CVE-2019-0568
Description
Remote code execution vulnerability in Chakra scripting engine in Microsoft Edge due to improper handling of objects in memory.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
Vulnerability
A remote code execution vulnerability exists in the way that the Chakra scripting engine handles objects in memory in Microsoft Edge [1][2]. This affects Microsoft Edge and ChakraCore. The vulnerability is caused by a memory corruption issue when the scripting engine processes specially crafted web content. The issue was addressed in a security update released in January 2019. This CVE is distinct from CVE-2019-0539 and CVE-2019-0567 [1].
Exploitation
An attacker who successfully exploited this vulnerability could gain the same user rights as the current user. To trigger the vulnerability, a user must visit a maliciously crafted webpage in Microsoft Edge. The attacker could host a website containing the malicious content, or could leverage compromised websites or ad networks to deliver the exploit. No additional privileges or user interaction are required beyond the initial visit [2].
Impact
Successful exploitation allows an attacker to execute arbitrary code in the context of the current user. If the current user is logged on with administrative privileges, an attacker could take control of the affected system. This could lead to installation of programs, viewing, changing, or deleting data, or creating new accounts with full user rights [1][2].
Mitigation
Microsoft released a security update as part of the January 2019 Patch Tuesday (January 8, 2019) that addresses this vulnerability. Users should apply the update via Windows Update. ChakraCore users should update to version 1.11 or later, as Microsoft continued to provide security updates for ChakraCore 1.11 until March 2021 [3]. For Microsoft Edge, the update is included in the cumulative update for Windows 10. No known workarounds exist [1].
AI Insight generated on May 22, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
Affected packages
Versions sourced from the GitHub Security Advisory.
| Package | Affected versions | Patched versions |
|---|---|---|
| Microsoft.ChakraCore (NuGet) | < 1.11.5 | 1.11.5 |
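A check for the affected range in the table above, as an added example (not code from the advisory or the ChakraCore project). It assumes NuGet references held in packages.config or .csproj text; the function names and sample documents are constructed for illustration.

```python
import re
import xml.etree.ElementTree as ET

PACKAGE = "microsoft.chakracore"  # NuGet ids compare case-insensitively
PATCHED = (1, 11, 5, 0)           # from the "Patched versions" column

def classify(version):
    """Return 'affected', 'patched' or 'unresolved' for a version string."""
    m = re.fullmatch(r"(\d+(?:\.\d+){1,3})(-[0-9A-Za-z.-]+)?(\+.*)?", (version or "").strip())
    if not m:  # ranges, wildcards, $(Property) references, missing attribute
        return "unresolved"
    nums = [int(p) for p in m.group(1).split(".")]
    nums = tuple(nums + [0] * (4 - len(nums)))
    # Assumption: a pre-release of 1.11.5 sorts below 1.11.5, so treat it as affected.
    if nums < PATCHED or (nums == PATCHED and m.group(2)):
        return "affected"
    return "patched"

def local(tag):
    return tag.rsplit("}", 1)[-1]  # drop an MSBuild XML namespace if present

def find_chakracore(xml_text):
    """Return [(version, status)] for ChakraCore references in a packages.config or .csproj."""
    results = []
    for el in ET.fromstring(xml_text).iter():
        if local(el.tag) == "package":
            name, version = el.get("id"), el.get("version")
        elif local(el.tag) == "PackageReference":
            name, version = el.get("Include"), el.get("Version")
            if version is None:  # <Version> child element form
                version = next((c.text for c in el if local(c.tag) == "Version"), None)
        else:
            continue
        if (name or "").lower() == PACKAGE:
            results.append((version, classify(version)))
    return results

# Constructed sample inputs, not taken from any real project.
SAMPLE_PACKAGES_CONFIG = """<packages>
  <package id="Microsoft.ChakraCore" version="1.11.4" targetFramework="net461" />
  <package id="Newtonsoft.Json" version="12.0.1" targetFramework="net461" />
</packages>"""
SAMPLE_CSPROJ = """<Project Sdk="Microsoft.NET.Sdk"><ItemGroup>
  <PackageReference Include="microsoft.chakracore"><Version>1.11.5</Version></PackageReference>
</ItemGroup></Project>"""

if __name__ == "__main__":
    for doc in (SAMPLE_PACKAGES_CONFIG, SAMPLE_CSPROJ):
        print(find_chakracore(doc))
```

References reported as `unresolved` (version ranges, wildcards, MSBuild properties or centrally managed versions) need to be checked against the resolved dependency graph rather than the project file.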
Affected products (3)
- Range: ChakraCore
Patches (1)
d73c5f12d9c5 CVE-2019-0568 Edge - Chakra: JIT: JsBuiltInEngineInterfaceExtensionObject::InjectJsBuiltInLibraryCode just clears DisableImplicitFlags - Google, Inc.
1 file changed · +28 −8
lib/Runtime/Library/JsBuiltInEngineInterfaceExtensionObject.cpp+28 −8 modified@@ -100,6 +100,26 @@ namespace Js { return; } + + struct AutoRestoreFlags + { + ThreadContext * ctx; + ImplicitCallFlags savedImplicitCallFlags; + DisableImplicitFlags savedDisableImplicitFlags; + AutoRestoreFlags(ThreadContext *ctx, Js::ImplicitCallFlags implFlags, DisableImplicitFlags disableImplFlags) : + ctx(ctx), + savedImplicitCallFlags(implFlags), + savedDisableImplicitFlags(disableImplFlags) + { + ctx->ClearDisableImplicitFlags(); + } + + ~AutoRestoreFlags() + { + ctx->SetImplicitCallFlags((Js::ImplicitCallFlags)(savedImplicitCallFlags)); + ctx->SetDisableImplicitFlags((DisableImplicitFlags)savedDisableImplicitFlags); + } + }; try { EnsureJsBuiltInByteCode(scriptContext); 
@@ -138,19 +158,19 @@ namespace Js scriptContext->GetThreadContext()->SetNoJsReentrancy(false); #endif // Clear disable implicit call bit as initialization code doesn't have any side effect - Js::ImplicitCallFlags saveImplicitCallFlags = scriptContext->GetThreadContext()->GetImplicitCallFlags(); - scriptContext->GetThreadContext()->ClearDisableImplicitFlags(); - JavascriptFunction::CallRootFunctionInScript(functionGlobal, Js::Arguments(callInfo, args)); - scriptContext->GetThreadContext()->SetImplicitCallFlags((Js::ImplicitCallFlags)(saveImplicitCallFlags)); + { + AutoRestoreFlags autoRestoreFlags(scriptContext->GetThreadContext(), scriptContext->GetThreadContext()->GetImplicitCallFlags(), scriptContext->GetThreadContext()->GetDisableImplicitFlags()); + JavascriptFunction::CallRootFunctionInScript(functionGlobal, Js::Arguments(callInfo, args)); + } Js::ScriptFunction *functionBuiltins = scriptContext->GetLibrary()->CreateScriptFunction(jsBuiltInByteCode->GetNestedFunctionForExecution(0)); functionBuiltins->SetPrototype(scriptContext->GetLibrary()->nullValue); // Clear disable implicit call bit as initialization code doesn't have any side effect - saveImplicitCallFlags = scriptContext->GetThreadContext()->GetImplicitCallFlags(); - scriptContext->GetThreadContext()->ClearDisableImplicitFlags(); - JavascriptFunction::CallRootFunctionInScript(functionBuiltins, Js::Arguments(callInfo, args)); - scriptContext->GetThreadContext()->SetImplicitCallFlags((Js::ImplicitCallFlags)(saveImplicitCallFlags)); + { + AutoRestoreFlags autoRestoreFlags(scriptContext->GetThreadContext(), scriptContext->GetThreadContext()->GetImplicitCallFlags(), scriptContext->GetThreadContext()->GetDisableImplicitFlags()); + JavascriptFunction::CallRootFunctionInScript(functionBuiltins, Js::Arguments(callInfo, args)); + } InitializePrototypes(scriptContext); #if DBG_DUMP
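Review bot: In the first hunk (@@ -100,6 +100,26 @@), the AutoRestoreFlags constructor takes the values to restore as parameters instead of reading them from ctx, so correctness depends on every caller passing ctx->GetImplicitCallFlags() and ctx->GetDisableImplicitFlags() for that same ThreadContext. Having the constructor capture both values from ctx itself would remove that failure mode and shorten the call sites. The struct is also implicitly copyable, and a copy would run the restore twice, so deleting the copy constructor and copy assignment is worth doing. The casts in the destructor are redundant because the members already have the target types.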
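Review bot: In the second hunk (@@ -138,19 +158,19 @@), the retained comment "Clear disable implicit call bit as initialization code doesn't have any side effect" sits above both call sites and no longer describes them: the scoped AutoRestoreFlags now also puts DisableImplicitFlags back when the scope ends, which the removed lines never did (they restored only ImplicitCallFlags). The comment should say that the flags are cleared for the call and restored on scope exit, since that restore is the substance of the fix. The page shows 1 file changed, so no regression test accompanies the change; a test asserting that DisableImplicitFlags are unchanged across InjectJsBuiltInLibraryCode would guard the behaviour. scriptContext->GetThreadContext() is evaluated three times per call site and could be hoisted into a local.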
Vulnerability mechanics
Generated on May 9, 2026. Inputs: CWE entries + fix-commit diffs from this CVE's patches. Citations validated against bundle.
References (8)
- www.exploit-db.com/exploits/46205/ (mitre: exploit, x_refsource_EXPLOIT-DB)
- github.com/advisories/GHSA-2m5h-6g38-jjf2 (ghsa: ADVISORY)
- nvd.nist.gov/vuln/detail/CVE-2019-0568 (ghsa: ADVISORY)
- www.securityfocus.com/bid/106420 (mitre: vdb-entry, x_refsource_BID)
- github.com/chakra-core/ChakraCore/commit/d73c5f12d9c5cbbf64f59ae04e76a531b3e844b3 (ghsa: WEB)
- portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2019-0568 (ghsa: x_refsource_CONFIRM, WEB)
- web.archive.org/web/20210124231429/https://www.securityfocus.com/bid/106420 (ghsa: WEB)
- www.exploit-db.com/exploits/46205 (ghsa: WEB)