Chakra Scripting Engine Memory Corruption Vulnerability
Description
A remote code execution vulnerability exists in the way that the Chakra scripting engine handles objects in memory in Microsoft Edge (HTML-based). The vulnerability could corrupt memory in such a way that an attacker could execute arbitrary code in the context of the current user. An attacker who successfully exploited the vulnerability could gain the same user rights as the current user. If the current user is logged on with administrative user rights, an attacker who successfully exploited the vulnerability could take control of an affected system. An attacker could then install programs; view, change, or delete data; or create new accounts with full user rights. In a web-based attack scenario, an attacker could host a specially crafted website that is designed to exploit the vulnerability through Microsoft Edge (HTML-based) and then convince a user to view the website. The attacker could also take advantage of compromised websites and websites that accept or host user-provided content or advertisements. These websites could contain specially crafted content that could exploit the vulnerability. The security update addresses the vulnerability by modifying how the Chakra scripting engine handles objects in memory.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
Chakra scripting engine memory corruption in Microsoft Edge allows remote code execution via crafted website, patched in June 2019.
CVE-2019-1002 is a remote code execution vulnerability in the Chakra scripting engine used by Microsoft Edge (HTML-based). The bug is a memory corruption issue that occurs when the engine improperly handles objects in memory, leading to exploitable memory corruption [1].
Exploitation requires an attacker to host a specially crafted website and convince a user to view it via Edge. This can be done through malicious websites or compromised sites hosting user content. No additional privileges are needed beyond the user's current context [1].
Successful exploitation allows arbitrary code execution in the user's context. If the user has administrative rights, the attacker can gain full system control, install programs, modify data, or create accounts [1].
Microsoft released a security update in June 2019 that addresses the vulnerability by modifying how Chakra handles objects in memory. Users should apply the update to mitigate the risk [1].
AI Insight generated on May 22, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
Affected packages
Versions sourced from the GitHub Security Advisory.
| Package | Affected versions | Patched versions |
|---|---|---|
Microsoft.ChakraCoreNuGet | < 1.11.10 | 1.11.10 |
Affected products
2- Range: 1.0..0
Patches
0No patches discovered yet.
Vulnerability mechanics
AI mechanics synthesis has not run for this CVE yet.
References
4- github.com/advisories/GHSA-4v6q-gjm6-6vv4ghsaADVISORY
- msrc.microsoft.com/update-guide/vulnerability/CVE-2019-1002ghsavendor-advisoryWEB
- nvd.nist.gov/vuln/detail/CVE-2019-1002ghsaADVISORY
- portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2019-1002ghsaWEB
News mentions
0No linked articles in our index yet.