CVE-2016-3386
published 2016-10-14

Priority: P2 (63, high)
CVSS 3.0: 7.5 (AV:N/AC:H/PR:N/UI:R/S:U/C:H/I:H/A:H)
EXPLOIT
EPSS: 41.32% (98.5th percentile)

The Chakra JavaScript engine in Microsoft Edge allows remote attackers to execute arbitrary code or cause a denial of service (memory corruption) via a crafted web site, aka "Scripting Engine Memory Corruption Vulnerability," a different vulnerability than CVE-2016-3389, CVE-2016-7190, and CVE-2016-7194.

Affected (6 ranges)

Vendor | Product | Version range | Fixed in
msrc | microsoft_edge_on_windows_10_for_32-bit_systems | |
msrc | microsoft_edge_on_windows_10_for_x64-based_systems | |
msrc | microsoft_edge_on_windows_10_version_1511_for_32-bit_systems | |
msrc | microsoft_edge_on_windows_10_version_1511_for_x64-based_systems | |
msrc | microsoft_edge_on_windows_10_version_1607_for_32-bit_systems | |
msrc | microsoft_edge_on_windows_10_version_1607_for_x64-based_systems | |

(The version range and fixed-in columns are empty in the source record.)

Detection & IOCs (extracted from sources)

Command / script snippets:
  • t.length = 10000; temp.fill.call(t, 7, 0, 1000);
  • t.__proto__ = mp; q(...t);

Notes:
  • Detect use of Spread Operator (...) combined with Proxy prototype manipulation on arrays in Microsoft Edge / Chakra JS engine, which is the core trigger for this stack overflow vulnerability (MS16-119).
  • Look for JavaScript that sets an array's __proto__ to a Proxy object and then calls a function using the spread operator on that array, as this is the exploit primitive for CVE-2016-3386.
  • Monitor for JavaScript that dynamically and drastically increases array length (e.g., t.length = 10000) inside a Proxy 'get' trap handler, which is used to trigger the out-of-bounds write in destArgs.Values.
  • The vulnerability is triggered when DirectGetItemAtFull falls back to the array prototype (e.g., a Proxy), allowing user script to execute and change array length mid-iteration, overflowing destArgs.Values. Alert on Proxy-based prototype chains on arrays used with spread calls.
  • The exploit targets Microsoft Edge specifically via the Chakra JavaScript engine; other browsers are not affected by this specific CVE.
  • As of the advisory, this vulnerability had not been observed exploited in the wild, though exploitation was rated 'More Likely' for the latest software release.
  • The PoC also notes a potential integer overflow in the length check that should be fixed alongside the main vulnerability, meaning detection should account for both overflow paths.

CVSS provenance

Source | Version | Score | Severity | Vector
nvd | v3.0 | 7.5 | HIGH | CVSS:3.0/AV:N/AC:H/PR:N/UI:R/S:U/C:H/I:H/A:H
nvd | v2.0 | 9.3 | CRITICAL | AV:N/AC:M/Au:N/C:C/I:C/A:C
ghsa | | 7.5 | HIGH |
osv | | 7.5 | HIGH |
vendor_msrc | | 7.5 | CRITICAL |