127-422b-91ae-364da2661108	www.corelan.be	Broken Link
Repository / Oval Repository	af854a3a-2127-422b-91ae-364da2661108	oval.cisecurity.org	Third Party Advisory
CVE Program record	CVE.ORG	www.cve.org	canonical
NVD vulnerability detail	NVD	nvd.nist.gov	canonical, analysis

No vendor comments have been submitted for this CVE.

There are currently no legacy QID mappings associated with this CVE.