What is Windows MSHTML?
MSHTML (also known as Trident) is the HTML rendering engine behind Internet Explorer. It ships as mshtml.dll on every Windows installation and is loaded by any application that hosts the WebBrowser control or otherwise renders HTML through the system engine: legacy line-of-business applications, document and email previewers, and Windows components that display HTML. Internet Explorer's deprecation did not remove it; the library stays on disk and in use. Because MSHTML is so widely present and parses attacker-controlled HTML, CSS, and JavaScript, it has been a persistent exploitation target: MSHTML vulnerabilities have been reached through web pages, Office documents, and email previews, any of which can make the engine render hostile content and hand the attacker code execution in the hosting process.
Overview
CVE-2021-33742 is an out-of-bounds write (CWE-787) in the Windows MSHTML platform that allows remote code execution. An attacker who can get a user to open specially crafted web content (user interaction required, UI:R) can trigger the out-of-bounds write in MSHTML and potentially gain code execution in the context of the process rendering that content. The CVSS attack complexity of High (AC:H) indicates that exploitation depends on conditions beyond the victim's click, such as a particular memory layout or target configuration. Microsoft fixed it in the June 2021 Patch Tuesday release (2021-06-08) and flagged it as exploited in the wild at the time of release. CISA included it in the first published version of the Known Exploited Vulnerabilities catalog on 2021-11-03.
Affected Versions
| Product | Vulnerable | Fixed |
|---|---|---|
| Windows 10 (all versions supported in June 2021) | Yes | June 2021 cumulative update (2021-06-08) |
| Windows 8.1 | Yes | June 2021 monthly rollup / security-only update (2021-06-08) |
| Windows Server 2016 / 2019 | Yes | June 2021 cumulative update (2021-06-08) |
| Windows 7 SP1 / Windows Server 2008 R2 SP1 (ESU only) | Yes | June 2021 monthly rollup / security-only update (2021-06-08) |
| Windows 11 / Windows Server 2022 | Not listed | Released after the fix (Server 2022 in August 2021, Windows 11 in October 2021) and shipped with patched code |
Technical Details
- Root cause: Out-of-bounds write (CWE-787) in MSHTML's HTML content processing — the MSHTML parser or rendering engine writes beyond the bounds of an allocated buffer when processing specially crafted HTML content, corrupting memory and potentially enabling arbitrary code execution
- Attack complexity (AC:H): High complexity indicates exploitation requires specific conditions — such as a particular memory layout, specific OS version or configuration, or multi-step attack requiring precise timing or additional attacker-controlled conditions
- Delivery vectors: the vulnerable code can be reached through (1) Internet Explorer navigation, (2) web content embedded in Office documents, (3) Windows applications that host the WebBrowser control, (4) HTML email bodies or previews in mail clients that render through the system engine, or (5) any other application that renders HTML with the system MSHTML library (mshtml.dll)
- User interaction required (UI:R): The victim must interact with attacker-controlled content — browse to a malicious page, open a document, or preview an email — to trigger the MSHTML rendering vulnerability
- MSHTML pattern: MSHTML has been exploited repeatedly; CVE-2021-40444, the Office-delivered MSHTML zero-day fixed in September 2021, followed this one within months. The engine's broad presence across Windows applications and its role parsing complex untrusted content keep it attractive to attackers
Discovery
Reported to Microsoft and fixed in the June 2021 Patch Tuesday release, with Microsoft's advisory noting that exploitation had already been detected. The 2021-11-03 CISA KEV date is the day BOD 22-01 was issued and the catalog first published; CVE-2021-33742 was part of that initial batch, so the date marks the catalog's creation, not a later discovery of exploitation five months after the patch.
Exploitation Context
MSHTML vulnerabilities are persistent targets because the attack surface spans the entire Windows ecosystem: any application that embeds a WebBrowser control or renders HTML using the system MSHTML library is potentially affected. Organizations that disabled Internet Explorer but did not patch MSHTML itself remain vulnerable through these indirect paths. Internet Explorer's deprecation and the move to Chromium-based browsers reduce but do not eliminate the exposure, which is why the fix has to be applied to the operating system rather than treated as a browser setting.
Remediation
- Apply June 2021 Patch Tuesday updates — patches the MSHTML vulnerability for all affected Windows versions
- Restrict the MSHTML-based WebBrowser control in applications that must keep it: Internet Explorer Feature Control keys (for example FEATURE_RESTRICT_FILEDOWNLOAD, set per host executable under HKLM\SOFTWARE\Microsoft\Internet Explorer\Main\FeatureControl) and IE security zone settings also govern the embedded engine. These limit what a compromised rendering can do; they do not fix the memory-safety bug
- Use Microsoft Edge or Chrome as the default browser: neither uses MSHTML for page rendering (Edge's IE mode is the exception and does load the engine)
- Disable Internet Explorer if not required: IE can be disabled via Windows Features on Windows 10 without removing MSHTML; patching is still required
- Block potentially malicious documents: configure Office to block web content in untrusted documents; use Protected View and Attack Surface Reduction rules in Microsoft Defender
- Apply all subsequent Patch Tuesday updates: Microsoft continued to fix MSHTML vulnerabilities throughout 2021, including the actively exploited CVE-2021-40444 in September 2021
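The steps above, and the delivery-vector list under Technical Details, come down to three questions an administrator actually has to answer on a host: is the June 2021 (or a later) update installed, which processes still load mshtml.dll through the WebBrowser control, and how are those hosts restricted. The following PowerShell is an added example and is not code from the original page or from Microsoft. It assumes an elevated session; the process names passed to the restriction function are hypothetical placeholders for your own WebBrowser-control hosts, and the "update installed on or after 2021-06-08" check is a heuristic that relies on Windows cumulative updates being cumulative.

```powershell
# Added example (not from the original page or Microsoft). Run elevated.
$PatchDate = Get-Date '2021-06-08'   # June 2021 Patch Tuesday

function Get-MshtmlState {
    # Report the system MSHTML binary and whether an update from the June 2021
    # release or later is installed. Heuristic: cumulative updates supersede
    # earlier ones, so any Security Update dated >= 2021-06-08 carries the fix.
    $dll = Get-Item "$env:windir\System32\mshtml.dll" -ErrorAction Stop
    $updates = @(Get-HotFix |
        Where-Object { $_.Description -match 'Update' -and $_.InstalledOn -ge $PatchDate } |
        Sort-Object InstalledOn -Descending)
    [pscustomobject]@{
        MshtmlVersion    = $dll.VersionInfo.FileVersion
        MshtmlLastWrite  = $dll.LastWriteTime
        NewestUpdate     = if ($updates.Count) { $updates[0].HotFixID } else { $null }
        NewestUpdateDate = if ($updates.Count) { $updates[0].InstalledOn } else { $null }
        LikelyPatched    = ($updates.Count -gt 0)
    }
}

function Get-MshtmlHostProcess {
    # Enumerate processes that currently have mshtml.dll loaded: these are the
    # WebBrowser-control hosts that stay exposed even after IE is disabled.
    # Module enumeration is denied for protected or other-session processes;
    # those are skipped silently rather than reported as clean.
    foreach ($p in Get-Process) {
        try {
            $m = $p.Modules | Where-Object { $_.ModuleName -ieq 'mshtml.dll' }
            if ($m) {
                [pscustomobject]@{ Name = $p.ProcessName; Id = $p.Id; Path = $p.Path; Mshtml = $m.FileName }
            }
        } catch { }
    }
}

function Set-WebBrowserControlRestriction {
    # Apply FEATURE_RESTRICT_FILEDOWNLOAD to the named host executables so the
    # embedded engine cannot download files. Feature controls are keyed per
    # process image name (DWORD 1 = enabled). 32-bit hosts on 64-bit Windows
    # read the WOW6432Node copy, so both keys are written.
    param([Parameter(Mandatory)][string[]]$ProcessName)
    $keys = @(
        'HKLM:\SOFTWARE\Microsoft\Internet Explorer\Main\FeatureControl\FEATURE_RESTRICT_FILEDOWNLOAD',
        'HKLM:\SOFTWARE\WOW6432Node\Microsoft\Internet Explorer\Main\FeatureControl\FEATURE_RESTRICT_FILEDOWNLOAD'
    )
    foreach ($key in $keys) {
        if (-not (Test-Path $key)) { New-Item -Path $key -Force | Out-Null }
        foreach ($name in $ProcessName) {
            New-ItemProperty -Path $key -Name $name -PropertyType DWord -Value 1 -Force | Out-Null
        }
        Get-ItemProperty -Path $key
    }
}

# --- usage ---
Get-MshtmlState | Format-List
Get-MshtmlHostProcess | Format-Table -AutoSize

# Hypothetical host executables; replace with the names reported above.
Set-WebBrowserControlRestriction -ProcessName 'legacyviewer.exe', 'reportclient.exe'

# Disable the IE shell (x64 feature name) without removing mshtml.dll ...
Disable-WindowsOptionalFeature -Online -FeatureName 'Internet-Explorer-Optional-amd64' -NoRestart
# ... and block Office from spawning child processes (Defender ASR rule
# "Block all Office applications from creating child processes").
Add-MpPreference -AttackSurfaceReductionRules_Ids 'D4F940AB-401B-4EFC-AADC-AD5F3C50688A' `
                 -AttackSurfaceReductionRules_Actions Enabled
```

Note that `LikelyPatched` is evidence, not proof: a host with a later update installed but an update that later failed and rolled back will still show the earlier KB. For a hard check, compare the mshtml.dll file version against the version shipped in your platform's June 2021 update as listed in Microsoft's advisory file tables.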
Key Details
| Property | Value |
|---|---|
| CVE ID | CVE-2021-33742 |
| Vendor / Product | Microsoft — Windows |
| NVD Published | 2021-06-08 |
| NVD Last Modified | 2025-10-29 |
| CVSS 3.1 Score | 7.5 |
| CVSS 3.1 Vector | CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:U/C:H/I:H/A:H |
| Severity | HIGH |
| CWE | CWE-787 (Out-of-bounds Write) |
| CISA KEV Added | 2021-11-03 |
| CISA KEV Deadline | 2021-11-17 |
| Known Ransomware Use | No |
CVSS 3.1 Breakdown
| Metric | Value |
|---|---|
| Attack Vector (AV) | Network (N) |
| Attack Complexity (AC) | High (H) |
| Privileges Required (PR) | None (N) |
| User Interaction (UI) | Required (R) |
| Scope (S) | Unchanged (U) |
| Confidentiality (C) | High (H) |
| Integrity (I) | High (H) |
| Availability (A) | High (H) |
| Base Score | 7.5 (High) |
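To see what the AC:H and UI:R metrics discussed under Technical Details cost in score, the base score can be recomputed from the vector string. The calculator below is an added example, not part of the original page; it implements the CVSS v3.1 base-score equations for scope-unchanged (S:U) vectors only, which is all this CVE needs, and the two variant vectors it scores are hypothetical relaxations of the page's vector.

```powershell
# Added example (not part of the original page): CVSS v3.1 base score for
# scope-unchanged vectors, used to reproduce the page's 7.5 and to show
# how the score moves when AC or UI is relaxed.

$Weights = @{
    AV = @{ N = 0.85; A = 0.62; L = 0.55; P = 0.2 }
    AC = @{ L = 0.77; H = 0.44 }
    PR = @{ N = 0.85; L = 0.62; H = 0.27 }   # S:U values of Privileges Required
    UI = @{ N = 0.85; R = 0.62 }
    C  = @{ H = 0.56; L = 0.22; N = 0.0 }
    I  = @{ H = 0.56; L = 0.22; N = 0.0 }
    A  = @{ H = 0.56; L = 0.22; N = 0.0 }
}

function Invoke-CvssRoundUp {
    # CVSS v3.1 Roundup(): smallest one-decimal value >= input, computed on
    # integers as the specification prescribes to avoid floating-point drift.
    param([double]$Value)
    $i = [int][math]::Round($Value * 100000, [System.MidpointRounding]::AwayFromZero)
    if ($i % 10000 -eq 0) { return $i / 100000.0 }
    return ([math]::Floor($i / 10000) + 1) / 10.0
}

function Get-CvssBaseScore {
    param([Parameter(Mandatory)][string]$Vector)
    if ($Vector -notmatch '^CVSS:3\.[01]/') { throw "Not a CVSS v3.x vector: $Vector" }
    $m = @{}
    foreach ($part in ($Vector -split '/' | Select-Object -Skip 1)) {
        $k, $v = $part -split ':', 2
        $m[$k] = $v
    }
    if ($m.S -ne 'U') { throw 'Only scope-unchanged (S:U) vectors are implemented here' }

    # ISS = 1 - (1-C)(1-I)(1-A); Impact = 6.42 * ISS for S:U
    $iss    = 1 - (1 - $Weights.C[$m.C]) * (1 - $Weights.I[$m.I]) * (1 - $Weights.A[$m.A])
    $impact = 6.42 * $iss
    # Exploitability = 8.22 * AV * AC * PR * UI
    $expl   = 8.22 * $Weights.AV[$m.AV] * $Weights.AC[$m.AC] * $Weights.PR[$m.PR] * $Weights.UI[$m.UI]
    # Base = Roundup(min(Impact + Exploitability, 10)), or 0 if Impact <= 0
    $base   = if ($impact -le 0) { 0.0 } else { Invoke-CvssRoundUp ([math]::Min($impact + $expl, 10.0)) }

    [pscustomobject]@{
        Vector         = $Vector
        Impact         = [math]::Round($impact, 2)
        Exploitability = [math]::Round($expl, 2)
        BaseScore      = $base
    }
}

# The page's vector, then hypothetical variants relaxing AC and UI.
$page = 'CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:U/C:H/I:H/A:H'
@(
    $page,
    ($page -replace 'AC:H', 'AC:L'),
    ($page -replace 'UI:R', 'UI:N')
) | ForEach-Object { Get-CvssBaseScore $_ } | Format-Table -AutoSize
```

The page's vector reproduces the 7.5 in the Key Details table; the impact sub-score is identical across all three rows, so the whole difference comes from exploitability. With AC:L instead of AC:H the same bug would score 8.8, which is why the High attack complexity matters when prioritising this CVE against other June 2021 fixes.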
Required Action
Apply updates per vendor instructions (the standard CISA KEV action): install the June 2021 or a later cumulative update on every affected Windows system, by the 2021-11-17 BOD 22-01 deadline for federal agencies.
Timeline
| Date | Event |
|---|---|
| 2021-06-08 | Microsoft patches CVE-2021-33742 in June 2021 Patch Tuesday |
| 2021-06-08 | CVE published |
| 2021-11-03 | Included in the initial CISA Known Exploited Vulnerabilities catalog, published the day BOD 22-01 was issued |
| 2021-11-17 | CISA BOD 22-01 remediation deadline |
References
| Resource | Type |
|---|---|
| Microsoft Security Advisory — CVE-2021-33742 | Vendor Advisory |
| NVD — CVE-2021-33742 | Vulnerability Database |
| CISA KEV Catalog Entry | US Government |