CVE-2019-0539
Description
A remote code execution vulnerability in Chakra scripting engine due to memory corruption, affecting Microsoft Edge and ChakraCore, allowing arbitrary code execution via crafted web page.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
Vulnerability
A remote code execution vulnerability exists in the Chakra scripting engine (used by Microsoft Edge and ChakraCore) due to improper handling of objects in memory, leading to memory corruption [1]. The vulnerability affects Microsoft Edge on Windows 10 (all versions) and ChakraCore up to version 1.11.4 [2][4]. The issue is triggered when the engine processes specially crafted JavaScript code.
Exploitation
An attacker can exploit this vulnerability by hosting a malicious website and convincing a user to visit it (no authentication required) [2]. The exploit leverages a type confusion bug to gain arbitrary read/write primitives, as demonstrated in a public proof-of-concept [4]. The attacker crafts JavaScript that triggers the memory corruption, then uses the resulting primitive to execute arbitrary code in the context of the current user.
Impact
Successful exploitation allows the attacker to execute arbitrary code in the context of the current user, potentially leading to full compromise of the browser and, if the user has elevated privileges, the underlying system. This can result in data theft, installation of malware, or further lateral movement within the network.
Mitigation
Microsoft released a security update on January 8, 2019, as part of Patch Tuesday, which addresses this vulnerability in Microsoft Edge [1]. Users should apply the update via Windows Update. For ChakraCore, Microsoft provided security updates for version 1.11 until March 9, 2021; users should upgrade to a patched version (e.g., 1.11.5 or later) [3]. No workarounds are available; applying the update is the only mitigation.
AI Insight generated on May 22, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
Affected packages
Versions sourced from the GitHub Security Advisory.
| Package | Affected versions | Patched versions |
|---|---|---|
| Microsoft.ChakraCore (NuGet) | < 1.11.5 | 1.11.5 |
Affected products
- Range: ChakraCore
Patches
788f17b0ce06: CVE-2019-0539, CVE-2019-0567 Edge - Chakra: JIT: Type confusion via NewScObjectNoCtor or InitProto - Google, Inc.
1 file changed · +9 −0
lib/Backend/GlobOptFields.cpp+9 −0 modified@@ -456,6 +456,15 @@ GlobOpt::ProcessFieldKills(IR::Instr *instr, BVSparse<JitArenaAllocator> *bv, bo } break; + case Js::OpCode::InitClass: + case Js::OpCode::InitProto: + case Js::OpCode::NewScObjectNoCtor: + if (inGlobOpt) + { + KillObjectHeaderInlinedTypeSyms(this->currentBlock, false); + } + break; + default: if (instr->UsesAllFields()) {
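Review bot: the three new cases in GlobOpt::ProcessFieldKills (InitClass, InitProto, NewScObjectNoCtor) have no comment saying why these opcodes must kill the object-header-inlined type syms, and the bare `false` passed to KillObjectHeaderInlinedTypeSyms gives no hint of what it selects. Please add a short comment above the cases stating the invariant being protected and what the second argument means. The kill is also guarded by `if (inGlobOpt)`; a note on why the other pass needs no equivalent handling would help the next reader. The change touches only lib/Backend/GlobOptFields.cpp (+9 −0), so no regression test accompanies it; a test exercising each of the three opcodes would keep the kill from being dropped in a later refactor.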
Vulnerability mechanics
Generated on May 9, 2026. Inputs: CWE entries + fix-commit diffs from this CVE's patches. Citations validated against bundle.
References
- www.exploit-db.com/exploits/46203/ (mitre: exploit, x_refsource_EXPLOIT-DB)
- www.exploit-db.com/exploits/46204/ (mitre: exploit, x_refsource_EXPLOIT-DB)
- www.exploit-db.com/exploits/46485/ (mitre: exploit, x_refsource_EXPLOIT-DB)
- github.com/advisories/GHSA-3w4v-qfqc-3433 (ghsa: ADVISORY)
- nvd.nist.gov/vuln/detail/CVE-2019-0539 (ghsa: ADVISORY)
- www.securityfocus.com/bid/106401 (mitre: vdb-entry, x_refsource_BID)
- github.com/chakra-core/ChakraCore/commit/788f17b0ce06ea84553b123c174d1ff7052112a0 (ghsa: WEB)
- portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2019-0539 (ghsa: x_refsource_CONFIRM, WEB)
- web.archive.org/web/20210124231213/http://www.securityfocus.com/bid/106401 (ghsa: WEB)
- www.exploit-db.com/exploits/46203 (ghsa: WEB)
- www.exploit-db.com/exploits/46204 (ghsa: WEB)
- www.exploit-db.com/exploits/46485 (ghsa: WEB)