Cyber Resilience

CVE-2016-0189

HighCISA KEVActive ExploitationEUVD ExploitedPublic PoC

Published: 11 May 2016

Published
11 May 2016
Modified
22 April 2026
KEV Added
28 March 2022
Patch
CVSS Score v3.1 7.5 CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:U/C:H/I:H/A:H
EPSS Score 0.9080 99.6th percentile
Risk Priority 89 60% EPSS · 20% KEV · 20% CVSS

Summary

CVE-2016-0189 is a high-severity Out-of-bounds Write (CWE-787) vulnerability in Microsoft Windows Server 2008. Its CVSS base score is 7.5 (High).

Operationally, ranked in the top 0.4% of CVEs by exploit likelihood; CISA has added it to the Known Exploited Vulnerabilities catalog; a public proof-of-concept is referenced.

The strongest mitigations our analysis identified are NIST 800-53 SC-18 (Mobile Code) and SI-2 (Flaw Remediation).

Deeper analysis

The vulnerability is a memory corruption flaw, tracked as CVE-2016-0189 and assigned CWE-787, that affects the Microsoft JScript 5.8 and VBScript 5.7/5.8 scripting engines used in Internet Explorer 9 through 11 and other products. It arises from improper handling of crafted content that can trigger out-of-bounds writes, distinct from the related CVE-2016-0187 issue.

Remote attackers can exploit the flaw by serving a malicious web page to a victim, achieving arbitrary code execution or a denial-of-service condition when the scripting engine processes the content. Successful exploitation requires user interaction such as visiting the site, consistent with the CVSS vector AV:N/AC:H/PR:N/UI:R.

Microsoft addressed the issue in security bulletins MS16-051 and MS16-053, which include patches for the affected JScript and VBScript components in Internet Explorer. Public exploit code for the vulnerability has been published.

EU & UK References

Vulnerability details

The Microsoft (1) JScript 5.8 and (2) VBScript 5.7 and 5.8 engines, as used in Internet Explorer 9 through 11 and other products, allow remote attackers to execute arbitrary code or cause a denial of service (memory corruption) via a…

more

crafted web site, aka "Scripting Engine Memory Corruption Vulnerability," a different vulnerability than CVE-2016-0187.

CWE(s)
KEV Date Added
28 March 2022

Related Threats

No named actor attribution yet. ATT&CK technique mapping in progress for this CVE.

Affected Assets

microsoft
jscript
5.8
microsoft
vbscript
5.7, 5.8
microsoft
internet explorer
10, 11, 9

Mitigating Controls

Mitigating Controls (NIST 800-53 r5) AI

prevent

Directly requires applying the vendor patches in MS16-051/MS16-053 that eliminate the out-of-bounds write in the JScript/VBScript engines.

prevent

Establishes usage restrictions and configuration requirements for mobile code (JavaScript/VBScript) that is the attack vector for this crafted-web-page exploit.

prevent

Implements memory-protection mechanisms that can block the unauthorized code execution resulting from the CWE-787 out-of-bounds write.

References