cbcvebase.
CVE-2016-7242
published 2016-11-10

CVE-2016-7242: The Chakra JavaScript scripting engine in Microsoft Edge allows remote attackers to execute arbitrary code or cause a denial of service (memory corruption) via…

PriorityP272high7.5CVSS 3.0
AVNACHPRNUIRSUCHIHAH
ITWVulnCheck KEV
Exploited in the wild
EPSS
16.28%
96.6th percentile
The Chakra JavaScript scripting engine in Microsoft Edge allows remote attackers to execute arbitrary code or cause a denial of service (memory corruption) via a crafted web site, aka "Scripting Engine Memory Corruption Vulnerability," a different vulnerability than CVE-2016-7200, CVE-2016-7201, CVE-2016-7202, CVE-2016-7203, CVE-2016-7208, CVE-2016-7240, and CVE-2016-7243.

Affected

5 ranges
VendorProductVersion rangeFixed in
msrcmicrosoft_edge_on_windows_10_version_1511_for_32-bit_systems
msrcmicrosoft_edge_on_windows_10_version_1511_for_x64-based_systems
msrcmicrosoft_edge_on_windows_10_version_1607_for_32-bit_systems
msrcmicrosoft_edge_on_windows_10_version_1607_for_x64-based_systems
msrcmicrosoft_edge_on_windows_server_2016

Detection & IOCsextracted from sources · hover to see the quote

  • Vulnerability exists in the scripting engine's handling of objects in memory in Internet Explorer; look for exploitation via specially crafted websites or embedded ActiveX controls marked 'safe for initialization' in Office documents or applications hosting the IE rendering engine.
  • Monitor for suspicious ActiveX control instantiation within Office documents or IE-hosted rendering engine contexts, particularly controls marked 'safe for initialization', as this is a documented attack vector for CVE-2016-7242.
  • Monitor for users being directed to attacker-controlled or compromised websites via Internet Explorer, especially sites hosting user-provided content or advertisements, as these are delivery vectors for this vulnerability.
  • ·CVE-2016-7242 affects the scripting engine in Internet Explorer (memory object handling), while the closely related CVE-2016-7243 affects the Chakra JavaScript engine in Microsoft Edge — these are distinct vulnerabilities despite similar descriptions. Ensure detections and patches target the correct browser/engine.
  • ·Microsoft assessed exploitation as 'More Likely' for the latest software release at time of disclosure; no public exploit or in-the-wild exploitation was confirmed at time of advisory publication.

CVSS provenance

nvdv3.07.5HIGHCVSS:3.0/AV:N/AC:H/PR:N/UI:R/S:U/C:H/I:H/A:H
nvdv2.07.6HIGHAV:N/AC:H/Au:N/C:C/I:C/A:C
ghsa8.8HIGH
osv8.8HIGH
vulncheck8.8HIGH
vendor_msrc4.2MEDIUM
CVEs like this are exactly what “Exploited This Week” covers.

Every Monday: what got weaponized or added to CISA KEV in the last seven days — each CVE cross-linked to its PoC, Nuclei template, and detection rule. Free, one email a week, unsubscribe in one click.