CVE-2019-0812
Description
Chakra scripting engine in Microsoft Edge has a memory corruption vulnerability due to improper type checking during property enumeration, allowing remote code execution.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
Vulnerability
The vulnerability is a memory corruption issue in the Chakra scripting engine used by Microsoft Edge. It arises from improper type checking during property enumeration in the PropertyString handling, specifically when the type does not match typeToEnumerate. This can lead to accessing invalid memory. Affected versions include ChakraCore 1.11.x and Microsoft Edge prior to the April 2019 security updates [1]. The fix, as seen in commit 4cb3bbd, adds an additional condition to ensure the type matches before setting property cache info [3].
Exploitation
An attacker would need to host a malicious website containing specially crafted JavaScript that triggers the vulnerability in Microsoft Edge. The victim must visit this website; no additional privileges beyond user interaction are required. The attack relies on the missing type check during property enumeration, causing memory corruption that can be leveraged to execute arbitrary code.
Impact
Successful exploitation allows remote code execution in the context of the current user. An attacker could gain the same rights as that user, potentially leading to full system compromise if the user has administrative privileges. The impact includes loss of confidentiality, integrity, and availability.
Mitigation
Microsoft released a security update for Edge in April 2019 addressing this vulnerability. For ChakraCore, the fix is available in commit 4cb3bbd and is included in later updates. Users should apply the latest Edge updates or update ChakraCore to a patched version. No workaround is available, and the vendor recommends immediate patching.
AI Insight generated on May 22, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
Affected packages
Versions sourced from the GitHub Security Advisory.
| Package | Affected versions | Patched versions |
|---|---|---|
| Microsoft.ChakraCore (NuGet) | < 1.11.8 | 1.11.8 |
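The version boundary in the table above can be checked against a project's own dependency files. The following is an added example, not code from the advisory or from ChakraCore: it reads a `.csproj` or `packages.config` and classifies the referenced Microsoft.ChakraCore version against 1.11.8. The sample project files are constructed, and the function names are this example's own.

```python
import xml.etree.ElementTree as ET

PACKAGE = "microsoft.chakracore"  # package id from the advisory table (lower-cased)
PATCHED = (1, 11, 8)              # first patched version from the advisory table

# Constructed sample inputs, not taken from any real project.
SAMPLE_CSPROJ = """<Project Sdk="Microsoft.NET.Sdk"><ItemGroup>
  <PackageReference Include="Microsoft.ChakraCore" Version="1.11.7" />
  <PackageReference Include="Example.Lib" Version="2.0.0" />
</ItemGroup></Project>"""
SAMPLE_PACKAGES_CONFIG = """<packages>
  <package id="Microsoft.ChakraCore" version="1.11.8" targetFramework="net472" />
</packages>"""

def classify(version):
    """Return 'vulnerable', 'patched', or 'unresolved' for one version string."""
    core, _, prerelease = version.strip().partition("-")
    try:
        parts = tuple(int(p) for p in core.split("."))
    except ValueError:  # floating ("1.11.*") or range ("[1.11,)") syntax
        return "unresolved"
    parts += (0,) * (3 - len(parts))
    if parts < PATCHED:
        return "vulnerable"
    if parts == PATCHED and prerelease:  # a prerelease sorts before 1.11.8 itself
        return "unresolved"
    return "patched"

def local(tag):
    """Strip an XML namespace so old-style .csproj files match as well."""
    return tag.rsplit("}", 1)[-1]

def audit(xml_text):
    """Return [(version, status)] for every ChakraCore reference in the file."""
    findings = []
    for el in ET.fromstring(xml_text).iter():
        kind = local(el.tag)
        if kind == "PackageReference" and el.get("Include", "").lower() == PACKAGE:
            # Version may be an attribute or a <Version> child element.
            version = el.get("Version") or next(
                (c.text for c in el if local(c.tag) == "Version"), None)
        elif kind == "package" and el.get("id", "").lower() == PACKAGE:
            version = el.get("version")
        else:
            continue
        findings.append((version, classify(version) if version else "unresolved"))
    return findings
```

An `unresolved` result means the file alone does not pin an exact release, so the resolved version has to be confirmed from the restore output or lock file.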
Affected products (3)
- Range: unspecified
Patches (1)
2 files changed · +2 −2
lib/Runtime/Types/DictionaryTypeHandler.cpp+1 −1 modified@@ -139,7 +139,7 @@ namespace Js PropertyString* propertyString = scriptContext->GetPropertyString(*propertyId); *propertyStringName = propertyString; T dataSlot = descriptor.template GetDataPropertyIndex<false>(); - if (dataSlot != NoSlots && (attribs & PropertyWritable)) + if (dataSlot != NoSlots && (attribs & PropertyWritable) && type == typeToEnumerate) { PropertyValueInfo::SetCacheInfo(info, propertyString, propertyString->GetLdElemInlineCache(), false); SetPropertyValueInfo(info, instance, dataSlot, &descriptor);
lib/Runtime/Types/SimpleTypeHandler.cpp+1 −1 modified@@ -328,7 +328,7 @@ namespace Js *propertyStringName = propStr; PropertyValueInfo::SetCacheInfo(info, propStr, propStr->GetLdElemInlineCache(), false); - if ((attribs & PropertyWritable) == PropertyWritable) + if ((attribs & PropertyWritable) == PropertyWritable && type == typeToEnumerate) { PropertyValueInfo::Set(info, instance, index, attribs); }
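Review bot: In lib/Runtime/Types/DictionaryTypeHandler.cpp, the new `type == typeToEnumerate` clause on the `if` carries no comment saying why the cache info and property value info must be skipped when the two types differ. A one-line comment above the condition would keep a later refactor from dropping it as redundant. Both changed files shown are under lib/Runtime/Types, so no regression test accompanies the change in this diff; a test that enumerates an object whose type differs from `typeToEnumerate` would pin the behavior.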
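Review bot: In lib/Runtime/Types/SimpleTypeHandler.cpp, `PropertyValueInfo::SetCacheInfo(info, propStr, propStr->GetLdElemInlineCache(), false);` still runs unconditionally before the `if`, so the added `type == typeToEnumerate` check only guards `PropertyValueInfo::Set`. In DictionaryTypeHandler.cpp the equivalent `SetCacheInfo` call sits inside the guarded block. Either move the call under the same condition here or add a comment explaining why setting cache info is safe on a type mismatch in this handler. Parenthesizing `(type == typeToEnumerate)` would also make the mixed `==` and `&&` expression easier to read.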
Vulnerability mechanics
Generated on May 9, 2026. Inputs: CWE entries + fix-commit diffs from this CVE's patches. Citations validated against bundle.
References (4)