CVE-2019-1367

CVE-2019-1367 is a high-severity vulnerability in Microsoft Internet Explorer with a CVSS 3.x base score of 7.5. It is listed in CISA's Known Exploited Vulnerabilities (KEV) catalog, confirming it has been exploited in the wild (added 2021-11-03). The underlying weakness is classified as CWE-787.

Key facts

Description

A remote code execution vulnerability exists in the way that the scripting engine handles objects in memory in Internet Explorer, aka 'Scripting Engine Memory Corruption Vulnerability'. This CVE ID is unique from CVE-2019-1221.

CVE-2019-1367: Internet Explorer Scripting Engine Memory Corruption Vulnerability

AI-generated analysis based on the vulnerability data on this page.

Summary

CVE-2019-1367 is a remote code execution vulnerability residing in the scripting engine of Internet Explorer. The flaw stems from improper memory handling when the engine processes objects, enabling an attacker to achieve arbitrary code execution in the context of the current user.

Background

In September 2019, Microsoft disclosed a critical memory corruption issue affecting the scripting engine shipped with multiple versions of Internet Explorer. Because Internet Explorer remains a core component in several enterprise environments and is deeply integrated with the Windows operating system, vulnerabilities in its rendering and scripting stack carry broad attack-surface implications even on systems where the browser is not the default.

Root Cause

The underlying weakness is classified as CWE-787: Out-of-bounds Write. The scripting engine fails to properly validate boundaries when handling objects in memory. Consequently, an attacker can trigger a write outside the intended buffer boundary, corrupting adjacent memory structures and hijacking control flow. This class of bug is typical in legacy COM-based scripting engines where complex object lifetime management and legacy memory allocators interact.

Impact

Microsoft assigned this vulnerability a CVSS v2 score of 7.6 (AV:N/AC:H/Au:N/C:C/I:C/A:C) and a CVSS v3.1 score of 7.5 (AV:N/AC:H/PR:N/UI:R/S:U/C:H/I:H/A:H). The metrics reflect that while exploitation requires high attack complexity and user interaction—typically convincing a victim to visit a malicious web page or open a crafted HTML e-mail attachment—successful exploitation grants complete control over confidentiality, integrity, and availability within the victim user's security context. In enterprise settings where users possess local administrator privileges, this can rapidly escalate to full system compromise.

Exploitation Walkthrough

Defensive Perspective Only — No Weaponized Code

Attackers typically embed malicious scripts inside specially crafted web pages or HTML documents delivered through phishing e-mails, compromised legitimate sites, or malicious advertisements. When a victim opens the content in a vulnerable Internet Explorer version, the scripting engine processes malformed objects that trigger the out-of-bounds write. Corrupting memory structures such as virtual function tables or heap metadata allows redirection of execution to attacker-controlled shellcode.

Ethics Caveat: The details above are intentionally generic. Security practitioners should use this understanding to improve detection and patching priorities, not to construct or distribute working exploits.

Affected and Patched Versions

The vulnerability affects Internet Explorer 9, 10, and 11 running on a wide range of Windows platforms, including:

  • Windows 7 SP1
  • Windows 8.1 and Windows RT 8.1
  • Windows 10 (versions 1607, 1703, 1709, 1803, 1809, 1903)
  • Windows Server 2008 SP2 and R2 SP1
  • Windows Server 2012 and 2012 R2
  • Windows Server 2016
  • Windows Server 2019

Microsoft released security updates addressing this flaw in their September 2019 Patch Tuesday release. Specific patch levels correspond to the cumulative updates available through Microsoft Update and the Microsoft Security Response Center advisory.

Remediation

  1. Apply Microsoft Security Updates: Install the relevant September 2019 (or later) cumulative security updates for Internet Explorer and the underlying Windows platform.
  2. Disable Internet Explorer Where Possible: Organizations should accelerate migration to Microsoft Edge or other supported browsers and disable Internet Explorer via Windows Features where business compatibility allows.
  3. Application Whitelisting: Enforce application control policies to prevent unauthorized browser processes or scripting hosts from executing.
  4. User Account Control: Ensure users operate with standard rather than administrative privileges to reduce the impact of successful exploitation.
  5. E-mail Filtering: Block HTML attachments and restrict active content in e-mails at the gateway level.

Detection

Defenders can monitor for:

  • Unexpected crashes in iexplore.exe or mshtml.dll followed by anomalous child processes.
  • Suspicious script execution inside Internet Explorer originating from untrusted zones or temporary internet files.
  • Network connections from iexplore.exe to rare or newly registered domains immediately after rendering HTML content.
  • Endpoint detection rules targeting memory-corruption indicators in legacy Trident/MSHTML components.

Assessment

With an EPSS score of 0.52729 (approximately 52.7% probability of exploitation in the wild) and a percentile ranking near 98.8%, this vulnerability sits in the highest risk tier. Its inclusion in the CISA Known Exploited Vulnerabilities catalog and the EU Exploited Vulnerabilities Database (since November 2021) confirms active, real-world exploitation. The high EPSS combined with confirmed KEV status means this flaw should be treated as an existential patch priority for any environment still running affected Internet Explorer versions.

Key Lessons:

  1. Legacy browser stacks accumulate critical debt. Even browsers relegated to "compatibility mode" can expose the entire host to RCE when used to render untrusted content.
  2. EPSS and KEV together sharpen triage. A CVSS 7.5 alone might not trigger emergency patching in every organization, but an EPSS above 0.5 and active KEV status removes any ambiguity about urgency.

References

Frequently asked questions

What is CVE-2019-1367?
A remote code execution vulnerability exists in the way that the scripting engine handles objects in memory in Internet Explorer, aka 'Scripting Engine Memory Corruption Vulnerability'. This CVE ID is unique from CVE-2019-1221.
How severe is CVE-2019-1367?
CVE-2019-1367 has a CVSS 3.x base score of 7.5, rated high severity. It is exploitable over network with high attack complexity, requires no privileges and user interaction. Impact on confidentiality is high, integrity high, and availability high.
Is CVE-2019-1367 being actively exploited?
Yes. CVE-2019-1367 is on CISA's Known Exploited Vulnerabilities (KEV) catalog, added on 2021-11-03, which means active exploitation has been confirmed. It should be prioritised for remediation.
What products are affected by CVE-2019-1367?
CVE-2019-1367 primarily affects Microsoft Internet Explorer. In total, 3 product configurations (CPEs) are listed as vulnerable; see the affected-products list for the exact versions.
How do I fix CVE-2019-1367?
Review the linked vendor and NVD advisories for patched versions and mitigations, then upgrade or apply the recommended workaround. Because this CVE is known to be actively exploited, treat remediation as urgent — CISA KEV typically sets a short remediation deadline.
Does CVE-2019-1367 have an EU (EUVD) identifier?
Yes. CVE-2019-1367 is tracked in the ENISA EU Vulnerability Database (EUVD) as EUVD-2019-9924. It is also flagged as exploited in the EUVD (since 2021-11-03).
When was CVE-2019-1367 published?
CVE-2019-1367 was published on 2019-09-23 and last updated on 2026-06-17.

References

Affected products (3)

More vulnerabilities in Microsoft Internet Explorer

All CVEs affecting Microsoft Internet Explorer →

Other CWE-787 (Out-of-bounds Write) vulnerabilities

Browse all CWE-787 (Out-of-bounds Write) vulnerabilities →