Miggo Logo
Miggo Vulnerability Database
CVE-2016-3259

CVE-2016-3259:
ChakraCore RCE Vulnerability

8.8

CVSS Score
3.0

Basic Information

CVE ID
CVE-2016-3259
GHSA ID
GHSA-wm27-49x2-mg9q
EPSS Score
0.96142%
CWE
CWE-119
Published
5/14/2022
Updated
11/2/2023
KEV Status
No
Technology
TechnologyC#

Technical Details

CVSS Vector
CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H
Package NameEcosystemVulnerable VersionsFirst Patched Version
Microsoft.ChakraCorenuget< 1.2.0.01.2.0.0

Vulnerability Intelligence
Miggo AIMiggo AI

Miggo AIRoot Cause Analysis

The vulnerability stemmed from three key issues: 1) Storing interpreter function pointers in heap memory (InterpreterThunkEmitter), allowing CFG bypass via memory corruption. 2) Type confusion in array operations due to unchecked DirectSetItemAt usage. 3) Memory handling flaws in ArrayBuffer.transfer. The commit diff shows direct modifications to these functions to add safety checks (boolean flags instead of pointers, type validation, and memory zeroing), confirming their role in the vulnerability. The CVE description and Microsoft's advisory explicitly reference these memory corruption vectors in scripting engines.

Vulnerable functions

Only Mi**o us*rs **n s** t*is s**tion

WAF Protection Rules

WAF Rule

T** Mi*roso*t (*) JS*ript *, (*) V*S*ript, *n* (*) ***kr* J*v*S*ript *n*in*s, *s us** in Mi*roso*t Int*rn*t *xplor*r * t*rou** **, Mi*roso*t ****, *n* ot**r pro*u*ts, *llow r*mot* *tt**k*rs to *x**ut* *r*itr*ry *o** or **us* * **ni*l o* s*rvi** (m*mo

Reasoning

T** vuln*r**ility st*mm** *rom t*r** k*y issu*s: *) Storin* int*rpr*t*r `*un*tion` point*rs in ***p m*mory (`Int*rpr*t*rT*unk*mitt*r`), *llowin* *** *yp*ss vi* m*mory *orruption. *) Typ* *on*usion in *rr*y op*r*tions *u* to un****k** `*ir**tS*tIt*m*t