CVE-2017-0037 — Microsoft Edge and Internet Explorer Type Confusion Vulnerability

Microsoft Edge / Internet Explorer — mshtml.dll Type Confusion Enables Remote Code Execution via Malicious Web Page; Patched MS17-007 (March 2017)

What Are Microsoft Edge and Internet Explorer?

Microsoft Edge (legacy EdgeHTML-based) and Internet Explorer are Microsoft's Windows web browsers. Both browsers use the mshtml.dll rendering engine (Trident) for HTML/CSS parsing and layout, and both execute JavaScript via their respective engines (Chakra for Edge, JScript for IE). The mshtml.dll rendering engine — shared between IE and legacy Edge — has been a persistent source of type confusion and memory corruption vulnerabilities due to the complexity of processing HTML, CSS, JavaScript DOM interactions, and the legacy compatibility requirements of a codebase that has evolved for decades.

Overview

Actively Exploited. This vulnerability was added to CISA's Known Exploited Vulnerabilities (KEV) Catalog on March 28, 2022. Federal agencies are required to apply mitigations per BOD 22-01.

CVE-2017-0037 is a type confusion vulnerability in the mshtml.dll rendering engine shared by Microsoft Edge and Internet Explorer that allows remote code execution when a user visits a malicious web page. The mshtml.dll engine maintains internal type information about DOM objects; this vulnerability allows a specially crafted HTML/script combination to cause the engine to access a DOM object using incorrect type semantics, enabling arbitrary read/write in the browser process and code execution. Patched in MS17-007 (March 14, 2017). CISA added CVE-2017-0037 to the KEV catalog in March 2022.

Affected Versions

Software | Status
Internet Explorer 11 on Windows (pre-March 2017) | Vulnerable
Microsoft Edge on Windows 10 (pre-March 2017) | Vulnerable
Both with MS17-007 / March 2017 cumulative update | Fixed

Technical Details

Root Cause: mshtml.dll Type Confusion

CVE-2017-0037 is a type confusion vulnerability (CWE-843) in mshtml.dll — the rendering engine that processes HTML documents and exposes the DOM to JavaScript in Internet Explorer and legacy Edge. The rendering engine manages many internal object types for DOM elements (HTMLElement, HTMLInputElement, HTMLAnchorElement, etc.) and maintains type metadata used for type-safe method dispatch and property access.

Type confusion mechanism: A type confusion vulnerability in a rendering engine occurs when the engine treats a DOM object as a different type than it actually is:

  1. Attacker crafts a web page — specific HTML/JavaScript interactions cause the rendering engine to maintain inconsistent type information for a DOM object
  2. Type metadata is corrupted or inconsistent — the rendering engine stores a reference to the object with incorrect type information
  3. Wrong-type access — when the object is accessed as the wrong type, method dispatch or property access interprets the object's data fields according to the wrong type layout
  4. Read/write primitive — this type mismatch provides an attacker with the ability to read/write memory at attacker-controlled offsets from the object base address
  5. Code execution — the read/write primitive is used to overwrite a function pointer or code pointer within the browser process, redirecting execution
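
Steps 2 and 3 in miniature, next to the tag check that prevents them, as an added example (not code from the original page or from Microsoft). The node layouts, field names and sample value are hypothetical and do not reflect mshtml.dll's real structures.

```c
#include <stdint.h>
#include <stddef.h>
#include <stdio.h>

/* Toy object model (hypothetical; not mshtml.dll's real layout). Each node
 * carries a type tag, and the field after it means different things per type. */
typedef enum { NODE_INPUT = 1, NODE_ANCHOR = 2 } NodeType;
typedef struct { NodeType type; uint32_t max_length;   } InputNode;  /* page-supplied number */
typedef struct { NodeType type; uint32_t handler_slot; } AnchorNode; /* index used for dispatch */
typedef union  { NodeType type; InputNode input; AnchorNode anchor; } Node;

Node make_input(uint32_t max_length) {
    Node n = {0};
    n.input.type = NODE_INPUT;
    n.input.max_length = max_length;
    return n;
}

Node make_anchor(uint32_t slot) {
    Node n = {0};
    n.anchor.type = NODE_ANCHOR;
    n.anchor.handler_slot = slot;
    return n;
}

/* Confused access: trusts the caller's belief about the type and never looks
 * at the tag, so an InputNode's bytes are read through AnchorNode's layout. */
static const AnchorNode *as_anchor_unchecked(const Node *n) { return &n->anchor; }

/* Hardened access: the tag is validated at the point where the object is used. */
static const AnchorNode *as_anchor_checked(const Node *n) {
    return (n->type == NODE_ANCHOR) ? &n->anchor : NULL;
}

uint32_t slot_unchecked(Node n) { return as_anchor_unchecked(&n)->handler_slot; }

/* Returns the dispatch slot, or -1 when the node is not an anchor. */
int64_t slot_checked(Node n) {
    const AnchorNode *a = as_anchor_checked(&n);
    return a ? (int64_t)a->handler_slot : -1;
}

int main(void) {
    Node in = make_input(0x11223344u);   /* constructed sample value */
    printf("unchecked: 0x%x  checked: %lld\n",
           (unsigned)slot_unchecked(in), (long long)slot_checked(in));
    return 0;
}
```

In the unchecked path the input element's page-supplied number comes back as a dispatch slot; the checked path rejects the node before any field is interpreted.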

AC:H — High Complexity

The CVSS AC:H (Attack Complexity: High) indicates exploitation requires specific conditions beyond simply visiting a malicious page — likely specific browser version or state, a particular scripting interaction sequence, or a race condition in the rendering engine. Despite AC:H, the vulnerability was observed in active exploitation, indicating reliable exploitation is achievable with sufficient engineering.
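
To show how much AC:H lowers the rating, this added example (not from the original page) computes the CVSS 3.1 base score for the page's vector and for the same vector with AC:L, using the weights and Roundup rule of the FIRST CVSS 3.1 specification. It handles Scope:Unchanged vectors only, and the function names are this example's own.

```c
#include <stdio.h>
#include <string.h>

/* Return the one-letter value of a metric ("AV", "C", ...) or 0 if absent. */
static char metric_value(const char *vec, const char *metric) {
    char key[8];
    snprintf(key, sizeof key, "/%s:", metric);
    const char *p = strstr(vec, key);
    return p ? p[strlen(key)] : 0;
}

/* CVSS 3.1 base-metric weights for Scope:Unchanged; -1 for an unknown value. */
static double weight(const char *m, char v) {
    if (!strcmp(m, "AV")) return v=='N' ? 0.85 : v=='A' ? 0.62 : v=='L' ? 0.55 : v=='P' ? 0.20 : -1;
    if (!strcmp(m, "AC")) return v=='L' ? 0.77 : v=='H' ? 0.44 : -1;
    if (!strcmp(m, "PR")) return v=='N' ? 0.85 : v=='L' ? 0.62 : v=='H' ? 0.27 : -1;
    if (!strcmp(m, "UI")) return v=='N' ? 0.85 : v=='R' ? 0.62 : -1;
    return v=='H' ? 0.56 : v=='L' ? 0.22 : v=='N' ? 0.0 : -1;   /* C, I, A */
}

/* Base score in tenths (81 == 8.1); -1 if malformed or Scope is not Unchanged. */
int cvss31_base_x10(const char *vec) {
    static const char *names[] = {"AV", "AC", "PR", "UI", "C", "I", "A"};
    double w[7];
    if (strncmp(vec, "CVSS:3.1/", 9) != 0 || metric_value(vec, "S") != 'U') return -1;
    for (int i = 0; i < 7; i++)
        if ((w[i] = weight(names[i], metric_value(vec, names[i]))) < 0) return -1;
    double iss = 1.0 - (1.0 - w[4]) * (1.0 - w[5]) * (1.0 - w[6]);
    double impact = 6.42 * iss;
    double exploitability = 8.22 * w[0] * w[1] * w[2] * w[3];
    if (impact <= 0) return 0;
    double base = impact + exploitability;
    if (base > 10.0) base = 10.0;
    long scaled = (long)(base * 100000.0 + 0.5);          /* the spec's Roundup() */
    return (int)(scaled % 10000 == 0 ? scaled / 10000 : scaled / 10000 + 1);
}

int main(void) {
    const char *page = "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H"; /* vector from this page */
    const char *easy = "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H"; /* same, AC:L (constructed) */
    printf("AC:H %d  AC:L %d (tenths)\n", cvss31_base_x10(page), cvss31_base_x10(easy));
    return 0;
}
```

The page's vector scores 8.1, while the same vector with AC:L would score 9.8, so the complexity metric alone accounts for the difference between a High and a Critical rating.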

Attack Characteristics

Attribute | Detail
Attack Vector | Network — malicious web page in IE or Edge
User Interaction | None required (AC:H, UI:N)
Authentication | None required
Affected Component | mshtml.dll (shared IE/Edge rendering engine)
Impact | Remote code execution in browser process

Discovery

Disclosed by an external researcher via coordinated disclosure; patched in MS17-007 (March 2017 Patch Tuesday) alongside other Edge and Internet Explorer scripting engine vulnerabilities.

Exploitation Context

  • mshtml.dll as recurring target: The mshtml.dll rendering engine, used by both IE and legacy Edge, has been one of the most exploited Windows components for browser-based code execution; its legacy codebase, complex object type system, and compatibility requirements create a large attack surface
  • Exploit kit incorporation: mshtml.dll type confusion vulnerabilities were systematically incorporated into exploit kits for drive-by malware delivery; RIG and Magnitude exploit kits updated to include MS17-007-fixed vulnerabilities rapidly after disclosure
  • Enterprise IE exposure: Internet Explorer remained widely deployed in enterprise environments for intranet compatibility through 2017; CVE-2017-0037 was exploitable against enterprise users forced to use IE for internal web applications
  • CISA KEV (2022): Added March 2022 reflecting documented exploitation of this mshtml.dll type confusion in active attack campaigns

Remediation

CISA BOD 22-01 Deadline: April 18, 2022. Apply mitigations per vendor instructions, follow applicable BOD 22-01 guidance for cloud services, or discontinue use of the product if mitigations are unavailable.

  1. Apply MS17-007 — install the March 2017 Edge/Internet Explorer security update via Windows Update or WSUS. All subsequent Windows cumulative updates include this fix.

  2. Migrate from Internet Explorer — Microsoft ended Internet Explorer 11 desktop support on June 15, 2022; migrate to Microsoft Edge (Chromium), Chrome, or Firefox to eliminate the legacy mshtml.dll attack surface.

  3. Migrate from legacy Edge (EdgeHTML) — the legacy EdgeHTML-based Edge was replaced by Chromium-based Edge in 2020; update to current Chromium-based Edge for a modern, actively maintained browser.

  4. Keep Windows fully updated — cumulative updates include all prior IE/Edge security patches.

Key Details

Property | Value
CVE ID | CVE-2017-0037
Vendor / Product | Microsoft — Edge and Internet Explorer
NVD Published | 2017-02-26
NVD Last Modified | 2025-10-22
CVSS 3.1 Score | 8.1
CVSS 3.1 Vector | CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H
Severity | HIGH
CWE | CWE-843 — Access of Resource Using Incompatible Type ('Type Confusion')
CISA KEV Added | 2022-03-28
CISA KEV Deadline | 2022-04-18
Known Ransomware Use | No

CVSS 3.1 Breakdown

Attack Vector: Network
Attack Complexity: High
Privileges Required: None
User Interaction: None
Scope: Unchanged
Confidentiality: High
Integrity: High
Availability: High

Required Action

CISA BOD 22-01 Deadline: 2022-04-18. Apply updates per vendor instructions.

Timeline

Date | Event
2017-02-26 | CVE-2017-0037 published by NVD (before patch, reflecting prior coordinated disclosure)
2017-03-14 | Microsoft releases MS17-007 patching CVE-2017-0037 (Edge/IE type confusion in mshtml.dll)
2022-03-28 | Added to CISA Known Exploited Vulnerabilities catalog
2022-04-18 | CISA BOD 22-01 remediation deadline