CVE-2021-33742

ENISA EUVD: EUVD-2021-20419 ↗

Exploited in the Wild ✓ Confirmed 0-Day ★ Google Project Zero

Triaged: March 5, 2026 7 articles Published: 2021-06-08

VulnLookup ↗ NVD ↗ EUVD ↗ MITRE ↗ Advisory ↗ P0 Sheet ↗ CISA KEV ↗

EPSS Score

Source: FIRST.org · 2026-05-23

72.12%

probability

This CVE has a 72.12% probability of being exploited in the next 30 days.

0% Top 98.8th percentile of all CVEs 100%

CVSS v3.1

Source: VulnerabilityLookup (CIRCL)

7.5

HIGH

Attack Vector

Network

Attack Complexity

High

Privileges Required

None

User Interaction

Required

Scope

Unchanged

Confidentiality

High

Integrity

High

Availability

High

Temporal

Exploit Code Maturity

Functional

Remediation Level

Official Fix

Report Confidence

Confirmed

CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:U/C:H/I:H/A:H/E:F/RL:O/RC:C

CVSS v2 (legacy)

6.8

MEDIUM

Access Vector

Network

Access Complexity

Medium

Authentication

None

Confidentiality

Partial

Integrity

Partial

Availability

Partial

AV:N/AC:M/Au:N/C:P/I:P/A:P

Description

NVD

Windows MSHTML Platform Remote Code Execution Vulnerability

Affected Products

Microsoft

Windows 10 Version 1809

10.0.0

Microsoft

Windows Server 2019

10.0.0

Microsoft

Windows 10 Version 1909

10.0.0

Microsoft

Windows 10 Version 21H1

10.0.0

Microsoft

Windows 10 Version 2004

10.0.0

microsoft

windows 10 1507

microsoft

windows 10 1607

microsoft

windows 10 1809

microsoft

windows 10 1909

microsoft

windows 10 2004

Microsoft

Windows 10 Version 1809

10.0.0 <10.0.17763.1999

Microsoft

Windows Server 2012 R2

6.3.0 <1.0.0.0

Microsoft

Windows 10 Version 1507

10.0.0 <10.0.10240.18967

Microsoft

Windows Server 2008 Service Pack 2

6.0.0 <publication

Microsoft

Windows Server 2019

10.0.0 <10.0.17763.1999

Microsoft

Windows 7

6.1.0 <6.1.7601.25632

Microsoft

Windows Server 2008 Service Pack 2

6.0.0 <publication

Microsoft

Windows Server 2008 R2 Service Pack 1

6.1.0 <publication

Microsoft

Windows 10 Version 1607

10.0.0 <10.0.14393.4467

Microsoft

Windows Server 2012

6.2.0 <1.0.0.0

Microsoft

Windows 8.1

6.3.0 <1.0.0.0

Microsoft

Windows Server 2016

10.0.0 <10.0.14393.4467

Microsoft

Windows 7

6.1.0 <publication

Microsoft

Windows 10 Version 2004

10.0.0 <10.0.19041.1052

Microsoft

Windows 7 Service Pack 1

6.1.0 <publication

Microsoft

Windows 8.1

6.3.0 <6.3.9600.20045

Microsoft

Windows Server 2008 Service Pack 2

6.0.0 <6.0.6003.21137

Microsoft

Windows 10 Version 20H2

10.0.0 <10.0.19042.1052

Microsoft

Windows Server 2012

6.2.0 <6.2.9200.23372

Microsoft

Windows 10 Version 1909

10.0.0 <10.0.18363.1621

Microsoft

Windows Server 2008 Service Pack 2

6.0.0 <6.0.6003.21137

Microsoft

Windows 7 Service Pack 1

6.1.0 <6.1.7601.25632

Microsoft

Windows 10 Version 21H1

10.0.0 <10.0.19043.1052

Microsoft

Windows Server 2012 R2

6.3.0 <6.3.9600.20045

Microsoft

Windows Server 2008 R2 Service Pack 1

6.1.0 <6.1.7601.25632

Attack Intelligence

CWE-118 · Incorrect Access of Indexable Resource ('Range Error') CWE-119 · Buffer Overflow CWE-664 · Improper Control of a Resource Through its Lifetime CWE-787 · Out-of-bounds Write

Google Project Zero

Discovered

June 3, 2021

Patched

June 8, 2021

Reported by

Clément Lecigne of Google’s Threat Analysis Group

Root Cause Analysis

https://googleprojectzero.github.io/0days-in-the-wild/0day-RCAs/2021/CVE-2021-33742.html

https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2021-33742

x_refsource_MISC

Signal Intelligence

Confidenceⓘ

95%

EPSS 72.12%

CVSS v3.1 7.5

Mentions 7

Last Seen Nov 12, 2021

CNA Information

CNA Assigner

microsoft

CNA Title

Windows MSHTML Platform Remote Code Execution Vulnerability

Analyst Note

Auto-imported from Google Project Zero — confirmed zero-day by definition.

Threat Actors 4

Kinsing

apt_group 🇷🇺 RU

Infy

apt_group Information theft and espionage 🇮🇷 IR

TeamTNT

apt_group 🇩🇪 DE

Tortoiseshell

apt_group Information theft and espionage 🇮🇷 IR

Triage Info

Decided atMar 05, 2026

Published DateJun 08, 2021