What Is Microsoft Edge?
Microsoft Edge is the Windows 10 default browser, powered by the Chakra (ChakraCore) JavaScript engine. Chakra performs just-in-time compilation, speculative type optimization, and dynamic execution of JavaScript — the core of modern web application processing. Type confusion vulnerabilities in JIT engines are particularly impactful: when an engine incorrectly tracks an object's type, it may allow an attacker to read or write arbitrary memory by creating an object that is treated as the wrong type, bypassing all the engine's normal bounds checks and type safety enforcement.
Overview
CVE-2016-7201 is a type confusion vulnerability in the Chakra JavaScript engine in Microsoft Edge. The Chakra engine's JIT compiler or type inference system incorrectly tracks the type of a JavaScript object, allowing an attacker to create a situation where the engine accesses object data as the wrong type — providing an arbitrary read/write primitive in the Edge process memory. Patched in MS16-145 (November 8, 2016) alongside the closely related CVE-2016-7200 (Chakra OOB write). CISA added both CVEs to the KEV catalog in March 2022.
Affected Versions
| Microsoft Edge | Status |
|---|---|
| Edge on Windows 10 (pre-MS16-145) | Vulnerable |
| Edge on Windows 10 with MS16-145 applied | Fixed |
| Internet Explorer | Not affected (uses JScript engine, not Chakra) |
Technical Details
Root Cause: JIT Type Confusion
CVE-2016-7201 is a type confusion vulnerability (CWE-843) in Chakra's JavaScript engine. Modern JavaScript engines maintain type information about objects to perform type-specialized optimization — compiling code paths that assume an object is always an integer array, for example. When the type inference is incorrect or can be confused by attacker-controlled JavaScript, the engine accesses object data using wrong type semantics.
Type confusion impact:
- Arbitrary read — treating an array object as an integer causes data fields (including pointers) to be interpreted as the integer value; reading back the "integer" reveals internal pointers
- ASLR bypass — reading internal Chakra pointers reveals the base address of JavaScript engine memory, defeating Address Space Layout Randomization
- Arbitrary write — writing a "float" to a position that the engine treats as an object pointer allows redirecting function dispatch
- Code execution — redirected function pointer causes execution of attacker-controlled code in the Edge process
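To make the root-cause mechanism concrete, here is an added C model of the pattern described above. It is not Chakra's code and is not taken from this advisory; the names (`js_value`, `read_int_unchecked`, `read_int_checked`, `int_array`) and the tag-plus-union layout are constructed for illustration. It shows why a speculative fast path that loads a slot without re-checking its type tag turns an object pointer into a readable "integer" (the leak that defeats ASLR), and why a guard at the use site, which forces a bail-out when the speculation no longer holds, closes both the read and the write direction.

```c
#include <stdint.h>
#include <stdio.h>

/* Constructed model of an engine value slot: a type tag plus a payload that is
 * either a small integer or a pointer to a heap object. Real engines use
 * NaN-boxing or pointer tagging; the principle is the same. */
typedef enum { KIND_INT = 1, KIND_OBJECT = 2 } value_kind;

typedef struct {
    uint32_t length;
    int32_t  elements[4];
} int_array;                  /* stand-in for an integer array object */

typedef struct {
    value_kind kind;
    union {
        intptr_t   as_int;    /* payload viewed as an integer */
        int_array *as_object; /* payload viewed as an object pointer */
    } u;
} js_value;

static void set_int(js_value *v, intptr_t n)      { v->kind = KIND_INT;    v->u.as_int = n; }
static void set_object(js_value *v, int_array *o) { v->kind = KIND_OBJECT; v->u.as_object = o; }

/* Speculative fast path: the compiler observed the tag once, concluded
 * "always an int", and emitted a plain load. If the slot was retyped after
 * that observation, the object pointer's bits come back as the "integer":
 * an address disclosure. */
intptr_t read_int_unchecked(const js_value *v) { return v->u.as_int; }

/* Guarded path: re-validate the tag at the use site and refuse (the engine
 * would deoptimize here) when the speculation no longer holds. */
int read_int_checked(const js_value *v, intptr_t *out) {
    if (v->kind != KIND_INT) return 0;   /* type guard failed: do not reinterpret */
    *out = v->u.as_int;
    return 1;
}

/* Same pattern on the write side: an unchecked store lets an integer land in
 * a slot the engine later treats as an object pointer; the guarded store refuses. */
void write_int_unchecked(js_value *v, intptr_t n) { v->u.as_int = n; }

int write_int_checked(js_value *v, intptr_t n) {
    if (v->kind != KIND_INT) return 0;
    v->u.as_int = n;
    return 1;
}

/* Returns 1 when the unchecked read of a retyped slot yields the object's
 * address, i.e. the confusion leaks a pointer. */
int demo_unchecked_read_leaks_pointer(void) {
    int_array arr = { 4, { 1, 2, 3, 4 } };
    js_value slot;
    set_int(&slot, 7);            /* tag observed as int: fast path specialized */
    set_object(&slot, &arr);      /* slot retyped between the check and the use */
    return read_int_unchecked(&slot) == (intptr_t)&arr;
}

/* Returns 1 when the guarded read refuses the retyped slot and leaves *out untouched. */
int demo_checked_read_refuses(void) {
    int_array arr = { 4, { 1, 2, 3, 4 } };
    js_value slot;
    intptr_t out = -1;
    set_int(&slot, 7);
    set_object(&slot, &arr);
    return read_int_checked(&slot, &out) == 0 && out == -1;
}

/* Returns 1 when an unchecked integer store replaces the object pointer
 * (the slot no longer points at arr). The corrupted pointer is never dereferenced. */
int demo_unchecked_write_corrupts_pointer(void) {
    int_array arr = { 4, { 1, 2, 3, 4 } };
    js_value slot;
    set_object(&slot, &arr);
    write_int_unchecked(&slot, 12345);
    return slot.u.as_object != &arr;
}

/* Returns 1 when the guarded store refuses and the object pointer stays intact. */
int demo_checked_write_refuses(void) {
    int_array arr = { 4, { 1, 2, 3, 4 } };
    js_value slot;
    set_object(&slot, &arr);
    int refused = (write_int_checked(&slot, 12345) == 0);
    return refused && slot.u.as_object == &arr;
}

int main(void) {
    printf("unchecked read leaks pointer:    %d\n", demo_unchecked_read_leaks_pointer());
    printf("checked read refuses:            %d\n", demo_checked_read_refuses());
    printf("unchecked write corrupts pointer:%d\n", demo_unchecked_write_corrupts_pointer());
    printf("checked write refuses:           %d\n", demo_checked_write_refuses());
    return 0;
}
```

The defensive point is the placement of the guard: a tag check done once at compile time is only sound if nothing can change the slot's type before the specialized code runs; a JIT that cannot prove that must keep a guard (and a deoptimization path) at every use site, which is the class of fix a type-confusion patch applies.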
Exploitation Chain with CVE-2016-7200
CVE-2016-7201 and CVE-2016-7200 (OOB write) were patched together and exploited together:
- CVE-2016-7201 (type confusion) → ASLR bypass: reading internal pointers reveals memory layout
- CVE-2016-7200 (OOB write) → code execution: corrupting heap state using the known memory layout for reliable exploitation
This is the standard two-stage browser exploit pattern: information leak to defeat ASLR, then memory corruption to achieve control of execution.
Attack Characteristics
| Attribute | Detail |
|---|---|
| Attack Vector | Network — malicious web page |
| User Interaction | Required — victim visits attacker-controlled page |
| Authentication | None required |
| Impact | Arbitrary read/write in Edge process; remote code execution |
| ASLR Bypass | Yes — type confusion provides pointer leak |
Discovery
Identified through Microsoft's internal security research or external coordinated disclosure; patched in the November 2016 Patch Tuesday (MS16-145) alongside multiple other Chakra and Edge vulnerabilities.
Exploitation Context
- Type confusion as ASLR bypass: CVE-2016-7201 is the classic first stage in a browser exploit chain — providing the pointer leak needed to defeat ASLR before triggering the code execution primitive; exploitation in the wild used it precisely in this role alongside CVE-2016-7200
- Exploit kit adoption: In 2016, Chakra vulnerabilities began appearing in exploit kits as Windows 10 adoption grew; the stable exploit chain provided by CVE-2016-7200 + CVE-2016-7201 made it an attractive target for kit integration
- Targeted attack use: Edge-targeting Chakra exploits were used in targeted campaigns against Windows 10 users who had moved away from IE, representing attacker adaptation to browser changes
- CISA KEV (2022): Added March 2022 alongside CVE-2016-7200, reflecting confirmed exploitation of both vulnerabilities as part of the same attack chains
Remediation
- Apply MS16-145 — install the November 2016 Microsoft Edge security update via Windows Update, WSUS, or MECM. All subsequent Windows 10 cumulative updates include this fix.
- Keep Windows 10 fully updated — cumulative updates include all prior Edge and Chakra patches; ensure systems are current.
- Enable Windows Defender SmartScreen — blocks known malicious URLs and exploit kit delivery infrastructure before exploit execution.
- Migrate to Chromium-based Microsoft Edge — the modern Chromium-based Edge replaces the legacy EdgeHTML/Chakra stack affected by CVE-2016-7201 with the V8 JavaScript engine and receives independent security updates.
Key Details
| Property | Value |
|---|---|
| CVE ID | CVE-2016-7201 |
| Vendor / Product | Microsoft — Edge |
| NVD Published | 2016-11-10 |
| NVD Last Modified | 2025-10-22 |
| CVSS 3.1 Score | 8.8 |
| CVSS 3.1 Vector | CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H |
| Severity | HIGH |
| CWE | CWE-843 — Access of Resource Using Incompatible Type ('Type Confusion') |
| CISA KEV Added | 2022-03-28 |
| CISA KEV Deadline | 2022-04-18 |
| Known Ransomware Use | No |
Timeline
| Date | Event |
|---|---|
| 2016-11-08 | Microsoft releases MS16-145 patching CVE-2016-7201 and CVE-2016-7200 (Chakra memory corruption in Edge) |
| 2016-11-10 | CVE-2016-7201 published by NVD |
| 2022-03-28 | Added to CISA Known Exploited Vulnerabilities catalog |
| 2022-04-18 | CISA BOD 22-01 remediation deadline |
References
| Resource | Type |
|---|---|
| NVD — CVE-2016-7201 | Vulnerability Database |
| CISA KEV Catalog Entry | US Government |
| MS16-145 — Security Update for Microsoft Edge (November 2016) | Vendor Advisory |