7.6 HIGH

CVE-2019-0539

Published: 08/01/2019 Updated: 05/03/2019
CVSS v2 Base Score: 7.6 | Impact Score: 10 | Exploitability Score: 4.9
CVSS v3 Base Score: 7.5 | Impact Score: 5.9 | Exploitability Score: 1.6

Vulnerability Summary

A remote code execution vulnerability exists in the way that the Chakra scripting engine handles objects in memory in Microsoft Edge, aka "Chakra Scripting Engine Memory Corruption Vulnerability." This affects Microsoft Edge, ChakraCore. This CVE ID is unique from CVE-2019-0567, CVE-2019-0568.

Vector: AV:N/AC:H/Au:N/C:C/I:C/A:C
Access Complexity: HIGH
Authentication: NONE
Access Vector: NETWORK
Confidentiality Impact: COMPLETE
Integrity Impact: COMPLETE
Availability Impact: COMPLETE

Affected Products

Vendor      Product     Versions
Microsoft   ChakraCore  -
Microsoft   Edge        -

Exploits

/* Issue description This is similar to issue 1702 (www.exploit-db.com/exploits/46203). This time, it uses an InitClass instruction to reach the SetIsPrototype method. PoC: */ function opt(o, c, value) { o.b = 1; class A extends c { } o.a = value; } function main() { for (let i = 0; i < 2000; i++) { ...
<html> <script> /* # Exploit Title: [getting Read permission through Type Confusion] # Date: [date] # Exploit Author: [Fahad Aid Alharbi] # Vendor Homepage: [www.microsoft.com/en-us/] # Version: [Chakra 1_11_4] (REQUIRED) # Tested on: [Windows 10] # CVE : [cve-2019-0539] */ /* author @0x4142 => Fahad Aid Alharbi * cve-2019 ...
NewScObjectNoCtor and InitProto opcodes are treated as having no side effects, but actually they can have via the SetIsPrototype method of the type handler that can cause transition to a new type. This can lead to type confusion in the JITed code. In the PoC, it overwrites the pointer to property slots with 0x1000000001234. PoC for NewScObjectNo ...

Mailing Lists

Microsoft Edge Chakra version 1.11.4 read permission via type confusion proof of concept exploit ...

Github Repositories

Case Study of JavaScript Engine Vulnerabilities

V8

CVE Number      Feature        Keywords                    Credit
CVE-2013-6632   TypedArray     Integer Overflow, OOB       Pinkie Pie
CVE-2014-1705   TypedArray     Invalid Array Length, OOB   geohot
CVE-2014-3176   Array.concat   Side Effect, OOB            lokihardt
CVE-2014-7927   Optimization   asm.js, OOB                 Christian Holler
CVE-2014-7928   Optimization   Array                       Christian Holler
C ...

References