VYPR
Moderate severity · NVD Advisory · Published Mar 6, 2019 · Updated Aug 4, 2024

CVE-2019-0648

Description

An information disclosure vulnerability exists when Chakra improperly discloses the contents of its memory, which could provide an attacker with information to further compromise the user's computer or data. To exploit the vulnerability, an attacker must know the memory address of where the object was created. The update addresses the vulnerability by changing the way certain functions handle objects in memory, aka Scripting Engine Information Disclosure Vulnerability. This CVE ID is unique from CVE-2019-0658.

AI Insight

LLM-synthesized narrative grounded in this CVE's description and references.

Chakra improperly discloses memory contents, allowing information leakage that could aid further compromise.

Vulnerability

An information disclosure vulnerability exists in the Chakra scripting engine (used in Microsoft Edge and as the standalone ChakraCore) when it improperly discloses the contents of its memory. The bug occurs due to a failure to enforce that both the param and body scope require either a scope object or a scope slot in Scope::SetIsObject(). Affected versions include all Microsoft Edge builds on Windows 10 (32-bit and x64-based Systems) and ChakraCore before the February 2019 security update. This CVE is distinct from CVE-2019-0658 [1][2][4].

Exploitation

To exploit this vulnerability, an attacker must know the memory address of where the object was created. The attack is remote and requires no local access; an attacker would need to host a specially crafted webpage and convince a user to visit it (via email or web link). Once the page is rendered by the affected Chakra engine, the engine may inadvertently read memory outside the bounds of the targeted object, leaking sensitive data [1][2].

Impact

A successful exploit allows an attacker to read portions of the script engine's memory, potentially obtaining information that could be used to further compromise the user's computer or data. The impact is primarily a breach of confidentiality, as the attacker gains insight into memory layout and content but does not directly achieve code execution or privilege escalation [1].

Mitigation

Microsoft released a security update on February 12, 2019, which addressed the vulnerability by modifying how certain functions handle objects in memory. For Microsoft Edge, the fix was delivered via Windows Update. For ChakraCore, the fix is included in the commit referenced in pull request #5936 [4]. Users should apply the latest updates from Microsoft, and ChakraCore users should upgrade to the patched version. No workaround is available. The vulnerability is not currently listed on the CISA Known Exploited Vulnerabilities (KEV) catalog [1][4].

AI Insight generated on May 22, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.

Affected packages

Versions sourced from the GitHub Security Advisory.

Package: Microsoft.ChakraCore (NuGet)
Affected versions: < 1.11.6
Patched versions: 1.11.6
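
A check for the affected range listed above, as an added example (not part of the advisory or of ChakraCore): it scans NuGet manifests for Microsoft.ChakraCore references below 1.11.6. The manifest snippets are constructed samples, and `parse_version` and `find_chakracore` are hypothetical names chosen for this sketch.

```python
import re
import xml.etree.ElementTree as ET

PACKAGE = "microsoft.chakracore"  # NuGet package ids are case-insensitive
PATCHED = (1, 11, 6)              # first patched version per the advisory

def parse_version(text):
    """Exact numeric version as a tuple; None for ranges, floating
    versions (1.11.*), prereleases, or a missing value."""
    if not text or not re.fullmatch(r"\d+(\.\d+){0,3}", text.strip()):
        return None
    parts = [int(p) for p in text.strip().split(".")]
    return tuple(parts + [0] * (3 - len(parts)))

def find_chakracore(manifest_xml):
    """Return [(version_string, status)] for each ChakraCore reference in a
    packages.config or SDK-style project file (trusted local input only)."""
    results = []
    for el in ET.fromstring(manifest_xml).iter():
        tag = el.tag.split("}")[-1]  # drop any XML namespace prefix
        if tag == "package":
            name, ver = el.get("id"), el.get("version")
        elif tag == "PackageReference":
            name = el.get("Include") or el.get("Update")
            ver = el.get("Version")
            if ver is None:  # version may be given as a child element
                ver = next((c.text for c in el
                            if c.tag.split("}")[-1] == "Version"), None)
        else:
            continue
        if (name or "").lower() != PACKAGE:
            continue
        parsed = parse_version(ver)
        if parsed is None:
            status = "unknown"  # pinned elsewhere or not exact: check by hand
        else:
            status = "vulnerable" if parsed[:3] < PATCHED else "patched"
        results.append((ver, status))
    return results

# Constructed sample manifests (not taken from any real project).
SAMPLE_PACKAGES_CONFIG = """<packages>
  <package id="Newtonsoft.Json" version="12.0.1" />
  <package id="Microsoft.ChakraCore" version="1.11.5" />
</packages>"""
SAMPLE_CSPROJ = """<Project Sdk="Microsoft.NET.Sdk"><ItemGroup>
  <PackageReference Include="microsoft.chakracore" Version="1.11.6" />
  <PackageReference Include="Microsoft.ChakraCore" />
</ItemGroup></Project>"""

if __name__ == "__main__":
    for sample in (SAMPLE_PACKAGES_CONFIG, SAMPLE_CSPROJ):
        print(find_chakracore(sample))
```

References reported as "unknown" have no exact version in the manifest itself (for example a centrally managed or floating version) and need to be resolved from the restore output.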

Patches

1a7790f873b1

[CVE-2019-0648] Edge - ChakraCore OOB read - Individual

https://github.com/chakra-core/ChakraCore · Michael Holman · Jan 22, 2019 · via ghsa
1 file changed · +11 -20
  • lib/Parser/RegexParser.cpp · +11 -20 · modified
    @@ -2493,32 +2493,23 @@ namespace UnifiedRegex
                 case 'W':
                     return false;
                 case 'c':
    -                if (standardEncodedChars->IsLetter(ECLookahead())) // terminating 0 is not a letter
    +                if (!standardEncodedChars->IsLetter(ECLookahead())) //Letter set [A-Z, a-z]
    +                {
    +                    // Fail in unicode mode for non-letter escaped control characters according to 262 Annex-B RegExp grammar spec #prod-annexB-Term 
    +                    DeferredFailIfUnicode(JSERR_RegExpInvalidEscape);
    +                }
    +
    +                if (standardEncodedChars->IsWord(ECLookahead())) // word set [A-Z,a-z,0-9,_], terminating 0 is not a word character
                     {
                         singleton = UTC(Chars<EncodedChar>::CTU(ECLookahead()) % 32);
                         ECConsume();
                     }
                     else
                     {
    -                    DeferredFailIfUnicode(JSERR_RegExpInvalidEscape); // Fail in unicode mode for non-letter escaped control characters according to 262 Annex-B RegExp grammar spec #prod-annexB-Term
    -
    -                    if (!IsEOF())
    -                    {
    -                        EncodedChar ecLookahead = ECLookahead();
    -                        switch (ecLookahead)
    -                        {
    -                        case '-':
    -                        case ']':
    -                            singleton = c;
    -                            break;
    -                        default:
    -                            singleton = UTC(Chars<EncodedChar>::CTU(ecLookahead) % 32);
    -                            ECConsume();
    -                            break;
    -                        }
    -                    }
    -                    else
    -                        singleton = c;
    +                    // If the lookahead is a non-alphanumeric and not an underscore ('_'), then treat '\' and 'c' separately.
    +                    //#sec-regular-expression-patterns-semantics 
    +                    ECRevert(1); //Put cursor back at 'c' and treat it as a non-escaped character.
    +                    singleton = '\\';
                     }
                     return true;
                 case 'x':
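
Review bot: The rewritten `case 'c':` branch removes the explicit `if (!IsEOF())` guard, so end-of-pattern safety now rests only on the terminating 0 being classified as neither a letter nor a word character in the two `ECLookahead()` checks, which the trailing comments state but nothing enforces. Consider keeping an explicit EOF check or adding an assertion before `ECConsume()`, and documenting that `ECRevert(1)` assumes exactly one encoded character was consumed for `c`. The change also alters behaviour for `-` and `]` after `\c` (previously `singleton = c` with the cursor left in place, now the revert path with `singleton = '\\'`), yet the commit touches only RegexParser.cpp; regression tests for `\c` followed by a digit, `_`, `-`, `]` and end of pattern, in both unicode and non-unicode mode, would pin down the intended result.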
    

Vulnerability mechanics

Generated on May 9, 2026. Inputs: CWE entries + fix-commit diffs from this CVE's patches. Citations validated against bundle.
