Cyber Resilience

CVE-2016-7201

HighCISA KEVActive ExploitationEUVD ExploitedPublic PoC

Published: 10 November 2016

Published
10 November 2016
Modified
22 April 2026
KEV Added
28 March 2022
Patch
CVSS Score v3.1 8.8 CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H
EPSS Score 0.8891 99.5th percentile
Risk Priority 91 60% EPSS · 20% KEV · 20% CVSS

Summary

CVE-2016-7201 is a high-severity Type Confusion (CWE-843) vulnerability in Microsoft Edge. Its CVSS base score is 8.8 (High).

Operationally, ranked in the top 0.5% of CVEs by exploit likelihood; CISA has added it to the Known Exploited Vulnerabilities catalog; a public proof-of-concept is referenced.

The strongest mitigations our analysis identified are NIST 800-53 SI-2 (Flaw Remediation) and SC-18 (Mobile Code).

Deeper analysis

The vulnerability is a memory corruption issue, tracked as CWE-843, in the Chakra JavaScript scripting engine used by Microsoft Edge. It affects the browser's handling of crafted web content and is distinct from several related scripting engine flaws disclosed at the same time.

Remote attackers can exploit the flaw by serving a malicious website that triggers the corruption when rendered in Edge. Successful exploitation yields arbitrary code execution in the context of the current user or a denial of service through memory corruption, with the CVSS vector reflecting network attack vector, low complexity, and required user interaction via page visitation.

Microsoft's security bulletin MS16-129 addresses the issue and supplies patches that resolve the vulnerability in supported Edge installations. Additional references, including public proof-of-concept material on GitHub and Packet Storm, confirm the availability of demonstration code for the type-confusion path.

The issue received an 8.8 CVSS score and was published in November 2016 alongside multiple other Chakra-related CVEs.

EU & UK References

Vulnerability details

The Chakra JavaScript scripting engine in Microsoft Edge allows remote attackers to execute arbitrary code or cause a denial of service (memory corruption) via a crafted web site, aka "Scripting Engine Memory Corruption Vulnerability," a different vulnerability than CVE-2016-7200, CVE-2016-7202,…

more

CVE-2016-7203, CVE-2016-7208, CVE-2016-7240, CVE-2016-7242, and CVE-2016-7243.

CWE(s)
KEV Date Added
28 March 2022

Related Threats

No named actor attribution yet. ATT&CK technique mapping in progress for this CVE.

Affected Assets

microsoft
edge
all versions

Mitigating Controls

Mitigating Controls (NIST 800-53 r5) AI

prevent

Directly requires timely installation of the vendor patch (MS16-129) that eliminates the Chakra type-confusion flaw before exploitation.

SC-18 Mobile Code partial match
prevent

Restricts or authorizes mobile code (JavaScript) execution in the browser, limiting the attack surface that delivers the crafted web content.

prevent

Enforces memory-protection mechanisms that can block or contain the memory-corruption primitive underlying the arbitrary-code-execution path.

References