CVE-2021-26411
CVE-2021-26411 is a high-severity vulnerability in Microsoft Edge with a CVSS 3.x base score of 8.8. It is listed in CISA's Known Exploited Vulnerabilities (KEV) catalog, confirming it has been exploited in the wild (added 2021-11-03). The underlying weakness is classified as CWE-416.
Key facts
- Severity: High (CVSS 3.x base score 8.8)
- CVSS v2: 5.1
- EPSS exploit prediction: 81% (100th percentile)
- Actively exploited: Yes — listed in CISA KEV (added 2021-11-03)
- EU (EUVD) id: EUVD-2021-13217
- EU exploitation: Flagged exploited in the ENISA EU Vulnerability Database (since 2021-11-03)
- Weakness: CWE-416
- Affected product: Microsoft Edge
- Published:
- Last modified:
Description
Internet Explorer Memory Corruption Vulnerability
CVE-2021-26411: Internet Explorer Use-After-Free Memory Corruption (CISA KEV)
AI-generated analysis based on the vulnerability data on this page.
| Field | Value |
|---|---|
| CVE ID | CVE-2021-26411 |
| CWE | CWE-416: Use After Free |
| CVSS v3.1 | 8.8 (HIGH) — AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:H/A:L |
| CVSS v2 | 5.1 — AV:N/AC:H/Au:N/C:P/I:P/A:P |
| EPSS | 81.10% (0.99588 percentile) |
| CISA KEV | Added 2021-11-03 |
| EUVD | EUVD-2021-13217 |
| Published | 2021-03-11 |
| Source | Microsoft MSRC / NVD |
Summary
CVE-2021-26411 is a use-after-free (UAF) vulnerability in Internet Explorer's scripting engine. A remote attacker can trigger memory corruption by convincing a user to visit a malicious web page or open a specially crafted document that instantiates the IE rendering engine. Successful exploitation grants code execution within the context of the current user. The vulnerability carries a CVSS v3.1 score of 8.8 (HIGH) and has been listed in CISA's Known Exploited Vulnerabilities (KEV) catalog since November 2021, indicating confirmed active exploitation in the wild.
Background
In March 2021, Microsoft released its monthly Patch Tuesday updates addressing multiple security flaws in Windows, Edge (Legacy), and Internet Explorer. Among these was CVE-2021-26411, a memory corruption bug rooted in the way Internet Explorer's JavaScript / scripting engine manages object lifecycles. The flaw was later added to CISA's KEV catalog in November 2021 after evidence of active exploitation emerged. With an EPSS score of 81.10% (99.6th percentile), this CVE sits in the highest tier of observed exploitation probability.
Root Cause
The vulnerability is classified under CWE-416: Use After Free.
In Internet Explorer's rendering engine, certain DOM or JavaScript objects are allocated on the heap and referenced by multiple pointers during page parsing and script execution. Under specific sequences of object creation, property access, and garbage-collection events, an object can be freed while a stale pointer still references it. When that stale pointer is later dereferenced—often through a callback, event handler, or re-assignment—the result is an out-of-bounds or controlled heap access. Because modern Windows builds include mitigations such as Control Flow Guard (CFG) and ASLR, reliable exploitation typically requires additional primitives; however, threat actors have demonstrated in-the-wild success against unpatched or partially mitigated targets.
Impact
The CVSS v3.1 vector CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:H/A:L translates to the following real-world risk profile:
- Attack Vector (Network): Exploitable remotely without local network access.
- Attack Complexity (Low): No special conditions or race-winning required for the base trigger.
- Privileges Required (None): The attacker does not need an account on the target system.
- User Interaction (Required): The victim must perform an action such as opening a link or document.
- Scope (Changed): Impact extends beyond the vulnerable component (IE/Edge) into the broader process or system context.
- Confidentiality (Low): Limited data exposure; however, paired with code execution this can escalate.
- Integrity (High): Complete compromise of process integrity; attacker can alter execution flow.
- Availability (Low): Localized disruption; the primary risk is code execution rather than denial of service.
The Integrity impact is rated High because successful exploitation yields arbitrary code execution within the security context of the logged-on user. If that user holds administrative privileges, the attacker can take full control of the affected system.
Exploitation Walkthrough
Ethics & Legal Notice: The following description is provided for defensive and educational purposes only. Reproducing attack techniques against systems without explicit authorization is illegal and unethical.
A typical exploitation chain for this class of UAF in Internet Explorer involves the following phases:
- Delivery: The attacker embeds a malicious HTML/JavaScript payload in a web page, email attachment, or Office document that loads the IE engine via WebBrowser control or legacy compatibility modes.
- Heap Grooming: The payload allocates and frees objects of controlled sizes to shape the heap layout, increasing the probability that the freed object's slot will be reoccupied by attacker-controlled data.
- UAF Trigger: The script performs a sequence of DOM manipulations or JavaScript operations that cause the scripting engine to free an object while retaining a stale reference.
- Type Confusion / Controlled Write: The stale reference is later used to overwrite a vtable pointer, object length field, or adjacent metadata, redirecting execution to attacker-supplied shellcode or a ROP chain.
- Payload Execution: The shellcode executes within the IE process context. From there, the attacker may inject into other processes, establish persistence, or exfiltrate data.
No working exploit code is provided here. Defenders should focus on patching, detection, and attack-surface reduction rather than attempting to reproduce weaponized chains.
Affected and Patched Versions
Affected products (based on CPE data from NVD):
- Microsoft Internet Explorer 9
- Microsoft Internet Explorer 11
- Microsoft Edge (Legacy, EdgeHTML-based)
- Windows 7 SP1
- Windows 8.1
- Windows RT 8.1
- Windows 10 (1507, 1607, 1803, 1809, 1909, 2004, 20H2)
- Windows Server 2008 SP2
- Windows Server 2008 R2 SP1
- Windows Server 2012
- Windows Server 2012 R2
- Windows Server 2016
- Windows Server 2019
Patched versions: Microsoft released security updates on March 9, 2021 as part of the monthly Patch Tuesday cycle. Specific KB articles vary by Windows version and are documented in the Microsoft Security Response Center advisory. Systems patched on or after that date are no longer vulnerable.
Remediation
- Apply Microsoft Security Updates: Install the March 2021 (or later) cumulative/security updates for all affected Windows and IE/Edge versions. Prioritize internet-facing workstations and systems processing untrusted documents.
- Disable Internet Explorer 11: Microsoft has retired Internet Explorer 11 on most modern Windows versions. Where feasible, disable IE11 via Windows Features or Group Policy to eliminate the attack surface entirely.
- Migrate to Microsoft Edge (Chromium): Replace Edge Legacy and IE-dependent workflows with the Chromium-based Microsoft Edge, which is not affected by this vulnerability and receives continuous security updates.
- Enable Attack Surface Reduction (ASR) Rules: In Microsoft Defender for Endpoint, enable ASR rules that block Office applications from creating child processes and that block executable content from email clients and webmail.
- Application Control: Use Windows Defender Application Control (WDAC) or AppLocker to restrict execution of untrusted or unsigned code, limiting the impact of successful exploitation.
- Network Segmentation: Isolate legacy systems that still require IE for compatibility reasons; prevent them from accessing untrusted internet sites or email.
Detection
- Endpoint Detection: Monitor for Internet Explorer (
iexplore.exe) spawning unusual child processes (PowerShell, cmd.exe, wscript, cscript, or unsigned binaries) from user document directories or temporary internet files. - Memory Anomalies: EDR platforms with memory-protection capabilities should flag heap-spray patterns, ROP chain construction, or CFG bypass attempts inside IE processes.
- Network Indicators: Proxy and DNS logs may reveal short-lived callbacks to attacker infrastructure after a user opens a suspicious link or attachment.
- Microsoft Defender for Endpoint: Review alerts related to exploit protection triggers, ASR rule blocks, or behavior-based detections tied to browser exploitation.
- Threat Intelligence Feeds: Correlate internal activity with CISA KEV and EUVD-2021-13217 indicators to prioritize incident-response activities.
Assessment
CVE-2021-26411 is a high-severity, actively exploited vulnerability that should be treated as an immediate patching priority on any system still running Internet Explorer or Edge Legacy. The EPSS score of 81.10% places it in the top 0.5% of observed CVEs by exploitation likelihood, and its presence on the CISA KEV catalog since November 2021 confirms that threat actors have operationalized it in real campaigns.
Key lessons:
- Retire legacy browsers promptly. This vulnerability exemplifies why running outdated rendering engines (IE9, IE11, Edge Legacy) creates disproportionate risk. Organizations that had already migrated to modern Chromium-based browsers or disabled IE were not exposed.
- KEV + EPSS = prioritization gold. A CVSS 8.8 score alone signals "patch soon," but the combination of 81% EPSS and active KEV status should trigger emergency change-control processes. Defenders should integrate both metrics into vulnerability-management SLAs.
References
Frequently asked questions
- What is CVE-2021-26411?
- Internet Explorer Memory Corruption Vulnerability
- How severe is CVE-2021-26411?
- CVE-2021-26411 has a CVSS 3.x base score of 8.8, rated high severity. It is exploitable over network with low attack complexity, requires no privileges and user interaction. Impact on confidentiality is low, integrity high, and availability low.
- Is CVE-2021-26411 being actively exploited?
- Yes. CVE-2021-26411 is on CISA's Known Exploited Vulnerabilities (KEV) catalog, added on 2021-11-03, which means active exploitation has been confirmed. It should be prioritised for remediation.
- What products are affected by CVE-2021-26411?
- CVE-2021-26411 primarily affects Microsoft Edge. In total, 3 product configurations (CPEs) are listed as vulnerable; see the affected-products list for the exact versions.
- How do I fix CVE-2021-26411?
- Review the linked vendor and NVD advisories for patched versions and mitigations, then upgrade or apply the recommended workaround. Because this CVE is known to be actively exploited, treat remediation as urgent — CISA KEV typically sets a short remediation deadline.
- Does CVE-2021-26411 have an EU (EUVD) identifier?
- Yes. CVE-2021-26411 is tracked in the ENISA EU Vulnerability Database (EUVD) as EUVD-2021-13217. It is also flagged as exploited in the EUVD (since 2021-11-03).
- When was CVE-2021-26411 published?
- CVE-2021-26411 was published on 2021-03-11 and last updated on 2026-06-17.
References
- https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2021-26411
- https://www.cisa.gov/known-exploited-vulnerabilities-catalog?field_cve=CVE-2021-26411
Affected products (3)
- cpe:2.3:a:microsoft:edge:-:*:*:*:*:*:*:*
- cpe:2.3:a:microsoft:internet_explorer:11:-:*:*:*:*:*:*
- cpe:2.3:a:microsoft:internet_explorer:9:*:*:*:*:*:*:*
More vulnerabilities in Microsoft Edge
- CVE-2017-0028 — Critical (CVSS 9.8): A remote code execution vulnerability exists when Microsoft scripting engine improperly accesses objects in memory. The…
- CVE-2017-0252 — Critical (CVSS 9.8): A remote code execution vulnerability exists in Microsoft Chakra Core in the way JavaScript engines render when…
- CVE-2017-0223 — Critical (CVSS 9.8): A remote code execution vulnerability exists in Microsoft Chakra Core in the way JavaScript engines render when…
- CVE-2015-0313 — Critical (CVSS 9.8): Use-after-free vulnerability in Adobe Flash Player before 13.0.0.269 and 14.x through 16.x before 16.0.0.305 on Windows…
- CVE-2015-0311 — Critical (CVSS 9.8): Unspecified vulnerability in Adobe Flash Player through 13.0.0.262 and 14.x, 15.x, and 16.x through 16.0.0.287 on…
- CVE-2024-7971 — Critical (CVSS 9.6): Type confusion in V8 in Google Chrome prior to 128.0.6613.84 allowed a remote attacker to exploit heap corruption via a…
All CVEs affecting Microsoft Edge →
Other CWE-416 (Use After Free) vulnerabilities
- CVE-2026-13782 — Critical (CVSS 10.0): Use after free in Browser in Google Chrome prior to 150.0.7871.47 allowed a remote attacker who had compromised the…
- CVE-2026-4725 — Critical (CVSS 10.0): Sandbox escape due to use-after-free in the Graphics: Canvas2D component. This vulnerability was fixed in Firefox 149…
- CVE-2026-4688 — Critical (CVSS 10.0): Sandbox escape due to use-after-free in the Disability Access APIs component. This vulnerability was fixed in Firefox…
- CVE-2025-24085 — Critical (CVSS 10.0): A use after free issue was addressed with improved memory management. This issue is fixed in iOS 18.3 and iPadOS 18.3,…
- CVE-2024-43102 — Critical (CVSS 10.0): Concurrent removals of certain anonymous shared memory mappings by using the UMTX_SHM_DESTROY sub-request of…
- CVE-2021-32495 — Critical (CVSS 10.0): Radare2 has a use-after-free vulnerability in pyc parser's get_none_object function. Attacker can read freed memory…