cbcvebase.
CVE-2016-7240
published 2016-11-10

CVE-2016-7240: The Chakra JavaScript scripting engine in Microsoft Edge allows remote attackers to execute arbitrary code or cause a denial of service (memory corruption) via…

PriorityP268high7.5CVSS 3.0
AVNACHPRNUIRSUCHIHAH
EXPLOIT
EPSS
66.47%
99.2th percentile
The Chakra JavaScript scripting engine in Microsoft Edge allows remote attackers to execute arbitrary code or cause a denial of service (memory corruption) via a crafted web site, aka "Scripting Engine Memory Corruption Vulnerability," a different vulnerability than CVE-2016-7200, CVE-2016-7201, CVE-2016-7202, CVE-2016-7203, CVE-2016-7208, CVE-2016-7242, and CVE-2016-7243.

Affected

5 ranges
VendorProductVersion rangeFixed in
msrcmicrosoft_edge_on_windows_10_version_1511_for_32-bit_systems
msrcmicrosoft_edge_on_windows_10_version_1511_for_x64-based_systems
msrcmicrosoft_edge_on_windows_10_version_1607_for_32-bit_systems
msrcmicrosoft_edge_on_windows_10_version_1607_for_x64-based_systems
msrcmicrosoft_edge_on_windows_server_2016

Detection & IOCsextracted from sources · hover to see the quote

commandvar p = new Proxy(eval, {}); p("alert(\"e\")");
  • Look for Proxy object wrapping eval in JavaScript — this is the type confusion trigger for CVE-2016-7240 in Microsoft Edge's Chakra engine
  • Vulnerability is in the scripting engine's handling of objects in memory in Internet Explorer / Microsoft Edge; monitor for memory corruption events triggered by crafted web content or ActiveX controls marked 'safe for initialization'
  • Attacker delivery vector includes compromised websites, user-provided content/advertisements, and Office documents hosting the IE rendering engine — monitor for IE/Edge process spawning child processes after visiting untrusted sites
  • ·CVE-2016-7240 affects Internet Explorer's scripting engine (not Edge/Chakra directly), despite being listed alongside Edge Chakra CVEs in the same bulletin; ensure detection scope covers iexplore.exe, not only msedge.exe
  • ·The public exploit (Exploit-DB 40773) is titled 'Microsoft Edge - eval Type Confusion' and references CVE-2016-7240 alongside CVE-2016-7243; verify which CVE the Proxy/eval PoC specifically triggers before using it as a definitive CVE-2016-7240 indicator
  • ·Patch KB3200970 and KB3198586 are the remediation references; absence of these KBs indicates a vulnerable host

CVSS provenance

nvdv3.07.5HIGHCVSS:3.0/AV:N/AC:H/PR:N/UI:R/S:U/C:H/I:H/A:H
nvdv2.07.6HIGHAV:N/AC:H/Au:N/C:C/I:C/A:C
ghsa8.8HIGH
osv8.8HIGH
vulncheck8.8HIGH
vendor_msrc4.2MEDIUM
CVEs like this are exactly what “Exploited This Week” covers.

Every Monday: what got weaponized or added to CISA KEV in the last seven days — each CVE cross-linked to its PoC, Nuclei template, and detection rule. Free, one email a week, unsubscribe in one click.