Cyber Resilience

CVE-2018-8373

High · CISA KEV · Active Exploitation · EUVD Exploited

Published: 15 August 2018
Modified: 28 October 2025
KEV Added: 25 March 2022
CVSS Score v3.1: 7.5 (CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:U/C:H/I:H/A:H)
EPSS Score: 0.8249 (99.3th percentile)
Risk Priority: 84 (60% EPSS · 20% KEV · 20% CVSS)

Summary

CVE-2018-8373 is a high-severity Out-of-bounds Write (CWE-787) vulnerability in Microsoft Internet Explorer. Its CVSS base score is 7.5 (High).

Operationally, it is ranked in the top 0.7% of CVEs by exploit likelihood, and CISA has added it to the Known Exploited Vulnerabilities catalog.

The strongest mitigations our analysis identified are NIST 800-53 SI-16 (Memory Protection) and SI-2 (Flaw Remediation).

Deeper analysis

A remote code execution vulnerability exists in the scripting engine's handling of objects in memory within Internet Explorer, resulting in memory corruption classified under CWE-787. The issue affects Internet Explorer 9, Internet Explorer 10, and Internet Explorer 11, and is distinct from several related scripting engine flaws disclosed around the same time.

An attacker can exploit the flaw over the network without authentication by serving malicious content that triggers the memory corruption when rendered in a vulnerable browser instance. Successful exploitation requires user interaction such as visiting a crafted webpage and can yield full control over confidentiality, integrity, and availability on the target system, consistent with the CVSS 7.5 rating reflecting high attack complexity.

Microsoft published an advisory addressing CVE-2018-8373 along with related security bulletins that practitioners should consult for patch availability and configuration guidance. No information on observed in-the-wild exploitation is provided in the source references.


Vulnerability details

A remote code execution vulnerability exists in the way that the scripting engine handles objects in memory in Internet Explorer, aka "Scripting Engine Memory Corruption Vulnerability." This affects Internet Explorer 9, Internet Explorer 11, Internet Explorer 10. This CVE ID is unique from CVE-2018-8353, CVE-2018-8355, CVE-2018-8359, CVE-2018-8371, CVE-2018-8372, CVE-2018-8385, CVE-2018-8389, CVE-2018-8390.

CWE(s): CWE-787
KEV Date Added: 25 March 2022

Related Threats

No named actor attribution yet. ATT&CK technique mapping in progress for this CVE.

Affected Assets

Vendor: microsoft
Product: internet explorer
Versions: 10, 11, 9

Mitigating Controls

Mitigating Controls (NIST 800-53 r5) AI

SI-2 Flaw Remediation
prevent

Directly requires timely application of vendor patches that eliminate the scripting-engine memory-corruption flaw before exploitation.

SI-16 Memory Protection
prevent

Implements memory-protection safeguards that block the unauthorized code execution resulting from the out-of-bounds write (CWE-787) in the IE scripting engine.

SC-18 Mobile Code partial match
prevent

Establishes usage restrictions and implementation guidance for mobile code (scripts) that can stop the malicious webpage content from reaching the vulnerable scripting engine.
