CVE-2016-7201
Published: 10 November 2016
Summary
CVE-2016-7201 is a high-severity Type Confusion (CWE-843) vulnerability in Microsoft Edge. Its CVSS base score is 8.8 (High).
Operationally, it is ranked in the top 0.5% of CVEs by exploit likelihood, CISA has added it to the Known Exploited Vulnerabilities catalog, and a public proof-of-concept is referenced.
The strongest mitigations our analysis identified are NIST 800-53 SI-2 (Flaw Remediation) and SC-18 (Mobile Code).
Deeper analysis
The vulnerability is a memory corruption issue, tracked as CWE-843, in the Chakra JavaScript scripting engine used by Microsoft Edge. It affects the browser's handling of crafted web content and is distinct from several related scripting engine flaws disclosed at the same time.
Remote attackers can exploit the flaw by serving a malicious website that triggers the corruption when rendered in Edge. Successful exploitation yields arbitrary code execution in the context of the current user or a denial of service through memory corruption, with the CVSS vector reflecting network attack vector, low complexity, and required user interaction via page visitation.
Microsoft's security bulletin MS16-129 addresses the issue and supplies patches that resolve the vulnerability in supported Edge installations. Additional references, including public proof-of-concept material on GitHub and Packet Storm, confirm the availability of demonstration code for the type-confusion path.
The issue received an 8.8 CVSS score and was published in November 2016 alongside multiple other Chakra-related CVEs.
EU & UK References
- 🇪🇺 ENISA EUVD: EUVD-2022-2363
Vulnerability details
The Chakra JavaScript scripting engine in Microsoft Edge allows remote attackers to execute arbitrary code or cause a denial of service (memory corruption) via a crafted web site, aka "Scripting Engine Memory Corruption Vulnerability," a different vulnerability than CVE-2016-7200, CVE-2016-7202, CVE-2016-7203, CVE-2016-7208, CVE-2016-7240, CVE-2016-7242, and CVE-2016-7243.
- CWE(s)
- KEV Date Added: 28 March 2022
Related Threats
No named actor attribution yet. ATT&CK technique mapping in progress for this CVE.
Affected Assets
Mitigating Controls (NIST 800-53 r5)
Directly requires timely installation of the vendor patch (MS16-129) that eliminates the Chakra type-confusion flaw before exploitation.
Restricts or authorizes mobile code (JavaScript) execution in the browser, limiting the attack surface that delivers the crafted web content.
Enforces memory-protection mechanisms that can block or contain the memory-corruption primitive underlying the arbitrary-code-execution path.