CVE-2016-3377
published 2016-09-14

Priority: P272 · high · 7.5 (CVSS 3.0)
Vector: AV:N/AC:H/PR:N/UI:R/S:U/C:H/I:H/A:H
ITW · VulnCheck KEV
Exploited in the wild
EPSS: 16.17% (96.5th percentile)

The Chakra JavaScript engine in Microsoft Edge allows remote attackers to execute arbitrary code or cause a denial of service (memory corruption) via a crafted web site, aka "Scripting Engine Memory Corruption Vulnerability," a different vulnerability than CVE-2016-3350.

Affected

4 ranges
| Vendor | Product | Version range | Fixed in |
|---|---|---|---|
| msrc | microsoft_edge_on_windows_10_version_1511_for_32-bit_systems | | |
| msrc | microsoft_edge_on_windows_10_version_1511_for_x64-based_systems | | |
| msrc | microsoft_edge_on_windows_10_version_1607_for_32-bit_systems | | |
| msrc | microsoft_edge_on_windows_10_version_1607_for_x64-based_systems | | |

Detection & IOCs (extracted from sources)

  • Vulnerability is in the Chakra JavaScript engine (Microsoft Edge); detect exploitation attempts via memory corruption triggered by crafted web pages loaded in Microsoft Edge
  • Monitor for ActiveX controls marked 'safe for initialization' being embedded in Office documents or applications hosting the browser rendering engine as an attack vector
  • Monitor for exploitation of compromised or attacker-controlled websites serving crafted content to Microsoft Edge users; web-based delivery is the primary attack scenario
  • Exploit Status is 'Publicly Disclosed: No; Exploited: No' but rated 'Exploitation More Likely' for the latest software release — prioritize patching accordingly
  • Patches are delivered via KB3193494, KB3185614, and KB3189866; verify these are applied to confirm remediation

CVSS provenance

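| Source | Version | Score | Severity | Vector |
|---|---|---|---|---|
| nvd | v3.0 | 7.5 | HIGH | CVSS:3.0/AV:N/AC:H/PR:N/UI:R/S:U/C:H/I:H/A:H |
| nvd | v2.0 | 7.6 | HIGH | AV:N/AC:H/Au:N/C:C/I:C/A:C |
| ghsa | | 7.5 | HIGH | |
| osv | | 7.5 | HIGH | |
| vulncheck | | 7.5 | HIGH | |
| vendor_msrc | | 7.5 | CRITICAL | |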