CVE-2019-1140

8.8 HIGH

📋 TL;DR

This is a remote code execution vulnerability in Microsoft Edge's Chakra JavaScript engine that allows attackers to execute arbitrary code by tricking users into visiting malicious websites. It affects users running vulnerable versions of Microsoft Edge on Windows systems. Successful exploitation gives attackers the same privileges as the current user.

💻 Affected Systems

Products:
  • Microsoft Edge (HTML-based)
Versions: Versions prior to the August 2019 security update
Operating Systems: Windows 10, Windows Server 2016, Windows Server 2019
Default Config Vulnerable: ⚠️ Yes
Notes: Only affects the legacy EdgeHTML-based Microsoft Edge, not the newer Chromium-based Edge. Exploitation requires the user to visit a malicious website.

⚠️ Risk & Real-World Impact

🔴 Worst Case

Complete system compromise with administrative privileges, allowing installation of malware, data theft, and creation of new accounts.

🟠 Likely Case

Malware installation and data theft from the current user's account, potentially leading to credential harvesting and lateral movement.

🟢 If Mitigated

Limited impact due to browser sandboxing and user account restrictions, but still significant data exposure risk.

🌐 Internet-Facing: HIGH
🏢 Internal Only: MEDIUM

🎯 Exploit Status

Public PoC: ✅ No
Weaponized: LIKELY
Unauthenticated Exploit: ⚠️ Yes
Complexity: MEDIUM

Exploitation requires user interaction but no authentication. The flaw is a memory corruption vulnerability in the JavaScript engine.

🛠️ Fix & Mitigation

✅ Official Fix

Patch Version: August 2019 security update for Microsoft Edge

Vendor Advisory: https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2019-1140

Restart Required: Yes

Instructions:

1. Open Windows Update settings.
2. Check for updates.
3. Install August 2019 security updates.
4. Restart system if prompted.

🔧 Temporary Workarounds

Disable JavaScript (Windows)

Disable JavaScript in Microsoft Edge to prevent exploitation.

Use Application Guard (Windows)

Enable Microsoft Defender Application Guard for Edge to isolate browsing sessions.

🧯 If You Can't Patch

  • Switch to Chromium-based Microsoft Edge or alternative browsers
  • Implement network filtering to block known malicious websites and restrict internet access

🔍 How to Verify

Check if Vulnerable:

Check the Microsoft Edge version in Settings > About Microsoft Edge. If the version is from before August 2019, the system is vulnerable.

Check Version:

(Get-AppxPackage -Name Microsoft.MicrosoftEdge).Version

Verify Fix Applied:

Verify that Windows Update history shows the August 2019 security updates installed and that the Edge version is updated.

📡 Detection & Monitoring

Log Indicators:

  • Unusual process creation from Microsoft Edge
  • Suspicious network connections from browser process

Network Indicators:

  • Outbound connections to known malicious domains from browser
  • Unusual JavaScript execution patterns

SIEM Query:

Process Creation where ParentImage contains 'MicrosoftEdge' (MicrosoftEdge.exe or MicrosoftEdgeCP.exe) and CommandLine contains unusual patterns
