Miggo Logo
Miggo Vulnerability Database
CVE-2016-3382

CVE-2016-3382:
ChakraCore RCE Vulnerability

7.5

CVSS Score
3.0

Basic Information

CVE ID
CVE-2016-3382
GHSA ID
GHSA-92j2-gg59-4572
EPSS Score
0.95685%
CWE
CWE-119
Published
5/14/2022
Updated
11/2/2023
KEV Status
No
Technology
TechnologyC#

Technical Details

CVSS Vector
CVSS:3.0/AV:N/AC:H/PR:N/UI:R/S:U/C:H/I:H/A:H
Package NameEcosystemVulnerable VersionsFirst Patched Version
Microsoft.ChakraCorenuget< 1.2.11.2.1

Vulnerability Intelligence
Miggo AIMiggo AI

Miggo AIRoot Cause Analysis

The commit message explicitly identifies type confusion in JavascriptArray methods (join, indexOf, lastIndexOf, apply, map) through TemplatedGetItem usage. Diff changes show replacement with TryTemplatedGetItem to add validation. Encoder.cpp modifications adding CRC checks indicate prior missing memory integrity validation. GlobOpt.cpp fix reorders operations to prevent use-after-free. These match CWE-119 memory corruption patterns described in the vulnerability reports and are directly addressed in the security patches.

Vulnerable functions

Only Mi**o us*rs **n s** t*is s**tion

WAF Protection Rules

WAF Rule

T** s*riptin* *n*in*s in Mi*roso*t Int*rn*t *xplor*r * t*rou** ** *n* Mi*roso*t **** *llow r*mot* *tt**k*rs to *x**ut* *r*itr*ry *o** or **us* * **ni*l o* s*rvi** (m*mory *orruption) vi* * *r**t** w** sit*, *s **monstr*t** *y t** ***kr* J*v*S*ript *n

Reasoning

T** *ommit m*ss*** *xpli*itly i**nti*i*s typ* *on*usion in J*v*s*ript*rr*y m*t*o*s (join, in**xO*, l*stIn**xO*, *pply, m*p) t*rou** T*mpl*t****tIt*m us***. *i** ***n**s s*ow r*pl***m*nt wit* TryT*mpl*t****tIt*m to *** v*li**tion. *n*o**r.*pp mo*i*i**