CVE-2016-7189

HIGH

Microsoft Edge - Remote Code Execution via Chakra JavaScript Engine

Title source: llm
STIX 2.1

Exploitation Summary

EIP tracks 1 public exploit for CVE-2016-7189. PoCs published by Google Security Research.

AI-analyzed exploit summary This exploit leverages a type confusion vulnerability in Chakra (CVE-2016-7189) by manipulating array prototypes during a join operation, allowing arbitrary memory reads and potential RCE. The PoC demonstrates object pointer leakage via array type confusion.

Description

The Chakra JavaScript engine in Microsoft Edge allows remote attackers to execute arbitrary code via a crafted web site, aka "Scripting Engine Remote Code Execution Vulnerability."

Exploits (1)

exploitdb WORKING POC VERIFIED
by Google Security Research · htmldoswindows
https://www.exploit-db.com/exploits/40604

This exploit leverages a type confusion vulnerability in Chakra (CVE-2016-7189) by manipulating array prototypes during a join operation, allowing arbitrary memory reads and potential RCE. The PoC demonstrates object pointer leakage via array type confusion.

Classification
Working Poc 100%
Attack Type
Rce
Complexity
Moderate
Reliability
Reliable
Target: Microsoft Chakra JavaScript Engine (Edge)
No auth needed
Prerequisites: Victim must visit a malicious webpage or execute the script in a vulnerable Chakra environment
devstral-2 · analyzed Feb 16, 2026 Full analysis →

References (3)

Core 3
Core References
Third Party Advisory, VDB Entry vdb-entry x_refsource_sectrack
http://www.securitytracker.com/id/1036993
Third Party Advisory, VDB Entry vdb-entry x_refsource_bid
http://www.securityfocus.com/bid/93427

Scores

CVSS v3 7.5
EPSS 0.7458
EPSS Percentile 98.9%
Attack Vector NETWORK
CVSS:3.0/AV:N/AC:H/PR:N/UI:R/S:U/C:H/I:H/A:H

Details

CWE
CWE-119
Status published
Products (2)
microsoft/edge
nuget/Microsoft.ChakraCore 0 - 1.2.1NuGet
Published Oct 14, 2016
Tracked Since Feb 18, 2026