Cyber Resilience

CVE-2019-1367

High · CISA KEV · Active Exploitation · EUVD Exploited · Ransomware-linked

Published: 23 September 2019

Modified: 29 October 2025
KEV Added: 03 November 2021
Patch
CVSS Score v3.1: 7.5 (CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:U/C:H/I:H/A:H)
EPSS Score: 0.9070 (99.6th percentile)
Risk Priority: 89 (60% EPSS · 20% KEV · 20% CVSS)

Summary

CVE-2019-1367 is a high-severity Out-of-bounds Write (CWE-787) vulnerability in Microsoft Internet Explorer. Its CVSS base score is 7.5 (High).

Operationally, it is ranked in the top 0.4% of CVEs by exploit likelihood, and CISA has added it to the Known Exploited Vulnerabilities catalog.

The strongest mitigations our analysis identified are NIST 800-53 SC-18 (Mobile Code) and SI-16 (Memory Protection).

Deeper analysis

A remote code execution vulnerability exists in the scripting engine's handling of objects in memory within Internet Explorer, classified as a memory corruption issue under CWE-787. This flaw, tracked as CVE-2019-1367 and distinct from CVE-2019-1221, carries a CVSS 3.1 score of 7.5 reflecting network attack vector, high attack complexity, no required privileges, and required user interaction.

An attacker can exploit the issue remotely by supplying specially crafted content that triggers the memory corruption when processed by the affected scripting engine in Internet Explorer, potentially resulting in arbitrary code execution with impacts to confidentiality, integrity, and availability.

Microsoft has published guidance through its Security Response Center addressing the vulnerability, and the flaw appears in CISA's catalog of known exploited vulnerabilities, indicating confirmed real-world exploitation activity.

Vulnerability details

A remote code execution vulnerability exists in the way that the scripting engine handles objects in memory in Internet Explorer, aka 'Scripting Engine Memory Corruption Vulnerability'. This CVE ID is unique from CVE-2019-1221.

CWE(s)
KEV Date Added: 03 November 2021

Related Threats

No named actor attribution yet. ATT&CK technique mapping in progress for this CVE.

Affected Assets

microsoft internet explorer: 10, 11, 9

Mitigating Controls

Mitigating Controls (NIST 800-53 r5) AI

prevent

Directly enforces memory protection mechanisms that block the out-of-bounds write (CWE-787) exploitation path used by this scripting-engine RCE.

prevent

Restricts or sandbox-executes mobile code (IE scripting engine objects) so that specially crafted web content cannot achieve arbitrary code execution.

prevent

Requires timely application of the vendor patch that eliminates the memory-corruption flaw before an attacker-supplied page can trigger it.
