CVE-2021-26411

CVE-2021-26411 is a high-severity vulnerability in Microsoft Edge with a CVSS 3.x base score of 8.8. It is listed in CISA's Known Exploited Vulnerabilities (KEV) catalog, confirming it has been exploited in the wild (added 2021-11-03). The underlying weakness is classified as CWE-416.

Key facts

Description

Internet Explorer Memory Corruption Vulnerability

CVE-2021-26411: Internet Explorer Use-After-Free Memory Corruption (CISA KEV)

AI-generated analysis based on the vulnerability data on this page.

Field Value
CVE ID CVE-2021-26411
CWE CWE-416: Use After Free
CVSS v3.1 8.8 (HIGH) — AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:H/A:L
CVSS v2 5.1 — AV:N/AC:H/Au:N/C:P/I:P/A:P
EPSS 81.10% (0.99588 percentile)
CISA KEV Added 2021-11-03
EUVD EUVD-2021-13217
Published 2021-03-11
Source Microsoft MSRC / NVD

Summary

CVE-2021-26411 is a use-after-free (UAF) vulnerability in Internet Explorer's scripting engine. A remote attacker can trigger memory corruption by convincing a user to visit a malicious web page or open a specially crafted document that instantiates the IE rendering engine. Successful exploitation grants code execution within the context of the current user. The vulnerability carries a CVSS v3.1 score of 8.8 (HIGH) and has been listed in CISA's Known Exploited Vulnerabilities (KEV) catalog since November 2021, indicating confirmed active exploitation in the wild.

Background

In March 2021, Microsoft released its monthly Patch Tuesday updates addressing multiple security flaws in Windows, Edge (Legacy), and Internet Explorer. Among these was CVE-2021-26411, a memory corruption bug rooted in the way Internet Explorer's JavaScript / scripting engine manages object lifecycles. The flaw was later added to CISA's KEV catalog in November 2021 after evidence of active exploitation emerged. With an EPSS score of 81.10% (99.6th percentile), this CVE sits in the highest tier of observed exploitation probability.

Root Cause

The vulnerability is classified under CWE-416: Use After Free.

In Internet Explorer's rendering engine, certain DOM or JavaScript objects are allocated on the heap and referenced by multiple pointers during page parsing and script execution. Under specific sequences of object creation, property access, and garbage-collection events, an object can be freed while a stale pointer still references it. When that stale pointer is later dereferenced—often through a callback, event handler, or re-assignment—the result is an out-of-bounds or controlled heap access. Because modern Windows builds include mitigations such as Control Flow Guard (CFG) and ASLR, reliable exploitation typically requires additional primitives; however, threat actors have demonstrated in-the-wild success against unpatched or partially mitigated targets.

Impact

The CVSS v3.1 vector CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:H/A:L translates to the following real-world risk profile:

  • Attack Vector (Network): Exploitable remotely without local network access.
  • Attack Complexity (Low): No special conditions or race-winning required for the base trigger.
  • Privileges Required (None): The attacker does not need an account on the target system.
  • User Interaction (Required): The victim must perform an action such as opening a link or document.
  • Scope (Changed): Impact extends beyond the vulnerable component (IE/Edge) into the broader process or system context.
  • Confidentiality (Low): Limited data exposure; however, paired with code execution this can escalate.
  • Integrity (High): Complete compromise of process integrity; attacker can alter execution flow.
  • Availability (Low): Localized disruption; the primary risk is code execution rather than denial of service.

The Integrity impact is rated High because successful exploitation yields arbitrary code execution within the security context of the logged-on user. If that user holds administrative privileges, the attacker can take full control of the affected system.

Exploitation Walkthrough

Ethics & Legal Notice: The following description is provided for defensive and educational purposes only. Reproducing attack techniques against systems without explicit authorization is illegal and unethical.

A typical exploitation chain for this class of UAF in Internet Explorer involves the following phases:

  1. Delivery: The attacker embeds a malicious HTML/JavaScript payload in a web page, email attachment, or Office document that loads the IE engine via WebBrowser control or legacy compatibility modes.
  2. Heap Grooming: The payload allocates and frees objects of controlled sizes to shape the heap layout, increasing the probability that the freed object's slot will be reoccupied by attacker-controlled data.
  3. UAF Trigger: The script performs a sequence of DOM manipulations or JavaScript operations that cause the scripting engine to free an object while retaining a stale reference.
  4. Type Confusion / Controlled Write: The stale reference is later used to overwrite a vtable pointer, object length field, or adjacent metadata, redirecting execution to attacker-supplied shellcode or a ROP chain.
  5. Payload Execution: The shellcode executes within the IE process context. From there, the attacker may inject into other processes, establish persistence, or exfiltrate data.

No working exploit code is provided here. Defenders should focus on patching, detection, and attack-surface reduction rather than attempting to reproduce weaponized chains.

Affected and Patched Versions

Affected products (based on CPE data from NVD):

  • Microsoft Internet Explorer 9
  • Microsoft Internet Explorer 11
  • Microsoft Edge (Legacy, EdgeHTML-based)
  • Windows 7 SP1
  • Windows 8.1
  • Windows RT 8.1
  • Windows 10 (1507, 1607, 1803, 1809, 1909, 2004, 20H2)
  • Windows Server 2008 SP2
  • Windows Server 2008 R2 SP1
  • Windows Server 2012
  • Windows Server 2012 R2
  • Windows Server 2016
  • Windows Server 2019

Patched versions: Microsoft released security updates on March 9, 2021 as part of the monthly Patch Tuesday cycle. Specific KB articles vary by Windows version and are documented in the Microsoft Security Response Center advisory. Systems patched on or after that date are no longer vulnerable.

Remediation

  1. Apply Microsoft Security Updates: Install the March 2021 (or later) cumulative/security updates for all affected Windows and IE/Edge versions. Prioritize internet-facing workstations and systems processing untrusted documents.
  2. Disable Internet Explorer 11: Microsoft has retired Internet Explorer 11 on most modern Windows versions. Where feasible, disable IE11 via Windows Features or Group Policy to eliminate the attack surface entirely.
  3. Migrate to Microsoft Edge (Chromium): Replace Edge Legacy and IE-dependent workflows with the Chromium-based Microsoft Edge, which is not affected by this vulnerability and receives continuous security updates.
  4. Enable Attack Surface Reduction (ASR) Rules: In Microsoft Defender for Endpoint, enable ASR rules that block Office applications from creating child processes and that block executable content from email clients and webmail.
  5. Application Control: Use Windows Defender Application Control (WDAC) or AppLocker to restrict execution of untrusted or unsigned code, limiting the impact of successful exploitation.
  6. Network Segmentation: Isolate legacy systems that still require IE for compatibility reasons; prevent them from accessing untrusted internet sites or email.

Detection

  • Endpoint Detection: Monitor for Internet Explorer (iexplore.exe) spawning unusual child processes (PowerShell, cmd.exe, wscript, cscript, or unsigned binaries) from user document directories or temporary internet files.
  • Memory Anomalies: EDR platforms with memory-protection capabilities should flag heap-spray patterns, ROP chain construction, or CFG bypass attempts inside IE processes.
  • Network Indicators: Proxy and DNS logs may reveal short-lived callbacks to attacker infrastructure after a user opens a suspicious link or attachment.
  • Microsoft Defender for Endpoint: Review alerts related to exploit protection triggers, ASR rule blocks, or behavior-based detections tied to browser exploitation.
  • Threat Intelligence Feeds: Correlate internal activity with CISA KEV and EUVD-2021-13217 indicators to prioritize incident-response activities.

Assessment

CVE-2021-26411 is a high-severity, actively exploited vulnerability that should be treated as an immediate patching priority on any system still running Internet Explorer or Edge Legacy. The EPSS score of 81.10% places it in the top 0.5% of observed CVEs by exploitation likelihood, and its presence on the CISA KEV catalog since November 2021 confirms that threat actors have operationalized it in real campaigns.

Key lessons:

  1. Retire legacy browsers promptly. This vulnerability exemplifies why running outdated rendering engines (IE9, IE11, Edge Legacy) creates disproportionate risk. Organizations that had already migrated to modern Chromium-based browsers or disabled IE were not exposed.
  2. KEV + EPSS = prioritization gold. A CVSS 8.8 score alone signals "patch soon," but the combination of 81% EPSS and active KEV status should trigger emergency change-control processes. Defenders should integrate both metrics into vulnerability-management SLAs.

References

Frequently asked questions

What is CVE-2021-26411?
Internet Explorer Memory Corruption Vulnerability
How severe is CVE-2021-26411?
CVE-2021-26411 has a CVSS 3.x base score of 8.8, rated high severity. It is exploitable over network with low attack complexity, requires no privileges and user interaction. Impact on confidentiality is low, integrity high, and availability low.
Is CVE-2021-26411 being actively exploited?
Yes. CVE-2021-26411 is on CISA's Known Exploited Vulnerabilities (KEV) catalog, added on 2021-11-03, which means active exploitation has been confirmed. It should be prioritised for remediation.
What products are affected by CVE-2021-26411?
CVE-2021-26411 primarily affects Microsoft Edge. In total, 3 product configurations (CPEs) are listed as vulnerable; see the affected-products list for the exact versions.
How do I fix CVE-2021-26411?
Review the linked vendor and NVD advisories for patched versions and mitigations, then upgrade or apply the recommended workaround. Because this CVE is known to be actively exploited, treat remediation as urgent — CISA KEV typically sets a short remediation deadline.
Does CVE-2021-26411 have an EU (EUVD) identifier?
Yes. CVE-2021-26411 is tracked in the ENISA EU Vulnerability Database (EUVD) as EUVD-2021-13217. It is also flagged as exploited in the EUVD (since 2021-11-03).
When was CVE-2021-26411 published?
CVE-2021-26411 was published on 2021-03-11 and last updated on 2026-06-17.

References

Affected products (3)

More vulnerabilities in Microsoft Edge

All CVEs affecting Microsoft Edge →

Other CWE-416 (Use After Free) vulnerabilities

Browse all CWE-416 (Use After Free) vulnerabilities →