CVE-2019-0752
CVE-2019-0752 is a high-severity vulnerability in Microsoft Internet Explorer with a CVSS 3.x base score of 7.5. It is listed in CISA's Known Exploited Vulnerabilities (KEV) catalog, confirming it has been exploited in the wild (added 2022-02-15). The underlying weakness is classified as CWE-843.
Key facts
- Severity: High (CVSS 3.x base score 7.5)
- CVSS v2: 7.6
- EPSS exploit prediction: 82% (100th percentile)
- Actively exploited: Yes — listed in CISA KEV (added 2022-02-15)
- EU (EUVD) id: EUVD-2019-1511
- EU exploitation: Flagged exploited in the ENISA EU Vulnerability Database (since 2022-02-15)
- Weakness: CWE-843
- Affected product: Microsoft Internet Explorer
- Published:
- Last modified:
Description
A remote code execution vulnerability exists in the way that the scripting engine handles objects in memory in Internet Explorer, aka 'Scripting Engine Memory Corruption Vulnerability'. This CVE ID is unique from CVE-2019-0739, CVE-2019-0753, CVE-2019-0862.
CVE-2019-0752: Internet Explorer Scripting Engine Type Confusion RCE
AI-generated analysis based on the vulnerability data on this page.
| Attribute | Value |
|---|---|
| CVE ID | CVE-2019-0752 |
| CWE | CWE-843 — Type Confusion |
| CVSS v2 | 7.6 (High) — AV:N/AC:H/Au:N/C:C/I:C/A:C |
| CVSS v3 | 7.5 (High) — CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:U/C:H/I:H/A:H |
| EPSS | 0.81551 (99.60th percentile) |
| KEV | Listed since 2022-02-15 |
| EU Exploited | Yes — EUVD-2019-1511 |
| Published | 2019-04-09 |
| Assigner | Microsoft Security Response Center |
Summary
CVE-2019-0752 is a remote code execution vulnerability in the scripting engine of Internet Explorer. It arises from a type confusion condition when the engine handles objects in memory, enabling an attacker to corrupt memory and execute arbitrary code in the context of the current user. This vulnerability is one of a cluster of related scripting engine memory corruption issues disclosed by Microsoft in April 2019.
Background
Internet Explorer's scripting engine (formerly JScript/JScript9/Chakra) is responsible for executing JavaScript and other active content within web pages. The engine manages complex object lifecycles, type checking, and memory allocations. In 2019, Microsoft patched multiple memory corruption flaws in this component (CVE-2019-0739, CVE-2019-0752, CVE-2019-0753, CVE-2019-0862) as part of its Patch Tuesday cycle. These flaws were particularly significant because they could be triggered simply by rendering a malicious web page, with no additional user action beyond normal browsing.
Root Cause — CWE-843 (Type Confusion)
The vulnerability is classified under CWE-843: Access of Resource Using Incompatible Type ('Type Confusion').
In the scripting engine, objects are referenced through pointers that carry implicit type assumptions. A type confusion occurs when the engine mistakenly treats a memory object as a different type than what was actually allocated. This can happen when:
- Object type checks are bypassed or improperly ordered
- A pointer is reused after its underlying object has been freed and reallocated (use-after-free chain leading to type confusion)
- JIT-compiled code makes optimistic type assumptions without adequate guards
When the engine operates on a confused type, it may read or write memory at attacker-controlled offsets, leading to out-of-bounds access, vtable hijacking, and ultimately arbitrary code execution.
Impact
The CVSS metrics reflect a serious but constrained threat:
- Network attack vector (AV:N): The vulnerability can be exploited remotely.
- High attack complexity (AC:H): Successful exploitation requires specific conditions, such as bypassing mitigations like Control Flow Guard (CFG) or ASLR.
- User interaction required (UI:R): The victim must actively navigate to a malicious page or open a crafted document.
- High confidentiality, integrity, and availability impact (C:H/I:H/A:H): A successful exploit grants the attacker full control over the browser process, enabling data theft, malware installation, or lateral movement.
Because the exploit runs in the user's security context, any restrictions applied to the user account also apply to the attacker. However, users with administrative rights would enable the attacker to take complete control of the affected system.
Exploitation Walkthrough (Defensive Perspective)
Ethics caveat: This section describes the exploitation approach from a defender's understanding only. No weaponized exploit code is provided. Organizations should use this knowledge to improve detection and mitigation, not to develop attacks.
An exploitation chain typically proceeds as follows:
- Initial delivery: The attacker hosts a malicious web page or embeds a malicious ActiveX control in a document. Delivery vectors include spear-phishing emails, compromised websites, or malvertising.
- Triggering the vulnerability: When Internet Explorer parses and executes the crafted JavaScript, the scripting engine creates objects with carefully arranged memory layouts. A sequence of operations (often involving JIT type transitions, prototype manipulation, or array reallocation) forces a type confusion.
- Memory corruption: With a confused type, the attacker gains a read/write primitive in the browser process address space. Modern exploit chains typically then bypass ASLR by leaking a pointer and bypass DEP/CFG through a ROP/JOP chain or by corrupting a trusted pointer.
- Payload execution: Arbitrary shellcode executes within the renderer process. In modern IE/EdgeHTML with sandboxing, the attacker may need a separate sandbox escape vulnerability to achieve full system compromise.
From a defender's standpoint, the key observation is that exploitation always begins with untrusted web content being rendered by Internet Explorer's scripting engine.
Affected and Patched Versions
The following Microsoft products and configurations were confirmed vulnerable:
Affected Software
- Internet Explorer 10
- Internet Explorer 11
Affected Operating Systems
- Windows 7 SP1
- Windows 8.1
- Windows RT 8.1
- Windows 10 (versions 1507, 1607, 1703, 1709, 1803, 1809)
- Windows Server 2008 R2 SP1
- Windows Server 2012
- Windows Server 2012 R2
- Windows Server 2016
- Windows Server 2019
Patched versions were released by Microsoft on April 9, 2019 as part of the monthly security update cycle. Specific KB numbers are available in the Microsoft Security Guidance reference below.
Remediation
Immediate Actions
- Apply the April 2019 Microsoft security updates (or any subsequent cumulative update that supersedes them) to all affected systems.
- Prioritize workstations where Internet Explorer is still used for legacy applications or where users have administrative privileges.
- Consider disabling Internet Explorer where it is not required for business operations. Microsoft Edge (Chromium-based) or other modern browsers should be used for general web browsing.
Compensating Controls
- Disable ActiveX and scripting in the Internet Zone via Group Policy if legacy compatibility permits.
- Enable Enhanced Protected Mode and 64-bit tab processes where supported.
- Deploy application whitelisting (e.g., AppLocker, WDAC) to prevent execution of untrusted code even if the browser is compromised.
- Use Microsoft Defender Application Guard for Edge (on supported editions) to isolate untrusted browsing sessions.
Detection
Defenders should monitor for:
- Anomalous Internet Explorer processes spawning child processes (e.g.,
powershell.exe,cmd.exe,wscript.exe), especially with command-line arguments indicative of payload retrieval. - Suspicious JavaScript patterns in proxy or web logs, including heavily obfuscated scripts, prototype pollution techniques, or repeated JIT deoptimization events.
- Memory corruption crash events in the Windows Event Log (Application Error events for
iexplore.exewith faulting modules injscript9.dll,chakra.dll, or related DLLs). - CISA KEV catalog alignment: Because this CVE is confirmed exploited in the wild (since 2022-02-15), any unpatched system should be treated as actively at risk.
Assessment
CVE-2019-0752 is a high-severity, actively exploited vulnerability with an exceptionally high EPSS score (0.81551, placing it in the 99.6th percentile of all CVEs). Its inclusion in both the CISA KEV catalog and the EU Vulnerability Database (EUVD-2019-1511) confirms that threat actors have operationalized this flaw.
Key lessons:
- Legacy browsers are high-risk attack surfaces: Internet Explorer's continued presence in enterprise environments, often for compatibility reasons, creates a persistent exposure window. Organizations should accelerate migration plans.
- EPSS and KEV together drive prioritization: The combination of a high EPSS probability and confirmed in-the-wild exploitation makes this a clear "patch immediately" candidate, even years after its initial disclosure. Organizations using risk-based vulnerability management should weight KEV and EU-exploited flags heavily in their scoring models.
References
- https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2019-0752
- https://www.cisa.gov/known-exploited-vulnerabilities-catalog?field_cve=CVE-2019-0752
- https://www.zerodayinitiative.com/advisories/ZDI-19-359/
- http://packetstormsecurity.com/files/153078/Microsoft-Internet-Explorer-Windows-10-1809-17763.316-Memory-Corruption.html
Frequently asked questions
- What is CVE-2019-0752?
- A remote code execution vulnerability exists in the way that the scripting engine handles objects in memory in Internet Explorer, aka 'Scripting Engine Memory Corruption Vulnerability'. This CVE ID is unique from CVE-2019-0739, CVE-2019-0753, CVE-2019-0862.
- How severe is CVE-2019-0752?
- CVE-2019-0752 has a CVSS 3.x base score of 7.5, rated high severity. It is exploitable over network with high attack complexity, requires no privileges and user interaction. Impact on confidentiality is high, integrity high, and availability high.
- Is CVE-2019-0752 being actively exploited?
- Yes. CVE-2019-0752 is on CISA's Known Exploited Vulnerabilities (KEV) catalog, added on 2022-02-15, which means active exploitation has been confirmed. It should be prioritised for remediation.
- What products are affected by CVE-2019-0752?
- CVE-2019-0752 primarily affects Microsoft Internet Explorer. In total, 2 product configurations (CPEs) are listed as vulnerable; see the affected-products list for the exact versions.
- How do I fix CVE-2019-0752?
- Review the linked vendor and NVD advisories for patched versions and mitigations, then upgrade or apply the recommended workaround. Because this CVE is known to be actively exploited, treat remediation as urgent — CISA KEV typically sets a short remediation deadline.
- Does CVE-2019-0752 have an EU (EUVD) identifier?
- Yes. CVE-2019-0752 is tracked in the ENISA EU Vulnerability Database (EUVD) as EUVD-2019-1511. It is also flagged as exploited in the EUVD (since 2022-02-15).
- When was CVE-2019-0752 published?
- CVE-2019-0752 was published on 2019-04-09 and last updated on 2026-06-17.
References
- http://packetstormsecurity.com/files/153078/Microsoft-Internet-Explorer-Windows-10-1809-17763.316-Memory-Corruption.html
- https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2019-0752
- https://www.zerodayinitiative.com/advisories/ZDI-19-359/
- https://www.cisa.gov/known-exploited-vulnerabilities-catalog?field_cve=CVE-2019-0752
Affected products (2)
- cpe:2.3:a:microsoft:internet_explorer:11:-:*:*:*:*:*:*
- cpe:2.3:a:microsoft:internet_explorer:10:*:*:*:*:*:*:*
More vulnerabilities in Microsoft Internet Explorer
- CVE-2014-1764 — Critical (CVSS 10.0): Microsoft Internet Explorer 7 through 11 allows remote attackers to execute arbitrary code and bypass a sandbox…
- CVE-2014-1763 — Critical (CVSS 10.0): Use-after-free vulnerability in Microsoft Internet Explorer 9 through 11 allows remote attackers to execute arbitrary…
- CVE-2010-1118 — Critical (CVSS 10.0): Unspecified vulnerability in Internet Explorer 8 on Microsoft Windows 7 allows remote attackers to execute arbitrary…
- CVE-2009-1918 — Critical (CVSS 10.0): Microsoft Internet Explorer 5.01 SP4 and 6 SP1; Internet Explorer 6 for Windows XP SP2 and SP3 and Server 2003 SP2; and…
- CVE-2009-1043 — Critical (CVSS 10.0): Unspecified vulnerability in Microsoft Internet Explorer 8 on Windows 7 allows remote attackers to execute arbitrary…
- CVE-2007-3341 — Critical (CVSS 10.0): Unspecified vulnerability in the FTP implementation in Microsoft Internet Explorer allows remote attackers to "see a…
All CVEs affecting Microsoft Internet Explorer →
Other CWE-843 vulnerabilities
- CVE-2021-33970 — Critical (CVSS 10.0): Buffer Overflow vulnerability in Qihoo 360 Chrome v13.0.2170.0 allows attacker to escalate priveleges.
- CVE-2010-2299 — Critical (CVSS 10.0): The Clipboard::DispatchObject function in app/clipboard/clipboard.cc in Google Chrome before 5.0.375.70 does not…
- CVE-2023-22579 — Critical (CVSS 9.9): Due to improper parameter filtering in the sequalize js library, can a attacker peform injection.
- CVE-2026-13776 — Critical (CVSS 9.8): Type Confusion in Dawn in Google Chrome prior to 150.0.7871.47 allowed a remote attacker who had compromised the…
- CVE-2026-43038 — Critical (CVSS 9.8): In the Linux kernel, the following vulnerability has been resolved: ipv6: icmp: clear skb2->cb[] in…
- CVE-2025-70023 — Critical (CVSS 9.8): An issue pertaining to CWE-843: Access of Resource Using Incompatible Type was discovered in transloadit uppy v0.25.6.