Cyber Resilience

CVE-2016-7200

High · CISA KEV · Active Exploitation · EUVD Exploited · Public PoC

Published: 10 November 2016

Modified: 22 April 2026
KEV Added: 28 March 2022
Patch
CVSS Score v3.1: 8.8 (CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H)
EPSS Score: 0.8800 (99.5th percentile)
Risk Priority: 90 (60% EPSS · 20% KEV · 20% CVSS)

Summary

CVE-2016-7200 is a high-severity Out-of-bounds Write (CWE-787) vulnerability in Microsoft Edge. Its CVSS base score is 8.8 (High).

Operationally, it is ranked in the top 0.5% of CVEs by exploit likelihood, CISA has added it to the Known Exploited Vulnerabilities catalog, and a public proof-of-concept is referenced.

The strongest mitigations our analysis identified are NIST 800-53 SI-16 (Memory Protection) and SI-2 (Flaw Remediation).

Deeper analysis

The vulnerability is a memory corruption issue, specifically an out-of-bounds write (CWE-787), in the Chakra JavaScript scripting engine used by Microsoft Edge. It is tracked as CVE-2016-7200 with a CVSS score of 8.8 and was disclosed on November 10, 2016; it is distinct from several related scripting engine flaws from the same period.

Remote attackers can exploit the flaw by serving a crafted website to a victim; successful exploitation allows arbitrary code execution or a denial of service condition. The attack requires no special privileges but does depend on user interaction such as visiting the malicious page in Edge.

Microsoft addressed the issue in security bulletin MS16-129, which provides patches and mitigation guidance for affected Edge installations. Public references also include exploit artifacts and proof-of-concept material on sites such as Packet Storm and a dedicated GitHub repository, indicating the vulnerability received technical analysis shortly after disclosure.

Vulnerability details

The Chakra JavaScript scripting engine in Microsoft Edge allows remote attackers to execute arbitrary code or cause a denial of service (memory corruption) via a crafted web site, aka "Scripting Engine Memory Corruption Vulnerability," a different vulnerability than CVE-2016-7201, CVE-2016-7202, CVE-2016-7203, CVE-2016-7208, CVE-2016-7240, CVE-2016-7242, and CVE-2016-7243.

CWE(s)
KEV Date Added: 28 March 2022

Related Threats

No named actor attribution yet. ATT&CK technique mapping in progress for this CVE.

Affected Assets

microsoft · edge · all versions

Mitigating Controls (NIST 800-53 r5)

prevent: Directly requires timely application of the MS16-129 patch that eliminates the out-of-bounds write in Chakra.

prevent: Mandates memory-protection techniques (DEP, ASLR, etc.) that block exploitation of the memory-corruption flaw before arbitrary code executes.

SC-18 Mobile Code (partial match)
prevent: Allows definition of usage restrictions and controls on mobile code (JavaScript) that can reduce or block exposure to the crafted web-site attack vector.

References