CVE-2016-3248: ChakraCore RCE Vulnerability

CVSS Score: 8.8 (CVSS 3.0)

Basic Information

EPSS Score: 0.95927%
Published: 5/14/2022
Updated: 11/2/2023
KEV Status: No
Technology: C#

Technical Details

CVSS Vector: CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H

Package Name: Microsoft.ChakraCore
Ecosystem: nuget
Vulnerable Versions: <= 1.2.0
First Patched Version: (none listed)

Vulnerability Intelligence
Miggo AI Root Cause Analysis

The vulnerability (CVE-2016-3248) is a memory corruption issue in ChakraCore's JavaScript engine, classified under CWE-119. Microsoft's advisories explicitly state that the root cause lies in improper memory handling during object operations. The `Recycler` (garbage collector) and array element assignment functions are core components where memory safety violations commonly occur in scripting engines. The high confidence stems from: (1) historical precedent for Recycler-related CVEs in ChakraCore, (2) `OP_SetElementI`'s direct role in memory writes for array operations, and (3) the vulnerability's alignment with typical bounds-checking failures in dynamic language runtimes.
