HighCISA KEVExploited in the wildPublic exploit

Scripting Engine Memory Corruption RCE in Internet Explorer

IdentifiersCVE-2019-1367CWE-416

CVE-2019-1367 is a remote code execution vulnerability in the legacy JScript scripting engine used by Internet Explorer 8, 9, 10, and 11. The issue is described as a memory corruption flaw in jscript.dll. Supporting content indicates the root cause is improper garbage-collector tracking of JScript VAR structures, specifically involving function arguments during an Array.sort callback, and that this bug class also involved abuse of the Enumerator object. When Internet Explorer processes attacker-controlled script content, the scripting engine can mishandle object lifetime in memory, leading to use-after-free style corruption and allowing arbitrary code execution in the context of the browser process.

For your environment

Are you exposed to this one?

Mallory correlates every CVE against your assets, your vendors, and active adversary campaigns. Know which vulnerabilities matter for you, not just which ones are loud.

Start free trial

ANALYST BRIEF

Impact, mitigation & remediation

What it means. What to do now. Patch path, mitigations, and the assume-compromise checklist.

Impact

What an attacker gets, and what they’ve been doing with it.

Successful exploitation allows remote code execution in the context of Internet Explorer. An attacker can execute arbitrary code on the target system with the privileges of the current user. In practical attack chains, this can be used to install malware, launch follow-on payloads such as ransomware or espionage implants, access or modify user data, and establish further footholds. The content also notes active in-the-wild exploitation by threat actors including DarkHotel and Magnitude Exploit Kit.

Mitigation

If you can’t patch tonight, do this now.

If immediate patching is not possible, disable the legacy JScript engine (jscript.dll) as recommended by Microsoft, especially in environments where Internet Explorer compatibility mode may still invoke it. Reduce or eliminate Internet Explorer exposure, restrict use of IE compatibility mode, and prevent untrusted web content from being opened in IE. Running users without administrative privileges reduces post-exploitation impact. Additional compensating controls include browser isolation, application control, and network protections against malicious or compromised websites and malvertising chains.

Remediation

Patch, then assume compromise.

Apply Microsoft's security update for CVE-2019-1367. Because the vulnerable legacy jscript.dll could still be invoked through Internet Explorer compatibility mode, Microsoft also encouraged disabling jscript.dll where operationally feasible. Organizations should ensure Internet Explorer and affected Windows systems are fully patched and verify that legacy scripting engine invocation paths are no longer available.

PUBLIC EXPLOITS

Exploits

No public exploits tracked yet. Mallory keeps watching.

VALID 0 / 0 TOTALView more in app

No public exploit code observed for this vulnerability.

EXPOSURE SURFACE

Affected products & vendors

Products and vendors Mallory has correlated with this vulnerability. Open in Mallory to drill down to specific CPE configurations and version ranges.

VendorProductType

Microsoft CorporationInternet Explorerapplication

Vendor-confirmed product mapping. Mallory continuously reconciles this list against your asset inventory.

ACTIVITY FEED

Recent activity

8 sources tracked across advisories, community write-ups, and news. New activity surfaces here as Mallory finds it.

8 SOURCESView more in app

confiant blogNews

Apr 14, 2026

Internet Explorer CVE-2019-1367 In the wild Exploitation - prelude

A remote code execution vulnerability in Internet Explorer's jscript.dll caused by improper garbage collection tracking of JScript variables/function arguments, actively exploited in the wild and used by both an APT and an exploit kit.

securelistNews

Sep 3, 2020

IT threat evolution Q2 2020

An Internet Explorer legacy JScript engine vulnerability exploited as a zero-day and later used by the Magnitude Exploit Kit to deliver payloads (including ransomware) via malvertising.

securelistNews

Apr 30, 2020

APT trends report Q1 2020

An Internet Explorer vulnerability (used here via a malicious script) exploited by the DarkHotel APT in a targeted, multi-stage infection chain to selectively deliver a final backdoor to high-value victims.

What this page doesn’t show

The version that knows your environment.

This page is what’s public. Mallory adds the parts that aren’t: which of your assets are affected, which adversaries are exploiting it right now, which detections to deploy, and what to do tonight.

Start free trial

Exposure mapping

Query your assets running an affected version, and investigate the blast radius.

Threat actor evidence2

Every observed campaign linking this CVE to a named adversary.

Associated malware6

Malware families riding this exploit, with evidence and IOCs.

Detection signatures2

YARA, Sigma, Snort, and vendor rules, auto-deployed to your SIEM.

Vendor-by-vendor mapping

Cross-references every affected SKU, including bundled OEM variants.

Social activity5

Community discussion across Reddit, Mastodon, and other social sources.

EXTERNAL REFERENCES

MITRE CVE

cve.org · CVE-2019-1367

NVD

nvd.nist.gov/vuln/detail/CVE-2019-1367

MITRE CWE · CWE-416

cwe.mitre.org

Patch

portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2019-1367

US Government Resource

cisa.gov/known-exploited-vulnerabilities-catalog?field_cve=CVE-2019-1367