CVE-2016-7286
published 2016-12-20

Priority: P269 high
CVSS 3.0: 7.5 (AV:N/AC:H/PR:N/UI:R/S:U/C:H/I:H/A:H)
EXPLOIT
EPSS: 68.72% (99.3th percentile)

The scripting engines in Microsoft Edge allow remote attackers to execute arbitrary code or cause a denial of service (memory corruption) via a crafted web site, aka "Scripting Engine Memory Corruption Vulnerability," a different vulnerability than CVE-2016-7288, CVE-2016-7296, and CVE-2016-7297.

Affected

3 ranges

Vendor | Product | Version range | Fixed in
msrc | microsoft_edge_on_windows_10_version_1607_for_32-bit_systems | |
msrc | microsoft_edge_on_windows_10_version_1607_for_x64-based_systems | |
msrc | microsoft_edge_on_windows_server_2016 | |

Detection & IOCs (extracted from sources)

url: https://catalog.update.microsoft.com/v7/site/Search.aspx?q=KB3206632
  • Trigger condition: SIMD.Int32x4.toLocaleString() called with excess arguments on Microsoft Edge, leading to uninitialized memory access. Monitor for JavaScript invoking SIMD.Int32x4(...).toLocaleString() with multiple arguments.
  • Vulnerability is in the scripting engine's handling of SIMD objects in memory within Microsoft Edge (MS16-145). Alert on pages delivering SIMD-based PoC JavaScript patterns.
  • Exploit status is 'Exploitation More Likely' for the latest software release; prioritize detection and patching on current Edge versions.
  • The NVD source (DOC 1) references CVE-2016-7288, a different but related scripting engine memory corruption vulnerability in Microsoft Edge, not CVE-2016-7286 directly. Intel from that source should be treated as contextual only.
  • The MSRC advisory description references Internet Explorer in the body text, but the affected product listed is Microsoft Edge. Detection and patching scope should focus on Microsoft Edge as the confirmed affected product for CVE-2016-7286.

CVSS provenance

Source | Version | Score | Severity | Vector
nvd | v3.0 | 7.5 | HIGH | CVSS:3.0/AV:N/AC:H/PR:N/UI:R/S:U/C:H/I:H/A:H
nvd | v2.0 | 7.6 | HIGH | AV:N/AC:H/Au:N/C:C/I:C/A:C
vendor_msrc | | 4.2 | MEDIUM |