CVE-2016-7288
published 2016-12-20

Priority: P2 · 69 · high
CVSS 3.0: 7.5 (AV:N/AC:H/PR:N/UI:R/S:U/C:H/I:H/A:H)
EXPLOIT
EPSS: 70.35% (99.3th percentile)

The scripting engines in Microsoft Edge allow remote attackers to execute arbitrary code or cause a denial of service (memory corruption) via a crafted web site, aka "Scripting Engine Memory Corruption Vulnerability," a different vulnerability than CVE-2016-7286, CVE-2016-7296, and CVE-2016-7297.

Affected

7 ranges
Vendor | Product | Version range | Fixed in
msrc | microsoft_edge_on_windows_10_for_32-bit_systems | |
msrc | microsoft_edge_on_windows_10_for_x64-based_systems | |
msrc | microsoft_edge_on_windows_10_version_1511_for_32-bit_systems | |
msrc | microsoft_edge_on_windows_10_version_1511_for_x64-based_systems | |
msrc | microsoft_edge_on_windows_10_version_1607_for_32-bit_systems | |
msrc | microsoft_edge_on_windows_10_version_1607_for_x64-based_systems | |
msrc | microsoft_edge_on_windows_server_2016 | |

Detection & IOCs (extracted from sources)

url: http://127.0.0.1
  • Exploit triggers a Use-After-Free via TypedArray.sort() in Microsoft Edge by passing a compareFunction that returns an object with a valueOf property (instead of a number), which is used to detach the underlying ArrayBuffer mid-sort via postMessage transfer.
  • The UAF is triggered by transferring the ArrayBuffer backing the TypedArray to another context (via postMessage) inside the sort comparator, detaching the buffer while the sort is still operating on it.
  • Look for JavaScript creating a large ArrayBuffer (e.g. 0x10010 bytes), wrapping it in a TypedArray, and calling .sort() with a comparator that invokes postMessage with the buffer in the transfer list.
  • CVE-2016-7288 is classified as 'Exploitation More Likely' by Microsoft, indicating active weaponization risk; prioritize detection on Microsoft Edge scripting engine activity.
  • The exploit PoC targets Microsoft Edge specifically (MS16-145); the MSRC advisory also references the Internet Explorer rendering engine via hosted ActiveX controls, broadening the attack surface beyond Edge alone.
  • The localhost URL (http://127.0.0.1) in the PoC is a proof-of-concept artifact for same-origin postMessage transfer; real-world exploitation would use an attacker-controlled origin.

CVSS provenance

nvd | v3.0 | 7.5 | HIGH | CVSS:3.0/AV:N/AC:H/PR:N/UI:R/S:U/C:H/I:H/A:H
nvd | v2.0 | 7.6 | HIGH | AV:N/AC:H/Au:N/C:C/I:C/A:C
vendor_msrc | 4.2 | MEDIUM