CVE-2016-7200
Published: 10 November 2016
Summary
CVE-2016-7200 is a high-severity Out-of-bounds Write (CWE-787) vulnerability in Microsoft Edge. Its CVSS base score is 8.8 (High).
Operationally, it is ranked in the top 0.5% of CVEs by exploit likelihood, CISA has added it to the Known Exploited Vulnerabilities catalog, and a public proof-of-concept is referenced.
The strongest mitigations our analysis identified are NIST 800-53 SI-16 (Memory Protection) and SI-2 (Flaw Remediation).
Deeper analysis
The vulnerability is a memory corruption issue, specifically an out-of-bounds write (CWE-787), in the Chakra JavaScript scripting engine used by Microsoft Edge. It is tracked as CVE-2016-7200 with a CVSS score of 8.8 and was disclosed on November 10, 2016. It is distinct from several related scripting engine flaws disclosed in the same period.
Remote attackers can exploit the flaw by serving a crafted website to a victim; successful exploitation allows arbitrary code execution or a denial of service condition. The attack requires no special privileges but does depend on user interaction such as visiting the malicious page in Edge.
Microsoft addressed the issue in security bulletin MS16-129, which provides patches and mitigation guidance for affected Edge installations. Public references also include exploit artifacts and proof-of-concept material on sites such as Packet Storm and a dedicated GitHub repository, indicating the vulnerability received technical analysis shortly after disclosure.
EU & UK References
- 🇪🇺 ENISA EUVD: EUVD-2022-2667
Vulnerability details
The Chakra JavaScript scripting engine in Microsoft Edge allows remote attackers to execute arbitrary code or cause a denial of service (memory corruption) via a crafted web site, aka "Scripting Engine Memory Corruption Vulnerability," a different vulnerability than CVE-2016-7201, CVE-2016-7202, CVE-2016-7203, CVE-2016-7208, CVE-2016-7240, CVE-2016-7242, and CVE-2016-7243.
- CWE(s)
- KEV Date Added: 28 March 2022
Related Threats
No named actor attribution yet. ATT&CK technique mapping in progress for this CVE.
Affected Assets
Mitigating Controls
Mitigating Controls (NIST 800-53 r5)
SI-2 (Flaw Remediation): Directly requires timely application of the MS16-129 patch that eliminates the out-of-bounds write in Chakra.
SI-16 (Memory Protection): Mandates memory-protection techniques (DEP, ASLR, etc.) that block exploitation of the memory-corruption flaw before arbitrary code executes.
Allows definition of usage restrictions and controls on mobile code (JavaScript) that can reduce or block exposure to the crafted web-site attack vector.