CVE-2019-0752

CVE-2019-0752 is a high-severity vulnerability in Microsoft Internet Explorer with a CVSS 3.x base score of 7.5. It is listed in CISA's Known Exploited Vulnerabilities (KEV) catalog, confirming it has been exploited in the wild (added 2022-02-15). The underlying weakness is classified as CWE-843.

Key facts

Description

A remote code execution vulnerability exists in the way that the scripting engine handles objects in memory in Internet Explorer, aka 'Scripting Engine Memory Corruption Vulnerability'. This CVE ID is unique from CVE-2019-0739, CVE-2019-0753, CVE-2019-0862.

CVE-2019-0752: Internet Explorer Scripting Engine Type Confusion RCE

AI-generated analysis based on the vulnerability data on this page.

Attribute Value
CVE ID CVE-2019-0752
CWE CWE-843 — Type Confusion
CVSS v2 7.6 (High) — AV:N/AC:H/Au:N/C:C/I:C/A:C
CVSS v3 7.5 (High) — CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:U/C:H/I:H/A:H
EPSS 0.81551 (99.60th percentile)
KEV Listed since 2022-02-15
EU Exploited Yes — EUVD-2019-1511
Published 2019-04-09
Assigner Microsoft Security Response Center

Summary

CVE-2019-0752 is a remote code execution vulnerability in the scripting engine of Internet Explorer. It arises from a type confusion condition when the engine handles objects in memory, enabling an attacker to corrupt memory and execute arbitrary code in the context of the current user. This vulnerability is one of a cluster of related scripting engine memory corruption issues disclosed by Microsoft in April 2019.

Background

Internet Explorer's scripting engine (formerly JScript/JScript9/Chakra) is responsible for executing JavaScript and other active content within web pages. The engine manages complex object lifecycles, type checking, and memory allocations. In 2019, Microsoft patched multiple memory corruption flaws in this component (CVE-2019-0739, CVE-2019-0752, CVE-2019-0753, CVE-2019-0862) as part of its Patch Tuesday cycle. These flaws were particularly significant because they could be triggered simply by rendering a malicious web page, with no additional user action beyond normal browsing.

Root Cause — CWE-843 (Type Confusion)

The vulnerability is classified under CWE-843: Access of Resource Using Incompatible Type ('Type Confusion').

In the scripting engine, objects are referenced through pointers that carry implicit type assumptions. A type confusion occurs when the engine mistakenly treats a memory object as a different type than what was actually allocated. This can happen when:

  • Object type checks are bypassed or improperly ordered
  • A pointer is reused after its underlying object has been freed and reallocated (use-after-free chain leading to type confusion)
  • JIT-compiled code makes optimistic type assumptions without adequate guards

When the engine operates on a confused type, it may read or write memory at attacker-controlled offsets, leading to out-of-bounds access, vtable hijacking, and ultimately arbitrary code execution.

Impact

The CVSS metrics reflect a serious but constrained threat:

  • Network attack vector (AV:N): The vulnerability can be exploited remotely.
  • High attack complexity (AC:H): Successful exploitation requires specific conditions, such as bypassing mitigations like Control Flow Guard (CFG) or ASLR.
  • User interaction required (UI:R): The victim must actively navigate to a malicious page or open a crafted document.
  • High confidentiality, integrity, and availability impact (C:H/I:H/A:H): A successful exploit grants the attacker full control over the browser process, enabling data theft, malware installation, or lateral movement.

Because the exploit runs in the user's security context, any restrictions applied to the user account also apply to the attacker. However, users with administrative rights would enable the attacker to take complete control of the affected system.

Exploitation Walkthrough (Defensive Perspective)

Ethics caveat: This section describes the exploitation approach from a defender's understanding only. No weaponized exploit code is provided. Organizations should use this knowledge to improve detection and mitigation, not to develop attacks.

An exploitation chain typically proceeds as follows:

  1. Initial delivery: The attacker hosts a malicious web page or embeds a malicious ActiveX control in a document. Delivery vectors include spear-phishing emails, compromised websites, or malvertising.
  2. Triggering the vulnerability: When Internet Explorer parses and executes the crafted JavaScript, the scripting engine creates objects with carefully arranged memory layouts. A sequence of operations (often involving JIT type transitions, prototype manipulation, or array reallocation) forces a type confusion.
  3. Memory corruption: With a confused type, the attacker gains a read/write primitive in the browser process address space. Modern exploit chains typically then bypass ASLR by leaking a pointer and bypass DEP/CFG through a ROP/JOP chain or by corrupting a trusted pointer.
  4. Payload execution: Arbitrary shellcode executes within the renderer process. In modern IE/EdgeHTML with sandboxing, the attacker may need a separate sandbox escape vulnerability to achieve full system compromise.

From a defender's standpoint, the key observation is that exploitation always begins with untrusted web content being rendered by Internet Explorer's scripting engine.

Affected and Patched Versions

The following Microsoft products and configurations were confirmed vulnerable:

Affected Software

  • Internet Explorer 10
  • Internet Explorer 11

Affected Operating Systems

  • Windows 7 SP1
  • Windows 8.1
  • Windows RT 8.1
  • Windows 10 (versions 1507, 1607, 1703, 1709, 1803, 1809)
  • Windows Server 2008 R2 SP1
  • Windows Server 2012
  • Windows Server 2012 R2
  • Windows Server 2016
  • Windows Server 2019

Patched versions were released by Microsoft on April 9, 2019 as part of the monthly security update cycle. Specific KB numbers are available in the Microsoft Security Guidance reference below.

Remediation

Immediate Actions

  1. Apply the April 2019 Microsoft security updates (or any subsequent cumulative update that supersedes them) to all affected systems.
  2. Prioritize workstations where Internet Explorer is still used for legacy applications or where users have administrative privileges.
  3. Consider disabling Internet Explorer where it is not required for business operations. Microsoft Edge (Chromium-based) or other modern browsers should be used for general web browsing.

Compensating Controls

  • Disable ActiveX and scripting in the Internet Zone via Group Policy if legacy compatibility permits.
  • Enable Enhanced Protected Mode and 64-bit tab processes where supported.
  • Deploy application whitelisting (e.g., AppLocker, WDAC) to prevent execution of untrusted code even if the browser is compromised.
  • Use Microsoft Defender Application Guard for Edge (on supported editions) to isolate untrusted browsing sessions.

Detection

Defenders should monitor for:

  • Anomalous Internet Explorer processes spawning child processes (e.g., powershell.exe, cmd.exe, wscript.exe), especially with command-line arguments indicative of payload retrieval.
  • Suspicious JavaScript patterns in proxy or web logs, including heavily obfuscated scripts, prototype pollution techniques, or repeated JIT deoptimization events.
  • Memory corruption crash events in the Windows Event Log (Application Error events for iexplore.exe with faulting modules in jscript9.dll, chakra.dll, or related DLLs).
  • CISA KEV catalog alignment: Because this CVE is confirmed exploited in the wild (since 2022-02-15), any unpatched system should be treated as actively at risk.

Assessment

CVE-2019-0752 is a high-severity, actively exploited vulnerability with an exceptionally high EPSS score (0.81551, placing it in the 99.6th percentile of all CVEs). Its inclusion in both the CISA KEV catalog and the EU Vulnerability Database (EUVD-2019-1511) confirms that threat actors have operationalized this flaw.

Key lessons:

  1. Legacy browsers are high-risk attack surfaces: Internet Explorer's continued presence in enterprise environments, often for compatibility reasons, creates a persistent exposure window. Organizations should accelerate migration plans.
  2. EPSS and KEV together drive prioritization: The combination of a high EPSS probability and confirmed in-the-wild exploitation makes this a clear "patch immediately" candidate, even years after its initial disclosure. Organizations using risk-based vulnerability management should weight KEV and EU-exploited flags heavily in their scoring models.

References

Frequently asked questions

What is CVE-2019-0752?
A remote code execution vulnerability exists in the way that the scripting engine handles objects in memory in Internet Explorer, aka 'Scripting Engine Memory Corruption Vulnerability'. This CVE ID is unique from CVE-2019-0739, CVE-2019-0753, CVE-2019-0862.
How severe is CVE-2019-0752?
CVE-2019-0752 has a CVSS 3.x base score of 7.5, rated high severity. It is exploitable over network with high attack complexity, requires no privileges and user interaction. Impact on confidentiality is high, integrity high, and availability high.
Is CVE-2019-0752 being actively exploited?
Yes. CVE-2019-0752 is on CISA's Known Exploited Vulnerabilities (KEV) catalog, added on 2022-02-15, which means active exploitation has been confirmed. It should be prioritised for remediation.
What products are affected by CVE-2019-0752?
CVE-2019-0752 primarily affects Microsoft Internet Explorer. In total, 2 product configurations (CPEs) are listed as vulnerable; see the affected-products list for the exact versions.
How do I fix CVE-2019-0752?
Review the linked vendor and NVD advisories for patched versions and mitigations, then upgrade or apply the recommended workaround. Because this CVE is known to be actively exploited, treat remediation as urgent — CISA KEV typically sets a short remediation deadline.
Does CVE-2019-0752 have an EU (EUVD) identifier?
Yes. CVE-2019-0752 is tracked in the ENISA EU Vulnerability Database (EUVD) as EUVD-2019-1511. It is also flagged as exploited in the EUVD (since 2022-02-15).
When was CVE-2019-0752 published?
CVE-2019-0752 was published on 2019-04-09 and last updated on 2026-06-17.

References

Affected products (2)

More vulnerabilities in Microsoft Internet Explorer

All CVEs affecting Microsoft Internet Explorer →

Other CWE-843 vulnerabilities

Browse all CWE-843 vulnerabilities →