What Is Microsoft Edge?
Microsoft Edge is the web browser bundled with Windows 10, introduced as the successor to Internet Explorer. Edge's primary JavaScript engine, Chakra (ChakraCore), handles JavaScript execution for all web content. Browser JavaScript engines are the most frequently targeted software components in client-side exploitation: a single malicious web page can reach millions of potential victims, and a working JavaScript engine exploit provides a reliable code execution primitive in the browser process. Edge added new exploit mitigations compared to Internet Explorer (enhanced sandbox, Control Flow Guard, MemGC), but the Chakra engine's complexity remained a persistent source of memory safety vulnerabilities throughout 2016.
Overview
CVE-2016-7200 is an out-of-bounds write vulnerability in the Chakra JavaScript engine in Microsoft Edge. When Edge processes a specially crafted web page, Chakra performs an incorrect memory write operation beyond an allocated buffer's bounds, corrupting adjacent heap memory in a manner that can be leveraged to execute arbitrary code at the privilege level of the current user. This vulnerability was patched alongside the closely related CVE-2016-7201 (Chakra type confusion) in MS16-145 (November 8, 2016). Both flaws affect the same Edge Chakra engine and were added to CISA's KEV catalog together in March 2022.
Affected Versions
| Microsoft Edge | Status |
|---|---|
| Edge on Windows 10 (pre-MS16-145) | Vulnerable |
| Edge on Windows 10 with MS16-145 applied | Fixed |
| Internet Explorer | Not affected (separate JScript engine) |
Technical Details
Root Cause: Chakra Out-of-Bounds Write
CVE-2016-7200 is an out-of-bounds write (CWE-787) in Microsoft's Chakra JavaScript engine. The Chakra engine performs just-in-time (JIT) compilation and type-specialized optimization of JavaScript code. In the vulnerable code path, processing of a specially crafted JavaScript construct causes the engine to write data beyond the end of an allocated heap buffer. This heap corruption can overwrite adjacent objects, including internal Chakra data structures that contain function pointers or type metadata used by the JIT engine.
Exploitation path:
- Victim visits a malicious web page — via spear-phishing link, malvertising, or watering hole attack
- Chakra processes crafted JavaScript — specific code constructs trigger the vulnerable array or object handling path
- Out-of-bounds write occurs — heap memory is corrupted beyond buffer bounds
- Heap layout manipulation — attacker's JavaScript grooms the heap to control what data is overwritten
- Code execution — corrupted internal Chakra object redirects execution to attacker-controlled code
- Sandbox escape required — Chakra RCE runs in the Edge sandbox; achieving arbitrary code execution on the host requires a separate sandbox escape
Relationship to CVE-2016-7201
CVE-2016-7200 and CVE-2016-7201 (Chakra type confusion) were patched together in MS16-145:
- CVE-2016-7200: out-of-bounds write — corrupts heap memory
- CVE-2016-7201: type confusion — allows wrong type interpretation of JavaScript values
These two vulnerability classes are complementary in exploit development: type confusion enables reading/writing arbitrary memory, while OOB write enables corrupting internal engine state to bypass type checks. Chaining both vulnerabilities in a single exploit provides a reliable, multi-stage code execution capability.
Attack Characteristics
| Attribute | Detail |
|---|---|
| Attack Vector | Network — malicious web page |
| User Interaction | Required — victim visits attacker-controlled page |
| Authentication | None required |
| Impact | Remote code execution in Edge process |
| Sandbox | Edge sandbox contains initial execution; separate escape needed for OS-level access |
Discovery
Identified through Microsoft's internal security research or coordinated disclosure; patched in the November 2016 Patch Tuesday release (MS16-145) alongside multiple other Edge and Chakra vulnerabilities.
Exploitation Context
- Browser exploit kit integration: Chakra memory corruption vulnerabilities were incorporated into exploit kits targeting Windows 10 users on Edge; the shift to Edge from IE created a new browser target that exploit kit authors began to include
- CVE-2016-7200 + CVE-2016-7201 pairing: Security researchers observed these two Chakra vulnerabilities being used together in exploitation chains — the type confusion providing an ASLR bypass and the OOB write providing code execution; the combination produces a reliable sandbox-escaping exploit when chained with a separate Edge sandbox escape
- Watering hole and spear-phishing delivery: Edge-targeting exploits were observed in targeted attack campaigns, where attacker-controlled pages were visited by victims through spear-phishing links
- CISA KEV (2022): Added March 2022, along with CVE-2016-7201, reflecting confirmed exploitation in active attack campaigns
Remediation
- Apply MS16-145 — install the November 2016 Microsoft Edge security update via Windows Update, WSUS, or MECM. All subsequent Windows 10 cumulative updates include this fix.
- Keep Windows 10 fully updated — apply all current Windows cumulative updates; the Edge JavaScript engine is updated as part of Windows cumulative patches.
- Enable Windows Defender SmartScreen — SmartScreen blocks known malicious URLs before the page loads, preventing exploit kit delivery to Edge.
- Consider migrating to Chromium-based Edge — the legacy EdgeHTML-based Edge (affected by CVE-2016-7200) has been replaced by Chromium-based Microsoft Edge, which uses the V8 JavaScript engine and receives independent updates; Chromium Edge provides a substantially updated codebase.
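To find hosts still browsing with legacy EdgeHTML-based Edge, web proxy logs can be searched for its User-Agent token. The following is an added example, not part of the original advisory: the log format, sample lines and function names are constructed for illustration, and it relies on legacy Edge advertising `Edge/<EdgeHTML version>.<Windows build>` while Chromium-based Edge advertises `Edg/<version>`.

```python
import re
from collections import defaultdict

# Constructed proxy-log sample, one request per line: <client-ip> "<user agent>".
_UA = "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) "
SAMPLE_LOG = "\n".join([
    f'10.0.4.17 "{_UA}Chrome/51.0.2704.79 Safari/537.36 Edge/14.14393"',
    f'10.0.4.22 "{_UA}Chrome/120.0.0.0 Safari/537.36 Edg/120.0.0.0"',
    f'10.0.4.31 "{_UA}Chrome/120.0.0.0 Safari/537.36"',
    f'10.0.4.17 "{_UA}Chrome/51.0.2704.79 Safari/537.36 Edge/14.14393"',
    f'10.0.4.40 "{_UA}Chrome/64.0.3282.140 Safari/537.36 Edge/17.17134"',
    "truncated line without a quoted user agent",
])

LINE_RE = re.compile(r'^(?P<ip>\S+)\s+"(?P<ua>[^"]*)"$')
LEGACY_RE = re.compile(r"\bEdge/(\d+)\.(\d+)\b")   # EdgeHTML version, Windows build
CHROMIUM_RE = re.compile(r"\bEdg/(\d+)")           # Chromium-based Edge

def classify(ua):
    """Return (browser kind, Windows build or None) for one User-Agent string."""
    m = LEGACY_RE.search(ua)
    if m:
        return "legacy-edgehtml", int(m.group(2))
    if CHROMIUM_RE.search(ua):
        return "chromium-edge", None
    return "other", None

def legacy_edge_clients(log_text):
    """Map client IP -> sorted Windows builds seen with legacy Edge."""
    hits = defaultdict(set)
    for line in log_text.splitlines():
        m = LINE_RE.match(line.strip())
        if not m:
            continue  # skip malformed lines instead of guessing at fields
        kind, build = classify(m.group("ua"))
        if kind == "legacy-edgehtml":
            hits[m.group("ip")].add(build)
    return {ip: sorted(builds) for ip, builds in hits.items()}

if __name__ == "__main__":
    for ip, builds in sorted(legacy_edge_clients(SAMPLE_LOG).items()):
        print(f"{ip}: legacy Edge on Windows build(s) {builds}: check patch level, plan migration")
```

The build number in the token does not include the update revision, so a hit cannot confirm whether MS16-145 is installed; treat the output as a list of hosts to check in patch management. User-Agent strings are client-controlled and only indicate likely browser use.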
Key Details
| Property | Value |
|---|---|
| CVE ID | CVE-2016-7200 |
| Vendor / Product | Microsoft — Edge |
| NVD Published | 2016-11-10 |
| NVD Last Modified | 2025-10-22 |
| CVSS 3.1 Score | 8.8 |
| CVSS 3.1 Vector | CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H |
| Severity | HIGH |
| CWE | CWE-787 — Out-of-Bounds Write |
| CISA KEV Added | 2022-03-28 |
| CISA KEV Deadline | 2022-04-18 |
| Known Ransomware Use | No |
Timeline
| Date | Event |
|---|---|
| 2016-11-08 | Microsoft releases MS16-145 patching CVE-2016-7200 and CVE-2016-7201 (Chakra memory corruption in Edge) |
| 2016-11-10 | CVE-2016-7200 published by NVD |
| 2022-03-28 | Added to CISA Known Exploited Vulnerabilities catalog |
| 2022-04-18 | CISA BOD 22-01 remediation deadline |
References
| Resource | Type |
|---|---|
| NVD — CVE-2016-7200 | Vulnerability Database |
| CISA KEV Catalog Entry | US Government |
| MS16-145 — Security Update for Microsoft Edge (November 2016) | Vendor Advisory |