CVE-2016-3222
published 2016-06-16


Priority: P1, 81 (high)
CVSS 3.0: 8.8 (AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H)
Tags: ITW, EXPLOIT, VulnCheck KEV
Exploited in the wild
EPSS: 56.77% (98.9th percentile)
Microsoft Edge allows remote attackers to execute arbitrary code or cause a denial of service (memory corruption) via a crafted web site, aka "Microsoft Edge Memory Corruption Vulnerability."

Affected

2 ranges
Vendor | Product | Version range | Fixed in
msrc | microsoft_edge_on_windows_10_version_1511_for_32-bit_systems | |
msrc | microsoft_edge_on_windows_10_version_1511_for_x64-based_systems | |

Detection & IOCs (extracted from sources)

other: edgehtml.dll!CBaseScriptable::PrivateQueryInterface
other: chakra.dll!ThreadContext::PreSweepCallback
  • Triggering the vulnerable code path does NOT require JavaScript to be enabled — disabling JS is insufficient as a detection/prevention signal.
  • Access violations in edgehtml.dll!CBaseScriptable::PrivateQueryInterface at static/near-NULL addresses (e.g. 0x3 on 64-bit, 0x8 on 32-bit, 0x4C261 on 32-bit) are indicative of this type-confusion/bad-cast vulnerability in Microsoft Edge.
  • Access violations in chakra.dll!ThreadContext::PreSweepCallback at address 0xFF80A90F on 32-bit Edge are indicative of this vulnerability.
  • The vulnerability is triggered by getting the type of various properties or objects associated with another window — monitor cross-window property type access patterns in Edge crash telemetry.
  • Crashes at non-DWORD-aligned near-NULL addresses (e.g. 0x3) in CBaseScriptable::PrivateQueryInterface should be escalated as potential security vulnerabilities rather than dismissed as benign NULL pointer dereferences.
  • Patch reference: KB3163018 (MS16-068) addresses this vulnerability — systems missing this update are vulnerable.
  • The vulnerability manifests differently on 32-bit vs 64-bit Edge: 32-bit Edge shows access violations at non-NULL static addresses (e.g. 0x4C261, 0xFF80A90F, 0x1BF37D8), while 64-bit Edge shows near-NULL dereferences — both architectures must be tested to correctly classify the crash.

CVSS provenance

nvd | v3.0 | 8.8 | HIGH | CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H
nvd | v2.0 | 9.3 | CRITICAL | AV:N/AC:M/Au:N/C:C/I:C/A:C
vulncheck | 8.8 | HIGH
vendor_msrc | 8.8 | CRITICAL