Miggo Logo
Miggo Vulnerability Database
CVE-2016-7190

CVE-2016-7190: ChakraCore RCE Vulnerability

7.5

CVSS Score
3.0

Basic Information

CVE ID
CVE-2016-7190
GHSA ID
GHSA-w4mj-xwvw-382f
EPSS Score
0.98964%
CWE
CWE-119
Published
5/14/2022
Updated
11/2/2023
KEV Status
No
Technology
TechnologyC#

Technical Details

CVSS Vector
CVSS:3.0/AV:N/AC:H/PR:N/UI:R/S:U/C:H/I:H/A:H
Package NameEcosystemVulnerable VersionsFirst Patched Version
Microsoft.ChakraCorenuget<= 1.2.1

Vulnerability Intelligence
Miggo AIMiggo AI

Miggo AIRoot Cause Analysis

The vulnerability stems from: (1) Type confusion in JavascriptArray methods (join/indexOf/lastIndexOf/apply/map) due to unsafe TemplatedGetItem optimizations when prototype chain modifications occur, (2) Missing buffer integrity checks in encoder allowing RWX memory tampering, (3) Use-after-free in optimization passes (GlobOpt) and lowering logic (LowerMDShared). The patch directly modifies these functions to add CRC validation, prototype access checks, and lifetime management fixes, aligning with CWE-119's memory corruption context. Test cases explicitly target array prototype manipulation scenarios that would trigger these vulnerabilities.

Vulnerable functions

Only Mi**o us*rs **n s** t*is s**tion

WAF Protection Rules

WAF Rule

T** ***kr* J*v*S*ript *n*in* in Mi*roso*t **** *llows r*mot* *tt**k*rs to *x**ut* *r*itr*ry *o** or **us* * **ni*l o* s*rvi** (m*mory *orruption) vi* * *r**t** w** sit*, *k* "S*riptin* *n*in* M*mory *orruption Vuln*r**ility," * *i***r*nt vuln*r**ilit

Reasoning

T** vuln*r**ility st*ms *rom: (*) Typ* *on*usion in `J*v*s*ript*rr*y` m*t*o*s (`join`/`in**xO*`/`l*stIn**xO*`/`*pply`/`m*p`) *u* to uns*** `T*mpl*t****tIt*m` optimiz*tions w**n prototyp* ***in mo*i*i**tions o**ur, (*) Missin* *u***r int**rity ****ks