Cyber Resilience

CVE-2015-2419

High · CISA KEV · Active Exploitation · EUVD Exploited

Published: 14 July 2015

Modified: 22 April 2026
KEV Added: 28 March 2022
CVSS Score v3.1: 8.8 (CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H)
EPSS Score: 0.4953 (97.9th percentile)
Risk Priority: 67 (60% EPSS · 20% KEV · 20% CVSS)

Summary

CVE-2015-2419 is a high-severity Out-of-bounds Write (CWE-787) vulnerability in Microsoft Internet Explorer. Its CVSS base score is 8.8 (High).

Operationally, it ranks in the top 2.1% of CVEs by exploit likelihood, and CISA has added it to the Known Exploited Vulnerabilities catalog.

The strongest mitigations our analysis identified are NIST 800-53 SI-16 (Memory Protection) and SI-2 (Flaw Remediation).

Deeper analysis

CVE-2015-2419 is an out-of-bounds write vulnerability (CWE-787) in JScript 9 that affects Microsoft Internet Explorer 10 and 11. The flaw manifests as memory corruption when the scripting engine processes specially crafted web content, enabling either arbitrary code execution or a denial-of-service condition.

Remote attackers can exploit the issue by serving a malicious web page that triggers the corruption when rendered in a vulnerable browser instance. Because the attack requires only that a user visit the page, an unauthenticated adversary can achieve full control over the affected process or crash the browser. This corresponds to the CVSS 8.8 rating, which reflects a network attack vector, low complexity, no required privileges, required user interaction, and high impact on confidentiality, integrity, and availability.

Microsoft addressed the vulnerability in security bulletin MS15-065, which supplies updated JScript 9 binaries for the affected IE versions. The bulletin and associated SecurityTracker entries emphasize applying the patches to eliminate the memory-safety defect.

The vulnerability appears in CISA’s Known Exploited Vulnerabilities catalog, confirming observed in-the-wild exploitation prior to and after the 2015 disclosure.

Vulnerability details

JScript 9 in Microsoft Internet Explorer 10 and 11 allows remote attackers to execute arbitrary code or cause a denial of service (memory corruption) via a crafted web site, aka "JScript9 Memory Corruption Vulnerability."

CWE(s): CWE-787 (Out-of-bounds Write)
KEV Date Added: 28 March 2022

Related Threats

No named actor attribution yet. ATT&CK technique mapping in progress for this CVE.

Affected Assets

microsoft internet explorer, versions 10, 11

Mitigating Controls (NIST 800-53 r5)

SI-2 Flaw Remediation
prevent

Directly requires timely application of the vendor patch (MS15-065) that eliminates the JScript9 out-of-bounds write.

SI-16 Memory Protection
prevent

Enforces memory-protection mechanisms that block the unauthorized writes exploited by the memory-corruption flaw.

SC-18 Mobile Code partial match
prevent

Restricts or sandbox-executes mobile code (JScript) delivered by untrusted web pages, limiting the attack surface.