CVE-2021-26411 — Microsoft Internet Explorer Memory Corruption Vulnerability

Internet Explorer MSHTML — Use-After-Free Zero-Day Exploited by North Korean Lazarus Group to Target Security Researchers; March 2021 Patch Tuesday

What is Internet Explorer MSHTML?

Internet Explorer (IE) and the MSHTML (Trident) rendering engine have been embedded in Windows since the 1990s. Even as IE was deprecated (support ended June 2022), MSHTML remained installed on all Windows systems and was used by many Windows components, applications, and legacy enterprise software that embed the WebBrowser control. MSHTML processes HTML, JavaScript, and web content through jscript.dll, VBScript.dll, and related components. Memory corruption vulnerabilities in MSHTML allow attackers who can get users to open a malicious webpage or document to execute code in the browser's context — a reliable phishing and watering hole attack vector against Windows users.

Overview

CVE-2021-26411 is a use-after-free memory corruption vulnerability (CWE-416) in Internet Explorer's MSHTML rendering engine. It was exploited as a zero-day by North Korean state-sponsored threat actors (Lazarus Group / HIDDEN COBRA) in a sophisticated campaign targeting security researchers. The attackers created fake social media personas posing as security researchers, established rapport with real researchers, shared a malicious blog link, and exploited CVE-2021-26411 when the link was opened in Internet Explorer or in Windows applications that embed MSHTML, delivering a custom backdoor. Microsoft patched the vulnerability in the March 2021 Patch Tuesday release. CISA added it to the KEV catalog in November 2021.

Affected Versions

| Product | Vulnerable | Fixed |
| --- | --- | --- |
| Internet Explorer 11 on Windows 7-11 | Yes | March 2021 Patch Tuesday |
| Internet Explorer 11 on Windows Server 2008 R2 - 2022 | Yes | March 2021 Patch Tuesday |
| Applications using MSHTML (WebBrowser control) | Yes | March 2021 Patch Tuesday |

Technical Details

  • Root cause: Use-after-free (CWE-416) in MSHTML — the IE rendering engine accesses a DOM object or HTML element after it has been freed; attacker-controlled JavaScript or HTML manipulates the IE object lifecycle to trigger the UAF, corrupting memory in the browser process
  • Code execution via memory corruption: The UAF provides a heap corruption primitive; by controlling the freed memory's contents through script, the attacker achieves type confusion and ultimately code execution in the Internet Explorer process
  • Scope: Changed (S:C): the CVSS Scope: Changed metric indicates that a successful exploit affects resources beyond the vulnerable component's own security scope. Here it reflects either that the IE sandbox (Protected Mode) is a security boundary that can be bypassed, or that MSHTML code execution reaches resources outside the browser's normal scope, consistent with IE's weaker isolation compared to modern browsers
  • Lazarus Group targeting: North Korea's Lazarus APT constructed elaborate fake personas on Twitter and LinkedIn, built relationships with cybersecurity researchers over weeks, then shared a blog URL containing the CVE-2021-26411 exploit — when clicked in IE or IE-based applications, the exploit ran a custom backdoor without any further interaction
  • Security researcher targeting significance: Targeting security researchers specifically aimed to steal their unpublished vulnerability research, exploit code, and other offensive security resources — giving North Korea access to additional zero-day capabilities discovered by the targeted researchers

Discovery

Google TAG published a report on January 25, 2021 documenting the North Korean targeting of security researchers using a browser zero-day — which was later confirmed to be CVE-2021-26411. Microsoft patched the vulnerability in March 2021 Patch Tuesday after Google TAG's disclosure.

Exploitation Context

The Lazarus Group security researcher campaign was notable for its sophisticated social engineering: fake researcher personas built credibility over weeks before delivering the exploit. The campaign targeted the global security research community; researchers who discover vulnerabilities in operating systems and browsers are among the most valuable intelligence targets for a state actor seeking to build offensive cyber capabilities. CVE-2021-26411 provided code execution against IE/MSHTML users, a population that remained large despite IE's deprecated status because many Windows applications embed MSHTML. The Known Ransomware Use flag reflects that MSHTML memory corruption vulnerabilities, once broadly available, were incorporated into ransomware delivery chains.

Remediation

  1. Apply March 2021 Patch Tuesday updates — patches CVE-2021-26411 in Internet Explorer/MSHTML
  2. Disable Internet Explorer: On Windows 10 and later, disable IE via Windows Features (optionalfeatures.exe → uncheck Internet Explorer 11); note that disabling IE does not remove MSHTML, which still requires patching
  3. Ensure IE is not the default browser for any application: configure Group Policy so that web content is never opened in Internet Explorer
  4. Patch MSHTML by keeping Windows fully updated: MSHTML is patched via Windows Update even after IE is disabled
  5. Block IE and MSHTML-based WebBrowser control usage via Application Control policies (AppLocker, WDAC) where possible
  6. Be alert to social engineering targeting security professionals: verify the identity of new contacts claiming to be security researchers before visiting links they share, particularly in Internet Explorer
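As an added defender-side check (not part of the original advisory), the following PowerShell audit verifies remediation steps 2 and 4 on a host: it reports whether the IE 11 optional feature is disabled, the installed mshtml.dll version (which still needs patching when IE is disabled), and which running processes currently have MSHTML loaded through an embedded WebBrowser control. The feature name Internet-Explorer-Optional-amd64 and the cmdlets used are standard Windows 10/11 ones; the patched-version threshold is a placeholder to be taken from the vendor KB article for your build, since the advisory does not list it.

```powershell
# Added example, not from the original advisory. Run elevated on Windows 10/11.
# PLACEHOLDER: the first patched mshtml.dll build for your OS comes from the
# March 2021 KB article; leaving 0.0.0.0 makes the patch status report "Unknown".
$PatchedMshtmlVersion = [version]'0.0.0.0'

function Get-IeFeatureState {
    # 'Internet-Explorer-Optional-amd64' is the Windows 10/11 optional feature
    # that remediation step 2 unchecks in optionalfeatures.exe.
    $f = Get-WindowsOptionalFeature -Online -FeatureName 'Internet-Explorer-Optional-amd64' -ErrorAction SilentlyContinue
    if ($null -eq $f) { return 'NotPresent' }
    return $f.State.ToString()          # Enabled / Disabled
}

function Get-MshtmlVersion {
    # Disabling IE does not remove MSHTML; the DLL stays on disk and must be patched.
    $path = Join-Path $env:SystemRoot 'System32\mshtml.dll'
    if (-not (Test-Path $path)) { return $null }
    $vi = (Get-Item $path).VersionInfo
    [version]::new($vi.FileMajorPart, $vi.FileMinorPart, $vi.FileBuildPart, $vi.FilePrivatePart)
}

function Get-MshtmlHosts {
    # Processes with mshtml.dll mapped: embedded WebBrowser controls remain
    # exposed even after IE itself is disabled. Module enumeration is denied for
    # some protected processes, so an access error is treated as "not observed".
    Get-Process -ErrorAction SilentlyContinue | Where-Object {
        try { $_.Modules.ModuleName -contains 'mshtml.dll' } catch { $false }
    } | Select-Object Id, ProcessName, Path
}

$version = Get-MshtmlVersion
$patched = if ($null -eq $version) { 'NoMshtml' }
           elseif ($PatchedMshtmlVersion -eq [version]'0.0.0.0') { 'Unknown (set threshold)' }
           elseif ($version -ge $PatchedMshtmlVersion) { 'Yes' }
           else { 'No' }

# One summary object per host; pipe to Export-Csv when collecting across a fleet.
[pscustomobject]@{
    ComputerName         = $env:COMPUTERNAME
    IeFeatureState       = Get-IeFeatureState
    MshtmlVersion        = $version
    MshtmlPatched        = $patched
    ProcessesUsingMshtml = (Get-MshtmlHosts | ForEach-Object { "$($_.ProcessName) (PID $($_.Id))" }) -join ', '
} | Format-List
```

A host that reports IeFeatureState Disabled but MshtmlPatched No is still exposed through every process listed under ProcessesUsingMshtml.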

Key Details

| Property | Value |
| --- | --- |
| CVE ID | CVE-2021-26411 |
| Vendor / Product | Microsoft — Internet Explorer |
| NVD Published | 2021-03-11 |
| NVD Last Modified | 2025-10-30 |
| CVSS 3.1 Score | 8.8 |
| CVSS 3.1 Vector | CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:H/A:L |
| Severity | HIGH |
| CWE | CWE-416 |
| CISA KEV Added | 2021-11-03 |
| CISA KEV Deadline | 2021-11-17 |
| Known Ransomware Use | Yes |

CVSS 3.1 Breakdown

| Metric | Value |
| --- | --- |
| Attack Vector | Network |
| Attack Complexity | Low |
| Privileges Required | None |
| User Interaction | Required |
| Scope | Changed |
| Confidentiality | Low |
| Integrity | High |
| Availability | Low |

Required Action

CISA BOD 22-01 Deadline: 2021-11-17. Apply updates per vendor instructions.

Timeline

| Date | Event |
| --- | --- |
| 2021-01-25 | Google TAG reports North Korean threat actors (Lazarus Group) targeting security researchers via fake social media personas; visiting a specially crafted blog triggers a Chrome/IE zero-day |
| 2021-03-09 | Microsoft patches CVE-2021-26411 in March 2021 Patch Tuesday; confirmed as the exploited zero-day in the Lazarus security researcher targeting campaign |
| 2021-03-11 | CVE published |
| 2021-11-03 | Added to CISA Known Exploited Vulnerabilities catalog |
| 2021-11-17 | CISA BOD 22-01 remediation deadline |