The 2011 Pwnie Nominee For Best Client-Side Bug

Java mismatched codebase arbitrary code execution (CVE-2010-4452)

Credit: Frédéric Hoguin

This vulnerability is particularly interesting in that it only uses features of the Java to gain arbitrary code execution capability. It doesn’t use any common exploitation technique like buffer overflows, or memory corruption. As it only uses known features of the JRE, it is 100% reliable.