CVE-2014-4138
published 2014-10-15


Priority: P262, critical, 9.3 (CVSS 2.0)
Vector: AV:N/AC:M/Au:N/C:C/I:C/A:C
EXPLOIT
EPSS: 32.24% (98.1th percentile)
Microsoft Internet Explorer 11 allows remote attackers to execute arbitrary code or cause a denial of service (memory corruption) via a crafted web site, aka "Internet Explorer Memory Corruption Vulnerability," a different vulnerability than CVE-2014-4130 and CVE-2014-4132.

Affected

1 range

Vendor      Product             Version range   Fixed in
microsoft   internet_explorer

Detection & IOCs (extracted from sources)

process: MSHTML!CPasteCommand::ConvertBitmaptoPng
filename: Repro.svg
command: document.execCommand("Paste", false)
  • Detect SVG files delivered over the web whose JavaScript enables designMode and then runs an execCommand Copy/Paste sequence; this sequence triggers the CPasteCommand::ConvertBitmaptoPng heap overflow in MSHTML on IE11.
  • The vulnerable code path allocates memory using uBitmapSize but reads *puPngImageSize bytes into it; monitor for heap corruption in MSHTML when the PNG output is larger than the BMP input during clipboard paste operations.
  • Flag web pages that programmatically set document.designMode='on' and call execCommand Copy and Paste, as this is the trigger mechanism for CVE-2014-4138 exploitation.
  • Look for the assembly address sequence at 6f3818fd (MSHTML) and the vulnerable allocation call at 6f38199d (TSmartArray::New with uBitmapSize) as crash/exploit indicators in IE11 memory dumps.
  • The assembly addresses (e.g., 6f3818fd, 6f38199d) are specific to the MSHTML.dll version analyzed and may differ across patch levels or system configurations.
  • The exploit requires scripting to be enabled in the browser zone; disabling scripts prevents the programmatic copy/paste trigger, though social engineering via keyboard shortcuts remains a residual risk.
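
The trigger sequence from the bullets above, written as a static content check. This is an added example, not code from the advisory or its sources: the function names, the severity labels and the sample documents are constructed for illustration, and the regexes do not catch obfuscated script (string concatenation, bracket property access).

```python
import html
import re

# Hypothetical names and severity labels; patterns follow the trigger listed above.
DESIGN_MODE = re.compile(r"designMode\s*=\s*['\"]on['\"]", re.I)
EXEC_CMD = re.compile(r"execCommand\s*\(\s*['\"](\w+)['\"]", re.I)
SVG_ROOT = re.compile(r"<svg[\s>]", re.I)

def scan(name, content):
    """Classify one web-delivered document by the CVE-2014-4138 trigger sequence."""
    # SVG is XML: inline script may be entity-encoded (&quot;on&quot;), so decode first.
    text = html.unescape(content)
    commands = {m.group(1).lower() for m in EXEC_CMD.finditer(text)}
    indicators = {
        "svg_document": bool(SVG_ROOT.search(text)),
        "design_mode_on": bool(DESIGN_MODE.search(text)),
        "exec_copy": "copy" in commands,
        "exec_paste": "paste" in commands,
    }
    # Rich-text editors use designMode legitimately; require the full sequence.
    full = all(indicators[k] for k in ("design_mode_on", "exec_copy", "exec_paste"))
    severity = "none"
    if full:
        severity = "high" if indicators["svg_document"] else "medium"
    return {"name": name, "severity": severity, "indicators": indicators}

# Constructed sample documents (not taken from any real sample).
SAMPLES = {
    "cdata.svg": '<svg xmlns="http://www.w3.org/2000/svg"><script><![CDATA['
                 'document.designMode = "on"; document.execCommand("Copy");'
                 'document.execCommand("Paste", false);]]></script></svg>',
    "entities.svg": "<svg><script>document.designMode=&quot;on&quot;;"
                    "document.execCommand(&quot;copy&quot;);"
                    "document.execCommand(&quot;paste&quot;,false)</script></svg>",
    "page.html": "<html><script>document.designMode='on';"
                 "document.execCommand('Copy');document.execCommand('Paste')</script></html>",
    "editor.html": "<html><script>document.designMode='on';"
                   "document.execCommand('bold')</script></html>",
}

def scan_all(samples=SAMPLES):
    """Map each sample name to its severity."""
    return {name: scan(name, body)["severity"] for name, body in samples.items()}

if __name__ == "__main__":
    for name, severity in scan_all().items():
        print(f"{name}: {severity}")
```

A "medium" result marks the full sequence in a non-SVG page; "none" on editor.html shows that designMode alone is not flagged.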