Cyber Resilience

CVE-2017-0149

High · CISA KEV · Active Exploitation · EUVD Exploited

Published: 17 March 2017

Modified: 22 April 2026
KEV Added: 24 May 2022
Patch
CVSS Score v3.1: 8.8 (CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H)
EPSS Score: 0.3399 (97.1th percentile)
Risk Priority: 58 (60% EPSS · 20% KEV · 20% CVSS)

Summary

CVE-2017-0149 is a high-severity Out-of-bounds Write (CWE-787) vulnerability in Microsoft Internet Explorer. Its CVSS base score is 8.8 (High).

Operationally, it ranks in the top 2.9% of CVEs by exploit likelihood, and CISA has added it to the Known Exploited Vulnerabilities catalog.

The strongest mitigations our analysis identified are NIST 800-53 SI-16 (Memory Protection) and SI-3 (Malicious Code Protection).

Deeper analysis

Microsoft Internet Explorer versions 9 through 11 are affected by a memory corruption vulnerability tracked as CVE-2017-0149 and assigned CWE-787. The flaw permits remote attackers to trigger arbitrary code execution or a denial of service condition when a user visits a specially crafted web site. It is distinct from the issues described in CVE-2017-0018 and CVE-2017-0037, and carries a CVSS 3.1 base score of 8.8 reflecting network attack vector, low complexity, no required privileges, and required user interaction.

An attacker can host or compromise a web site containing malicious content that exploits the memory corruption when rendered by a vulnerable IE instance. Successful exploitation grants the ability to execute arbitrary code in the context of the current user or to crash the browser, with confidentiality, integrity, and availability impacts all rated high.

Microsoft published an advisory for CVE-2017-0149 through its Security Response Center portal that addresses the issue and provides guidance for affected customers. No information on observed in-the-wild exploitation is supplied in the available references.

Vulnerability details

Microsoft Internet Explorer 9 through 11 allow remote attackers to execute arbitrary code or cause a denial of service (memory corruption) via a crafted web site, aka "Internet Explorer Memory Corruption Vulnerability." This vulnerability is different from those described in CVE-2017-0018 and CVE-2017-0037.

CWE(s)
KEV Date Added: 24 May 2022

Related Threats

No named actor attribution yet. ATT&CK technique mapping in progress for this CVE.

Affected Assets

microsoft · internet explorer · 9, 10, 11

Mitigating Controls (NIST 800-53 r5)

SI-16 Memory Protection (prevent)

Directly enforces memory protections that block exploitation of out-of-bounds write flaws such as CWE-787 in IE rendering.

SI-3 Malicious Code Protection (prevent)

Requires malicious-code detection and blocking mechanisms that can stop the crafted web content before IE processes it.

SC-18 Mobile Code (partial match, prevent)

Restricts or authorizes mobile code (scripts, active content) delivered by web sites, limiting the attack vector used by this IE exploit.
