8.8

CVSS Score

3.0

Basic Information

CVE ID

CVE-2016-3248

GHSA ID

GHSA-q6mv-8vh9-4ggj

EPSS Score

0.95927%

CWE

CWE-119

Published

5/14/2022

Updated

11/2/2023

KEV Status

Technology

Concerned about an active attack path?

Talk to our security experts and see Miggo in action.

Miggo Vulnerability Database

→

CVE-2016-3248

CVE-2016-3248: ChakraCore RCE Vulnerability

The Microsoft (1) JScript 9, (2) VBScript, and (3) Chakra JavaScript engines, as used in Microsoft Internet Explorer 9 through 11, Microsoft Edge, and other products, allow remote attackers to execute arbitrary code or cause a denial of service (memory corruption) via a crafted web site, aka "Scripting Engine Memory Corruption Vulnerability," a different vulnerability than CVE-2016-3259.

(GitHub Advisory)

8.8

CVSS Score

3.0

Basic Information

CVE ID

CVE-2016-3248

GHSA ID

GHSA-q6mv-8vh9-4ggj

EPSS Score

0.95927%

CWE

CWE-119

Published

5/14/2022

Updated

11/2/2023

KEV Status

Technology

Technical Details

CVSS Vector

CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H

Package Name	Ecosystem	Vulnerable Versions	First Patched Version
Microsoft.ChakraCore	nuget	<= 1.2.0

Vulnerability Intelligence
Miggo AI

Root Cause Analysis

The vulnerability (CVE-2016-3248) is a memory corruption issue in ChakraCore's JavaScript engine, classified under CWE-119. Microsoft's advisories explicitly state the root cause lies in improper memory handling during object operations. The Recycler (garbage collector) and array element assignment functions are core components where memory safety violations commonly occur in scripting engines. The high confidence stems from: (1) Historical precedent for Recycler-related CVEs in ChakraCore, (2) OP_SetElementI's direct role in memory writes for array operations, and (3) The vulnerability's alignment with typical bounds-checking failures in dynamic language runtimes.

Vulnerable functions

Only Mi**o us*rs **n s** t*is s**tion

WAF Protection Rules

WAF Rule

T** Mi*roso*t (*) JS*ript *, (*) V*S*ript, *n* (*) ***kr* J*v*S*ript *n*in*s, *s us** in Mi*roso*t Int*rn*t *xplor*r * t*rou** **, Mi*roso*t ****, *n* ot**r pro*u*ts, *llow r*mot* *tt**k*rs to *x**ut* *r*itr*ry *o** or **us* * **ni*l o* s*rvi** (m*mo

Reasoning

T** vuln*r**ility (*V*-****-****) is * m*mory *orruption issu* in ***kr**or*'s J*v*S*ript *n*in*, *l*ssi*i** un**r *W*-***. Mi*roso*t's **visori*s *xpli*itly st*t* t** root **us* li*s in improp*r m*mory **n*lin* *urin* o*j**t op*r*tions. T** `R**y*l*

8.8

Basic Information

Concerned about an active attack path?

CVE-2016-3248: ChakraCore RCE Vulnerability

8.8

Basic Information

Technical Details

Vulnerability IntelligenceMiggo AI

Root Cause Analysis

Vulnerable functions

WAF Protection Rules

WAF Rule

Reasoning

Vulnerability Intelligence
Miggo AI