CVE-2019-1367
CVE-2019-1367 is a high-severity vulnerability in Microsoft Internet Explorer with a CVSS 3.x base score of 7.5. It is listed in CISA's Known Exploited Vulnerabilities (KEV) catalog, confirming it has been exploited in the wild (added 2021-11-03). The underlying weakness is classified as CWE-787.
Key facts
- Severity: High (CVSS 3.x base score 7.5)
- CVSS v2: 7.6
- EPSS exploit prediction: 53% (99th percentile)
- Actively exploited: Yes — listed in CISA KEV (added 2021-11-03)
- EU (EUVD) id: EUVD-2019-9924
- EU exploitation: Flagged exploited in the ENISA EU Vulnerability Database (since 2021-11-03)
- Weakness: CWE-787
- Affected product: Microsoft Internet Explorer
- Published:
- Last modified:
Description
A remote code execution vulnerability exists in the way that the scripting engine handles objects in memory in Internet Explorer, aka 'Scripting Engine Memory Corruption Vulnerability'. This CVE ID is unique from CVE-2019-1221.
CVE-2019-1367: Internet Explorer Scripting Engine Memory Corruption Vulnerability
AI-generated analysis based on the vulnerability data on this page.
Summary
CVE-2019-1367 is a remote code execution vulnerability residing in the scripting engine of Internet Explorer. The flaw stems from improper memory handling when the engine processes objects, enabling an attacker to achieve arbitrary code execution in the context of the current user.
Background
In September 2019, Microsoft disclosed a critical memory corruption issue affecting the scripting engine shipped with multiple versions of Internet Explorer. Because Internet Explorer remains a core component in several enterprise environments and is deeply integrated with the Windows operating system, vulnerabilities in its rendering and scripting stack carry broad attack-surface implications even on systems where the browser is not the default.
Root Cause
The underlying weakness is classified as CWE-787: Out-of-bounds Write. The scripting engine fails to properly validate boundaries when handling objects in memory. Consequently, an attacker can trigger a write outside the intended buffer boundary, corrupting adjacent memory structures and hijacking control flow. This class of bug is typical in legacy COM-based scripting engines where complex object lifetime management and legacy memory allocators interact.
Impact
Microsoft assigned this vulnerability a CVSS v2 score of 7.6 (AV:N/AC:H/Au:N/C:C/I:C/A:C) and a CVSS v3.1 score of 7.5 (AV:N/AC:H/PR:N/UI:R/S:U/C:H/I:H/A:H). The metrics reflect that while exploitation requires high attack complexity and user interaction—typically convincing a victim to visit a malicious web page or open a crafted HTML e-mail attachment—successful exploitation grants complete control over confidentiality, integrity, and availability within the victim user's security context. In enterprise settings where users possess local administrator privileges, this can rapidly escalate to full system compromise.
Exploitation Walkthrough
Defensive Perspective Only — No Weaponized Code
Attackers typically embed malicious scripts inside specially crafted web pages or HTML documents delivered through phishing e-mails, compromised legitimate sites, or malicious advertisements. When a victim opens the content in a vulnerable Internet Explorer version, the scripting engine processes malformed objects that trigger the out-of-bounds write. Corrupting memory structures such as virtual function tables or heap metadata allows redirection of execution to attacker-controlled shellcode.
Ethics Caveat: The details above are intentionally generic. Security practitioners should use this understanding to improve detection and patching priorities, not to construct or distribute working exploits.
Affected and Patched Versions
The vulnerability affects Internet Explorer 9, 10, and 11 running on a wide range of Windows platforms, including:
- Windows 7 SP1
- Windows 8.1 and Windows RT 8.1
- Windows 10 (versions 1607, 1703, 1709, 1803, 1809, 1903)
- Windows Server 2008 SP2 and R2 SP1
- Windows Server 2012 and 2012 R2
- Windows Server 2016
- Windows Server 2019
Microsoft released security updates addressing this flaw in their September 2019 Patch Tuesday release. Specific patch levels correspond to the cumulative updates available through Microsoft Update and the Microsoft Security Response Center advisory.
Remediation
- Apply Microsoft Security Updates: Install the relevant September 2019 (or later) cumulative security updates for Internet Explorer and the underlying Windows platform.
- Disable Internet Explorer Where Possible: Organizations should accelerate migration to Microsoft Edge or other supported browsers and disable Internet Explorer via Windows Features where business compatibility allows.
- Application Whitelisting: Enforce application control policies to prevent unauthorized browser processes or scripting hosts from executing.
- User Account Control: Ensure users operate with standard rather than administrative privileges to reduce the impact of successful exploitation.
- E-mail Filtering: Block HTML attachments and restrict active content in e-mails at the gateway level.
Detection
Defenders can monitor for:
- Unexpected crashes in
iexplore.exeormshtml.dllfollowed by anomalous child processes. - Suspicious script execution inside Internet Explorer originating from untrusted zones or temporary internet files.
- Network connections from
iexplore.exeto rare or newly registered domains immediately after rendering HTML content. - Endpoint detection rules targeting memory-corruption indicators in legacy Trident/MSHTML components.
Assessment
With an EPSS score of 0.52729 (approximately 52.7% probability of exploitation in the wild) and a percentile ranking near 98.8%, this vulnerability sits in the highest risk tier. Its inclusion in the CISA Known Exploited Vulnerabilities catalog and the EU Exploited Vulnerabilities Database (since November 2021) confirms active, real-world exploitation. The high EPSS combined with confirmed KEV status means this flaw should be treated as an existential patch priority for any environment still running affected Internet Explorer versions.
Key Lessons:
- Legacy browser stacks accumulate critical debt. Even browsers relegated to "compatibility mode" can expose the entire host to RCE when used to render untrusted content.
- EPSS and KEV together sharpen triage. A CVSS 7.5 alone might not trigger emergency patching in every organization, but an EPSS above 0.5 and active KEV status removes any ambiguity about urgency.
References
Frequently asked questions
- What is CVE-2019-1367?
- A remote code execution vulnerability exists in the way that the scripting engine handles objects in memory in Internet Explorer, aka 'Scripting Engine Memory Corruption Vulnerability'. This CVE ID is unique from CVE-2019-1221.
- How severe is CVE-2019-1367?
- CVE-2019-1367 has a CVSS 3.x base score of 7.5, rated high severity. It is exploitable over network with high attack complexity, requires no privileges and user interaction. Impact on confidentiality is high, integrity high, and availability high.
- Is CVE-2019-1367 being actively exploited?
- Yes. CVE-2019-1367 is on CISA's Known Exploited Vulnerabilities (KEV) catalog, added on 2021-11-03, which means active exploitation has been confirmed. It should be prioritised for remediation.
- What products are affected by CVE-2019-1367?
- CVE-2019-1367 primarily affects Microsoft Internet Explorer. In total, 3 product configurations (CPEs) are listed as vulnerable; see the affected-products list for the exact versions.
- How do I fix CVE-2019-1367?
- Review the linked vendor and NVD advisories for patched versions and mitigations, then upgrade or apply the recommended workaround. Because this CVE is known to be actively exploited, treat remediation as urgent — CISA KEV typically sets a short remediation deadline.
- Does CVE-2019-1367 have an EU (EUVD) identifier?
- Yes. CVE-2019-1367 is tracked in the ENISA EU Vulnerability Database (EUVD) as EUVD-2019-9924. It is also flagged as exploited in the EUVD (since 2021-11-03).
- When was CVE-2019-1367 published?
- CVE-2019-1367 was published on 2019-09-23 and last updated on 2026-06-17.
References
- https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2019-1367
- https://www.cisa.gov/known-exploited-vulnerabilities-catalog?field_cve=CVE-2019-1367
Affected products (3)
- cpe:2.3:a:microsoft:internet_explorer:10:*:*:*:*:*:*:*
- cpe:2.3:a:microsoft:internet_explorer:11:-:*:*:*:*:*:*
- cpe:2.3:a:microsoft:internet_explorer:9:*:*:*:*:*:*:*
More vulnerabilities in Microsoft Internet Explorer
- CVE-2014-1764 — Critical (CVSS 10.0): Microsoft Internet Explorer 7 through 11 allows remote attackers to execute arbitrary code and bypass a sandbox…
- CVE-2014-1763 — Critical (CVSS 10.0): Use-after-free vulnerability in Microsoft Internet Explorer 9 through 11 allows remote attackers to execute arbitrary…
- CVE-2010-1118 — Critical (CVSS 10.0): Unspecified vulnerability in Internet Explorer 8 on Microsoft Windows 7 allows remote attackers to execute arbitrary…
- CVE-2009-1918 — Critical (CVSS 10.0): Microsoft Internet Explorer 5.01 SP4 and 6 SP1; Internet Explorer 6 for Windows XP SP2 and SP3 and Server 2003 SP2; and…
- CVE-2009-1043 — Critical (CVSS 10.0): Unspecified vulnerability in Microsoft Internet Explorer 8 on Windows 7 allows remote attackers to execute arbitrary…
- CVE-2007-3341 — Critical (CVSS 10.0): Unspecified vulnerability in the FTP implementation in Microsoft Internet Explorer allows remote attackers to "see a…
All CVEs affecting Microsoft Internet Explorer →
Other CWE-787 (Out-of-bounds Write) vulnerabilities
- CVE-2026-42369 — Critical (CVSS 10.0): GV-VMS V20 is a Video Monitoring Software used to gather the feeds of many surveillance cameras and manage other…
- CVE-2026-4746 — Critical (CVSS 10.0): Out-of-bounds Write vulnerability in timeplus-io proton (base/poco/Foundation/src modules). This vulnerability is…
- CVE-2025-43300 — Critical (CVSS 10.0): An out-of-bounds write issue was addressed with improved bounds checking. This issue is fixed in iOS 15.8.5 and iPadOS…
- CVE-2025-24201 — Critical (CVSS 10.0): An out-of-bounds write issue was addressed with improved checks to prevent unauthorized actions. This issue is fixed in…
- CVE-2024-42479 — Critical (CVSS 10.0): llama.cpp provides LLM inference in C/C++. The unsafe `data` pointer member in the `rpc_tensor` structure can cause…
- CVE-2024-39791 — Critical (CVSS 10.0): Stack-based buffer overflow vulnerabilities affecting Vonets industrial wifi bridge relays and wifi bridge…