Cyber Resilience

CVE-2018-8653

Severity: High | CISA KEV | Active Exploitation | EUVD Exploited

Published: 20 December 2018

Modified: 29 October 2025
KEV Added: 03 November 2021
CVSS Score v3.1: 7.5 (CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:U/C:H/I:H/A:H)
EPSS Score: 0.3557 (97.2nd percentile)
Risk Priority: 56 (weighted 60% EPSS, 20% KEV, 20% CVSS)

Summary

CVE-2018-8653 is a high-severity Out-of-bounds Write (CWE-787) vulnerability in Microsoft Internet Explorer. Its CVSS base score is 7.5 (High).

Operationally, it ranks in the top 2.8% of CVEs by exploit likelihood (EPSS), and CISA has added it to the Known Exploited Vulnerabilities catalog.

The strongest mitigations our analysis identified are NIST 800-53 SI-16 (Memory Protection) and SI-2 (Flaw Remediation).

Deeper analysis

A remote code execution vulnerability exists in the scripting engine's handling of objects in memory within Internet Explorer, resulting in memory corruption classified under CWE-787. The issue affects Internet Explorer 9, Internet Explorer 10, and Internet Explorer 11, and is distinct from the related CVE-2018-8643. It carries a CVSS 3.1 score of 7.5 reflecting network attack vector, high attack complexity, no required privileges, and required user interaction.

An unauthenticated remote attacker can exploit the flaw by serving malicious content that triggers the memory corruption when rendered in a vulnerable IE instance. Successful exploitation grants the ability to execute arbitrary code with the privileges of the current user, potentially leading to full confidentiality, integrity, and availability impacts on the affected system.

Microsoft's security advisory references the available patches and mitigations for this issue, and its listing in the CISA Known Exploited Vulnerabilities catalog confirms observed real-world exploitation activity.

EU & UK References

Vulnerability details

A remote code execution vulnerability exists in the way that the scripting engine handles objects in memory in Internet Explorer, aka "Scripting Engine Memory Corruption Vulnerability." This affects Internet Explorer 9, Internet Explorer 11, Internet Explorer 10. This CVE ID is unique from CVE-2018-8643.

CWE(s): CWE-787 (Out-of-bounds Write)

Related Threats

No named actor attribution yet. ATT&CK technique mapping in progress for this CVE.

Affected Assets

Microsoft Internet Explorer 9, 10, 11

Mitigating Controls

Mitigating Controls (NIST 800-53 r5)

SI-2 Flaw Remediation
prevent

Directly requires timely application of vendor patches that Microsoft released to correct the scripting-engine memory corruption in IE 9/10/11.

SI-16 Memory Protection
prevent

Enforces OS- and browser-level memory protections (ASLR, DEP, etc.) that make the out-of-bounds write (CWE-787) far harder to turn into reliable remote code execution.

SC-18 Mobile Code partial match
prevent

Restricts or sandbox-executes mobile code (scripts) rendered by the IE scripting engine, limiting the attack surface for the malicious content that triggers CVE-2018-8653.

References