High severity (8.8, NVD) · Advisory · Published Jun 16, 2016 · Updated May 6, 2026
CVE-2016-3214
Description
The Chakra JavaScript engine in Microsoft Edge allows remote attackers to execute arbitrary code or cause a denial of service (memory corruption) via a crafted web site, aka "Scripting Engine Memory Corruption Vulnerability," a different vulnerability than CVE-2016-3199.
Affected packages
Versions sourced from the GitHub Security Advisory.
| Package | Affected versions | Patched versions |
|---|---|---|
| Microsoft.ChakraCoreNuGet | < 1.3.0 | 1.3.0 |
Affected products
Patches (1)
0b9f3cdd57cb · Make Array concat responsive to side-effects of calling @@species create
1 file changed · +47 −7
lib/Runtime/Library/JavascriptArray.cpp+47 −7 modified@@ -3136,7 +3136,7 @@ namespace Js } bool converted; - if (JavascriptArray::IsAnyArray(aItem)) + if (JavascriptArray::IsAnyArray(aItem) || remoteTypeIds[idxArg] == TypeIds_Array) { if (JavascriptNativeIntArray::Is(aItem)) // Fast path { @@ -3156,7 +3156,6 @@ namespace Js ConcatArgs<uint>(pVarDestArray, remoteTypeIds, args, scriptContext, idxArg, idxDest); return pVarDestArray; } - if (converted) { // Copying the last array forced a conversion, so switch over to the var version @@ -3167,8 +3166,6 @@ namespace Js } else { - Assert(!JavascriptArray::IsAnyArray(aItem) && remoteTypeIds[idxArg] != TypeIds_Array); - if (TaggedInt::Is(aItem)) { pDestArray->DirectSetItemAt(idxDest, (double)TaggedInt::ToInt32(aItem)); 
@@ -3327,9 +3324,52 @@ namespace Js pDestObj = ArraySpeciesCreate(args[0], 0, scriptContext); if (pDestObj) { - isInt = JavascriptNativeIntArray::Is(pDestObj); - isFloat = !isInt && JavascriptNativeFloatArray::Is(pDestObj); // if we know it is an int short the condition to avoid a function call - isArray = isInt || isFloat || JavascriptArray::Is(pDestObj); + // Check the thing that species create made. If it's a native array that can't handle the source + // data, convert it. If it's a more conservative kind of array than the source data, indicate that + // so that the data will be converted on copy. + if (isInt) + { + if (JavascriptNativeIntArray::Is(pDestObj)) + { + isArray = true; + } + else + { + isInt = false; + isFloat = JavascriptNativeFloatArray::Is(pDestObj); + isArray = JavascriptArray::Is(pDestObj); + } + } + else if (isFloat) + { + if (JavascriptNativeIntArray::Is(pDestObj)) + { + JavascriptNativeIntArray::ToNativeFloatArray(JavascriptNativeIntArray::FromVar(pDestObj)); + isArray = true; + } + else + { + isFloat = JavascriptNativeFloatArray::Is(pDestObj); + isArray = JavascriptArray::Is(pDestObj); + } + } + else + { + if (JavascriptNativeIntArray::Is(pDestObj)) + { + JavascriptNativeIntArray::ToVarArray(JavascriptNativeIntArray::FromVar(pDestObj)); + isArray = true; + } + else if (JavascriptNativeFloatArray::Is(pDestObj)) + { + JavascriptNativeFloatArray::ToVarArray(JavascriptNativeFloatArray::FromVar(pDestObj)); + isArray = true; + } + else + { + isArray = JavascriptArray::Is(pDestObj); + } + } } if (pDestObj == nullptr || isArray)
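Review bot: In the first hunk (@@ -3136), the widened condition `JavascriptArray::IsAnyArray(aItem) || remoteTypeIds[idxArg] == TypeIds_Array` now routes cross-context arrays through the array-copy branch, and the third hunk (@@ -3167) drops the `Assert(!JavascriptArray::IsAnyArray(aItem) && remoteTypeIds[idxArg] != TypeIds_Array)` that documented the old invariant of the else branch. A one-line comment at the widened condition saying why the remote type id must be consulted separately from IsAnyArray would keep that invariant visible now that the assert is gone; the blank-line removal in the second hunk (@@ -3156) is purely cosmetic.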
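Review bot: In the hunk at @@ -3327 the return values of `JavascriptNativeIntArray::ToNativeFloatArray(...)` and both `ToVarArray(...)` calls are discarded while `pDestObj` keeps being used afterwards (`if (pDestObj == nullptr || isArray)`), so please confirm these conversions rewrite the object in place; if they can hand back a different pointer, assign it to pDestObj. The three branches repeat the same Is/convert/isArray shape and would collapse into a small helper taking the source kind. The change also touches only JavascriptArray.cpp (1 file changed) and ships no regression test for the case the new comment describes, a @@species constructor returning a native int or float array narrower than the source data; adding one would stop the old `isInt = JavascriptNativeIntArray::Is(pDestObj)` derivation from creeping back.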
References
- github.com/advisories/GHSA-538h-6rv2-wmj3 (GHSA, advisory)
- nvd.nist.gov/vuln/detail/CVE-2016-3214 (GHSA, advisory)
- docs.microsoft.com/en-us/security-updates/securitybulletins/2016/ms16-068 (NVD, web)
- github.com/chakra-core/ChakraCore/commit/0b9f3cdd57cb09388fcf898edc537169c45a7345 (GHSA, web)
- web.archive.org/web/20211129115034/http://www.securitytracker.com/id/1036099 (GHSA, web)
- www.securitytracker.com/id/1036099 (NVD)