High severityNVD Advisory· Published Apr 9, 2019· Updated Aug 4, 2024

CVE-2019-0861

Description

A memory corruption vulnerability in Chakra scripting engine in Microsoft Edge allows remote code execution via crafted web content.

AI Insight

LLM-synthesized narrative grounded in this CVE's description and references.

A memory corruption vulnerability in Chakra scripting engine in Microsoft Edge allows remote code execution via crafted web content.

Vulnerability

Description CVE-2019-0861 is a remote code execution vulnerability in the Chakra scripting engine used by Microsoft Edge. The bug is a memory corruption issue that occurs when the engine improperly handles objects in memory [1][2][3]. The vulnerability was discovered by Qixun Zhao of Qihoo 360 Vulcan Team [2].

Exploitation

An attacker can exploit this vulnerability by hosting a specially crafted website or by injecting malicious content into a legitimate site that a user visits with Edge. No additional privileges are needed beyond normal user interaction; simply visiting the malicious page triggers the flaw [2][3].

Impact

Successful exploitation allows an attacker to execute arbitrary code in the context of the current user. If the user has administrative rights, the attacker can take full control of the system, install programs, view/change/delete data, or create new accounts [2][3].

Mitigation

Microsoft released a security update as part of its April 2019 Patch Tuesday to address this vulnerability [3]. For ChakraCore, a corresponding fix was merged via pull request #6087 [1]. Users should ensure their systems and applications are updated to the latest versions.

References

AI Insight generated on May 22, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.

Affected packages

Versions sourced from the GitHub Security Advisory.

Package	Affected versions	Patched versions
Microsoft.ChakraCoreNuGet	< 1.11.8	1.11.8

Affected products

ghsa-coords
pkg:nuget/microsoft.chakracore
Range: < 1.11.8
Microsoft/Chakracorecpe-rescue
Range: unspecified
Microsoft/Edgecpe-rescue
Range: Windows 10 for 32-bit Systems

Patches

b481337f2ae6

CVE-2019-0861 Chakra JIT Type Confusion 2 14 for Edge Bounty

https://github.com/chakra-core/ChakraCorePaul LeathersMar 21, 2019via ghsa

commit

1 file changed · +5 −0

lib/Runtime/Language/JavascriptOperators.cpp+5 −0 modified

@@ -9582,6 +9582,11 @@ using namespace Js;
 
             Var result = CALL_ENTRYPOINT(threadContext, marshalledFunction->GetEntryPoint(), function, CallInfo(flags, 2), thisVar, putValue);
             Assert(result);
+
+            // Set implicit call flags so we bail out if we're trying to propagate the stored value forward. We can't count on the getter/setter
+            // to produce the stored value on a LdFld.
+            threadContext->AddImplicitCallFlags(ImplicitCall_Accessor);
+
             return nullptr;
         });
     }

Vulnerability mechanics

Generated on May 9, 2026. Inputs: CWE entries + fix-commit diffs from this CVE's patches. Citations validated against bundle.

References

github.com/advisories/GHSA-qxmj-3c5h-546cghsaADVISORY
nvd.nist.gov/vuln/detail/CVE-2019-0861ghsaADVISORY
www.securityfocus.com/bid/107724mitrevdb-entryx_refsource_BID
github.com/chakra-core/ChakraCore/commit/b481337f2ae6e92efd919692c6691996947f49ecghsaWEB
github.com/chakra-core/ChakraCore/pull/6087ghsaWEB
portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2019-0861ghsax_refsource_MISCWEB
web.archive.org/web/20210125022152/http://www.securityfocus.com/bid/107724ghsaWEB

News mentions

No linked articles in our index yet.

cvss	0.455
epss	0.008
exploit	0.000
kev	0.000
patch	-0.070
ransomware	0.000