CVE-2016-3248: ChakraCore RCE Vulnerability
CVSS Score: 8.8 (CVSS 3.0)
Basic Information
CVE ID:
GHSA ID:
EPSS Score: 0.95927%
CWE:
Published: 5/14/2022
Updated: 11/2/2023
KEV Status: No
Technology: C#
Technical Details
CVSS Vector: CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H
Package Name | Ecosystem | Vulnerable Versions | First Patched Version |
---|---|---|---|
Microsoft.ChakraCore | nuget | <= 1.2.0 | |
Vulnerability Intelligence
Miggo AI
Root Cause Analysis
The vulnerability (CVE-2016-3248) is a memory corruption issue in ChakraCore's JavaScript engine, classified under CWE-119. Microsoft's advisories explicitly state the root cause lies in improper memory handling during object operations. The `Recycler` (garbage collector) and array element assignment functions are core components where memory safety violations commonly occur in scripting engines. The high confidence stems from: (1) historical precedent for `Recycler`-related CVEs in ChakraCore, (2) `OP_SetElementI`'s direct role in memory writes for array operations, and (3) the vulnerability's alignment with typical bounds-checking failures in dynamic language runtimes.