CVE-2019-0567
Description
A type confusion vulnerability in ChakraCore's JIT compiler can lead to remote code execution in Microsoft Edge and ChakraCore.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
Vulnerability
The vulnerability is a type confusion bug in the Chakra scripting engine, affecting both Microsoft Edge and the open-source ChakraCore [1]. It exists in the JIT-compiled code path where the NewScObjectNoCtor and InitProto opcodes are treated as having no side effects, but they can actually cause a transition to a new type via the SetIsPrototype method of the type handler. This leads to incorrect type assumptions, allowing the attacker to overwrite internal pointers, such as property slot pointers [4]. All versions prior to the January 2019 security update are affected; for ChakraCore, versions up to 1.11 are vulnerable [3][4].
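The stale type assumption described above, and the effect of the fix listed under Patches, as an added toy model in C++ (not ChakraCore code and not from the cited references). The three opcode names come from the patch; `Optimize`, `Result`, `CheckType`, `SlotAccess` and the sample block are constructed for illustration, and the model drops every type proof where the real patch calls `KillObjectHeaderInlinedTypeSyms`.

```cpp
#include <cstddef>
#include <cstdio>
#include <set>
#include <string>
#include <vector>

// Toy model of redundant type-check elimination; not ChakraCore code.
enum class Op { CheckType, SlotAccess, InitClass, InitProto, NewScObjectNoCtor };
struct Instr { Op op; std::string sym; };
using OpSet = std::set<Op>;

// The three opcodes the patch handles: each may move an object to a new type.
const OpSet kTypeChanging = {Op::InitClass, Op::InitProto, Op::NewScObjectNoCtor};
const OpSet kBeforeFix = {};            // optimizer treats them as side-effect free
const OpSet kAfterFix = kTypeChanging;  // optimizer drops its type proofs on them

struct Result {
    std::vector<std::size_t> keptChecks;     // CheckType instructions left in place
    std::vector<std::size_t> staleAccesses;  // SlotAccess relying on an outdated proof
};

// `kills` is the set of opcodes the optimizer believes invalidate type proofs.
Result Optimize(const std::vector<Instr>& block, const OpSet& kills) {
    std::set<std::string> proven, stale;
    Result r;
    for (std::size_t i = 0; i < block.size(); ++i) {
        const Instr& in = block[i];
        if (kTypeChanging.count(in.op)) {
            if (kills.count(in.op)) { proven.clear(); stale.clear(); }  // modelled kill
            else stale.insert(proven.begin(), proven.end());  // proofs silently outdated
        } else if (in.op == Op::CheckType) {
            if (proven.insert(in.sym).second) {  // first proof of this sym: keep the check
                r.keptChecks.push_back(i);
                stale.erase(in.sym);
            }                                    // otherwise elided as redundant
        } else if (stale.count(in.sym)) {        // SlotAccess under an outdated proof
            r.staleAccesses.push_back(i);
        }
    }
    return r;
}
// Constructed block: check o, use o, InitProto on o, check o again, use o.
const std::vector<Instr> kSample = {
    {Op::CheckType, "o"}, {Op::SlotAccess, "o"}, {Op::InitProto, "o"},
    {Op::CheckType, "o"}, {Op::SlotAccess, "o"}};

int main() {
    Result b = Optimize(kSample, kBeforeFix), a = Optimize(kSample, kAfterFix);
    std::printf("stale accesses before fix: %zu, after fix: %zu\n",
                b.staleAccesses.size(), a.staleAccesses.size());
}
```

With the pre-fix kill set the second check is removed as redundant and the final slot access runs on a type that may no longer hold; with the post-fix set the check is re-emitted after `InitProto`.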
Exploitation
The attacker must first convince a user to visit a specially crafted web page in Edge (or process it in an application embedding ChakraCore). The exploit requires no authentication beyond the user visiting the page. The attack involves running JavaScript that triggers the JIT compilation of a function (e.g., opt()) with a crafted prototype or constructor. By manipulating the prototype chain and object properties across multiple invocations, the attacker causes the JIT to generate code with faulty type assumptions. The provided proof-of-concept demonstrates the technique: after approximately 2000 iterations to train the JIT, a call with a controlled value (e.g., 0x1234) overwrites a property slot pointer, leading to type confusion [4].
Impact
Successful exploitation allows a remote attacker to execute arbitrary code in the context of the current user. If the user is logged on with administrative privileges, the attacker could take control of the system, install programs, view/change/delete data, or create new accounts. The vulnerability is classified as remote code execution with critical severity [1].
Mitigation
Microsoft released a security update on January 8, 2019, which addressed this vulnerability in all affected versions of Microsoft Edge and ChakraCore [1]. For ChakraCore, the open-source project announced it would continue providing security updates for version 1.11 until March 9, 2021, after which users must rely on community-maintained forks or upgrade to a supported branch [3]. There is no known workaround other than applying the fix. This CVE is not listed on the KEV catalog as of the last check.
AI Insight generated on May 22, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
Affected packages
Versions sourced from the GitHub Security Advisory.
| Package | Affected versions | Patched versions |
|---|---|---|
| Microsoft.ChakraCore (NuGet) | < 1.11.5 | 1.11.5 |
Affected products
- Range: ChakraCore
Patches
788f17b0ce06: CVE-2019-0539, CVE-2019-0567 Edge - Chakra: JIT: Type confusion via NewScObjectNoCtor or InitProto - Google, Inc.
1 file changed · +9 −0
lib/Backend/GlobOptFields.cpp+9 −0 modified@@ -456,6 +456,15 @@ GlobOpt::ProcessFieldKills(IR::Instr *instr, BVSparse<JitArenaAllocator> *bv, bo } break; + case Js::OpCode::InitClass: + case Js::OpCode::InitProto: + case Js::OpCode::NewScObjectNoCtor: + if (inGlobOpt) + { + KillObjectHeaderInlinedTypeSyms(this->currentBlock, false); + } + break; + default: if (instr->UsesAllFields()) {
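Review bot: The new case block for InitClass, InitProto and NewScObjectNoCtor in GlobOpt::ProcessFieldKills has no comment saying why these opcodes must kill type syms, and the bare `false` passed to KillObjectHeaderInlinedTypeSyms does not say what it selects. A one-line comment above the cases (that these opcodes can move an object to a new type) and an inline comment naming the boolean argument would keep a later reader from removing the kill as unnecessary. The kill is gated on `if (inGlobOpt)` with no else branch, so it is worth stating in the same comment whether the other path needs no handling. The commit changes only lib/Backend/GlobOptFields.cpp (+9 −0), so no regression test accompanies the fix; one covering each of the three opcodes should be added.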
Vulnerability mechanics
Generated on May 9, 2026. Inputs: CWE entries + fix-commit diffs from this CVE's patches. Citations validated against bundle.
References
- www.exploit-db.com/exploits/46203/ (mitre; exploit; x_refsource_EXPLOIT-DB)
- github.com/advisories/GHSA-6x4f-5v4h-r29j (ghsa; ADVISORY)
- nvd.nist.gov/vuln/detail/CVE-2019-0567 (ghsa; ADVISORY)
- www.securityfocus.com/bid/106418 (mitre; vdb-entry; x_refsource_BID)
- github.com/chakra-core/ChakraCore/commit/788f17b0ce06ea84553b123c174d1ff7052112a0 (ghsa; WEB)
- portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2019-0567 (ghsa; x_refsource_CONFIRM; WEB)
- web.archive.org/web/20210124231426/http://www.securityfocus.com/bid/106418 (ghsa; WEB)
- www.exploit-db.com/exploits/46203 (ghsa; WEB)