CVE-2021-26419
Published 2021-05-11
CVE-2021-26419: Scripting Engine Memory Corruption Vulnerability
High 7.5 (CVSS 3.1)
CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:U/C:H/I:H/A:H
EPSS: 22.60% (97.4th percentile)
Affected
16 ranges
| Vendor | Product | Version range | Fixed in |
|---|---|---|---|
| microsoft | internet_explorer_11 | >= 1.0.0 < 10.0.14393.4401 | 10.0.14393.4401 |
| microsoft | internet_explorer_11 | >= 1.0.0 < 10.0.17134.2207 | 10.0.17134.2207 |
| microsoft | internet_explorer_11 | >= 1.0.0 < 10.0.17763.1935 | 10.0.17763.1935 |
| microsoft | internet_explorer_11 | >= 1.0.0 < 10.0.18363.1556 | 10.0.18363.1556 |
| microsoft | internet_explorer_11 | >= 1.0.0 < 10.0.19041.982 | 10.0.19041.982 |
| microsoft | internet_explorer_11 | >= 1.0.0 < 10.0.10240.18931 | 10.0.10240.18931 |
| microsoft | internet_explorer_11 | >= 1.0.0 < 6.1.7601.24597 | 6.1.7601.24597 |
| microsoft | internet_explorer_11 | >= 1.0.0 < 6.1 | 6.1 |
| microsoft | internet_explorer_11 | >= 1.0.0 < 6.3.9600.20017 | 6.3.9600.20017 |
| microsoft | internet_explorer_11 | >= 1.0.0 < 6.3.9600.20016 | 6.3.9600.20016 |
| microsoft | internet_explorer_11 | >= 1.0.0 < 6.2.9200.23347 | 6.2.9200.23347 |
| microsoft | internet_explorer_11 | >= 1.0.0 < 6.2 | 6.2 |
| microsoft | internet_explorer_9 | >= 1.0.0 < 6.0.6003.21117 | 6.0.6003.21117 |
| microsoft | internet_explorer_9 | >= 1.0.0 < 6.0 | 6.0 |
| msrc | internet_explorer_11 | — | — |
| msrc | internet_explorer_9 | — | — |
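CVSS provenance
| Source | Version | Score | Severity | Vector |
|---|---|---|---|---|
| nvd | v3.1 | 7.5 | HIGH | CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:U/C:H/I:H/A:H |
| nvd | v2.0 | 7.6 | HIGH | AV:N/AC:H/Au:N/C:C/I:C/A:C |
| cvelistv5 | — | 7.5 | HIGH | — |
| vendor_msrc | — | 6.4 | MEDIUM | — |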
Project0
Fuzzing Closed-Source JavaScript Engines with Coverage Feedback - Project Zero
project_zero·2021-09-01
Posted by Ivan Fratric, Project Zero
tl;dr I combined Fuzzilli (an open-source JavaScript engine fuzzer), with TinyInst (an open-source dynamic instrumentation library for fuzzing). I also added grammar-based mutation support to Jackalope (my black-box binary fuzzer). So far, these two approaches resulted in finding three security issues in jscript9.dll (default JavaScript engine used by Internet Explorer).
Introduction or “when you can’t beat them, join them”
In the past, I’ve invested a lot of time in generation-based fuzzing, which was a successful way to find vulnerabilities in various targets, especially those that take some form of language as input. For example, Domato, my grammar-based generational fuzzer, found over 40 vulnerabilities in WebKit and numerous bugs in Jscript.
CVEList
Scripting Engine Memory Corruption Vulnerability
cvelistv5·2021-05-11·CVSS 7.5
CVE-2021-26419 [HIGH] Scripting Engine Memory Corruption Vulnerability
Microsoft
Scripting Engine Memory Corruption Vulnerability
vendor_msrc·2021-05-11·CVSS 6.4
CVE-2021-26419 [HIGH] Scripting Engine Memory Corruption Vulnerability
FAQ: According to the CVSS metric, user interaction is required (UI:R). What interaction would the user have to do?
In a web-based attack scenario, an attacker could host a specially crafted website that is designed to exploit the vulnerability through Internet Explorer and then convince a user to view the website. An attacker could also embed an ActiveX control marked "safe for initialization" in an application or Microsoft Office document that hosts the IE rendering engine.
The attacker could also take advantage of compromised websites and websites that accept or host user-provided content or advertisements. These websites could contain specially crafted content that could exploit the vulnerability.
Internet Explorer: Internet Explorer
No detection rules found.
No public exploits indexed.
Trendmicro
May Patch Tuesday Offers Relative Respite
blogs_trendmicro·2021-05-11·CVSS 9.8
[CRITICAL] May Patch Tuesday Offers Relative Respite
Exploits & Vulnerabilities
## May Patch Tuesday Offers Relative Respite
By: Trend Micro, May 11, 2021
Compared to the previous months of 2021, this month’s Patch Tuesday cycle is a slight lull. Only 55 vulnerabilities were fixed this month, with only four of these classified as Critical. One fell under the rarely used Moderate category, while the remaining 50 were classified as Important. A significant number of these vulnerabilities — 13 in total — were submitted via the Zero Day Initiative (ZDI).
Critical Vulnerabilities: HTTP Protocol Stack Vulnerability
The mo
Krebs
Microsoft Patch Tuesday, May 2021 Edition
blogs_krebs·2021-05-11·CVSS 7.5
[HIGH] Microsoft Patch Tuesday, May 2021 Edition
Microsoft today released fixes to plug at least 55 security holes in its Windows operating systems and other software. Four of these weaknesses can be exploited by malware and malcontents to seize complete, remote control over vulnerable systems without any help from users. On deck this month are patches to quash a wormable flaw, a creepy wireless bug, and yet another reason to call for the death of Microsoft’s Internet Explorer (IE) web browser.
While May brings about half the normal volume of updates from Microsoft, there are some notable weaknesses that deserve prompt attention, particularly from enterprises. By all accounts, the most pressing priority this month is CVE-2021-31166, a Windows 10 and Windows Server flaw which allows an unauthenticated attacker to remotely execute malici
Qualys
Microsoft & Adobe Patch Tuesday (May 2021) – Qualys covers 85 Vulnerabilities, 26 Critical
blogs_qualys·2021-05-11·CVSS 9.9
CVE-2021-31181 [CRITICAL] Microsoft & Adobe Patch Tuesday (May 2021) – Qualys covers 85 Vulnerabilities, 26 Critical
## Microsoft Patch Tuesday – May 2021
Microsoft patched 55 CVEs in their May 2021 Patch Tuesday release, of which 4 are rated as critical severity. Three 0-day vulnerability patches were included in the release. As of this publication date, none have been exploited.
Qualys released 12 QIDs on the same day, providing vulnerability detection and patch management coverage (where applicable) for all 55 CVEs and the related KBs.
## Critical Microsoft vulnerabilities patched:
CVE-2021-31181 – SharePoint Remote Code Execution Vulnerability
Microsoft released patches addressing a critical RCE vulnerability in SharePoint (CVE-2021-31181). This CVE has a high likelihood of exploitability and is assigned a CVSSv3 base score of 8.8 by the vendor.
CVE-2021-31166 – HTTP Protocol Stack Remote Code
Talos
Microsoft Patch Tuesday for May 2021 — Snort rules and prominent vulnerabilities
blogs_talos·2021-05-11·CVSS 7.5
[HIGH] Microsoft Patch Tuesday for May 2021 — Snort rules and prominent vulnerabilities
By Jon Munshaw, with contributions from Chris Neal.
Microsoft released its monthly security update Tuesday, disclosing 55 vulnerabilities across its suite of products, the fewest in any month since January 2020.
There are only three critical vulnerabilities patched in this month, while two are of “moderate” severity and the rest are “important.” All three critical vulnerabilities, however, are considered “more likely” to be exploited, according to Microsoft.
This month’s security update provides patches for several major pieces of software, including Microsoft Office, SharePoint and Windows’ wireless networking. For a full rundown of these CVEs, head to Microsoft’s security update page.
Talos also released a new set of SNORT® rules that provide coverage for some of these vulnerabilitie
Zscaler
Zscaler patched IE & MS Windows Vulnerabilities | 05-12-2021
blogs_zscaler·CVSS 7.5
[HIGH] Zscaler patched IE & MS Windows Vulnerabilities | 05-12-2021
Crowdstrike
May 2021 Patch Tuesday: Updates and Analysis
blogs_crowdstrike·CVSS 7.5
CVE-2026-20929 [HIGH] May 2021 Patch Tuesday: Updates and Analysis
Published: 2021-05-11