VulnerableCode Vulnerability Details

Staging Environment: Content and features may be unstable or change without notice.

Search for vulnerabilities

Vulnerability details: VCID-k8jf-jm72-jkab

Essentials
Severities (13)
References (8)
Severity details (12)
Exploits (0)
EPSS
History (1)

Vulnerability ID	VCID-k8jf-jm72-jkab
Aliases	CVE-2019-0991 GHSA-6973-94v8-5mgw
Summary	Chakra Scripting Engine Out-of-bounds write A remote code execution vulnerability exists in the way that the Chakra scripting engine handles objects in memory in Microsoft Edge (HTML-based). The vulnerability could corrupt memory in such a way that an attacker could execute arbitrary code in the context of the current user. An attacker who successfully exploited the vulnerability could gain the same user rights as the current user. If the current user is logged on with administrative user rights, an attacker who successfully exploited the vulnerability could take control of an affected system. An attacker could then install programs; view, change, or delete data; or create new accounts with full user rights. In a web-based attack scenario, an attacker could host a specially crafted website that is designed to exploit the vulnerability through Microsoft Edge (HTML-based) and then convince a user to view the website. The attacker could also take advantage of compromised websites and websites that accept or host user-provided content or advertisements. These websites could contain specially crafted content that could exploit the vulnerability. The security update addresses the vulnerability by modifying how the Chakra scripting engine handles objects in memory.
Status	Published
Exploitability	None
Weighted Severity	None
Risk	None
Affected and Fixed Packages	Package Details

Weaknesses (3)

CWE-787	Out-of-bounds Write
CWE-937	OWASP Top Ten 2013 Category A9 - Using Components with Known Vulnerabilities
CWE-1035	OWASP Top Ten 2017 Category A9 - Using Components with Known Vulnerabilities

System	Score	Found at
epss	0.01456	https://api.first.org/data/v1/epss?cve=CVE-2019-0991
cvssv3.1	7.5	https://github.com/chakra-core/ChakraCore
generic_textual	HIGH	https://github.com/chakra-core/ChakraCore
cvssv3.1	7.5	https://github.com/chakra-core/ChakraCore/commit/1caa4118796d33513bc40ce894c053a92de98abb
generic_textual	HIGH	https://github.com/chakra-core/ChakraCore/commit/1caa4118796d33513bc40ce894c053a92de98abb
cvssv3.1	7.5	https://github.com/chakra-core/ChakraCore/commit/3d6226cc2d1077537220361c82e34a362c6c76ee
generic_textual	HIGH	https://github.com/chakra-core/ChakraCore/commit/3d6226cc2d1077537220361c82e34a362c6c76ee
cvssv3.1	7.5	https://msrc.microsoft.com/update-guide/vulnerability/CVE-2019-0991
generic_textual	HIGH	https://msrc.microsoft.com/update-guide/vulnerability/CVE-2019-0991
cvssv3.1	7.5	https://nvd.nist.gov/vuln/detail/CVE-2019-0991
generic_textual	HIGH	https://nvd.nist.gov/vuln/detail/CVE-2019-0991
cvssv3.1	7.5	https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2019-0991
generic_textual	HIGH	https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2019-0991

Reference id	Reference type	URL
		https://api.first.org/data/v1/epss?cve=CVE-2019-0991
		https://github.com/chakra-core/ChakraCore
		https://github.com/chakra-core/ChakraCore/commit/1caa4118796d33513bc40ce894c053a92de98abb
		https://github.com/chakra-core/ChakraCore/commit/3d6226cc2d1077537220361c82e34a362c6c76ee
CVE-2019-0991		https://msrc.microsoft.com/update-guide/vulnerability/CVE-2019-0991
CVE-2019-0991		https://nvd.nist.gov/vuln/detail/CVE-2019-0991
CVE-2019-0991		https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2019-0991
GHSA-6973-94v8-5mgw		https://github.com/advisories/GHSA-6973-94v8-5mgw

No exploits are available.

Vector: CVSS:3.0/AV:N/AC:H/PR:N/UI:R/S:U/C:H/I:H/A:H Found at https://github.com/chakra-core/ChakraCore

Attack Vector (AV)	Attack Complexity (AC)	Privileges Required (PR)	User Interaction (UI)	Scope (S)	Confidentiality Impact (C)	Integrity Impact (I)	Availability Impact (A)
network adjacent_network local physical	low high	none low high	none required	unchanged changed	high low none	high low none	high low none

Attack Vector (AV)

Attack Complexity (AC)

Privileges Required (PR)

User Interaction (UI)

Scope (S)

Confidentiality Impact (C)

Integrity Impact (I)

Availability Impact (A)

network

adjacent_network

local

physical

low

high

none

low

high

none

required

unchanged

changed

high

low

none

high

low

none

high

low

none

Vector: CVSS:3.0/AV:N/AC:H/PR:N/UI:R/S:U/C:H/I:H/A:H Found at https://github.com/chakra-core/ChakraCore/commit/1caa4118796d33513bc40ce894c053a92de98abb

Attack Vector (AV)	Attack Complexity (AC)	Privileges Required (PR)	User Interaction (UI)	Scope (S)	Confidentiality Impact (C)	Integrity Impact (I)	Availability Impact (A)
network adjacent_network local physical	low high	none low high	none required	unchanged changed	high low none	high low none	high low none

Attack Vector (AV)

Attack Complexity (AC)

Privileges Required (PR)

User Interaction (UI)

Scope (S)

Confidentiality Impact (C)

Integrity Impact (I)

Availability Impact (A)

network

adjacent_network

local

physical

low

high

none

low

high

none

required

unchanged

changed

high

low

none

high

low

none

high

low

none

Vector: CVSS:3.0/AV:N/AC:H/PR:N/UI:R/S:U/C:H/I:H/A:H Found at https://github.com/chakra-core/ChakraCore/commit/3d6226cc2d1077537220361c82e34a362c6c76ee

Attack Vector (AV)	Attack Complexity (AC)	Privileges Required (PR)	User Interaction (UI)	Scope (S)	Confidentiality Impact (C)	Integrity Impact (I)	Availability Impact (A)
network adjacent_network local physical	low high	none low high	none required	unchanged changed	high low none	high low none	high low none

Attack Vector (AV)

Attack Complexity (AC)

Privileges Required (PR)

User Interaction (UI)

Scope (S)

Confidentiality Impact (C)

Integrity Impact (I)

Availability Impact (A)

network

adjacent_network

local

physical

low

high

none

low

high

none

required

unchanged

changed

high

low

none

high

low

none

high

low

none

Vector: CVSS:3.0/AV:N/AC:H/PR:N/UI:R/S:U/C:H/I:H/A:H Found at https://msrc.microsoft.com/update-guide/vulnerability/CVE-2019-0991

Attack Vector (AV)	Attack Complexity (AC)	Privileges Required (PR)	User Interaction (UI)	Scope (S)	Confidentiality Impact (C)	Integrity Impact (I)	Availability Impact (A)
network adjacent_network local physical	low high	none low high	none required	unchanged changed	high low none	high low none	high low none

Attack Vector (AV)

Attack Complexity (AC)

Privileges Required (PR)

User Interaction (UI)

Scope (S)

Confidentiality Impact (C)

Integrity Impact (I)

Availability Impact (A)

network

adjacent_network

local

physical

low

high

none

low

high

none

required

unchanged

changed

high

low

none

high

low

none

high

low

none

Vector: CVSS:3.0/AV:N/AC:H/PR:N/UI:R/S:U/C:H/I:H/A:H Found at https://nvd.nist.gov/vuln/detail/CVE-2019-0991

Attack Vector (AV)	Attack Complexity (AC)	Privileges Required (PR)	User Interaction (UI)	Scope (S)	Confidentiality Impact (C)	Integrity Impact (I)	Availability Impact (A)
network adjacent_network local physical	low high	none low high	none required	unchanged changed	high low none	high low none	high low none

Attack Vector (AV)

Attack Complexity (AC)

Privileges Required (PR)

User Interaction (UI)

Scope (S)

Confidentiality Impact (C)

Integrity Impact (I)

Availability Impact (A)

network

adjacent_network

local

physical

low

high

none

low

high

none

required

unchanged

changed

high

low

none

high

low

none

high

low

none

Vector: CVSS:3.0/AV:N/AC:H/PR:N/UI:R/S:U/C:H/I:H/A:H Found at https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2019-0991

Attack Vector (AV)	Attack Complexity (AC)	Privileges Required (PR)	User Interaction (UI)	Scope (S)	Confidentiality Impact (C)	Integrity Impact (I)	Availability Impact (A)
network adjacent_network local physical	low high	none low high	none required	unchanged changed	high low none	high low none	high low none

Attack Vector (AV)

Attack Complexity (AC)

Privileges Required (PR)

User Interaction (UI)

Scope (S)

Confidentiality Impact (C)

Integrity Impact (I)

Availability Impact (A)

network

adjacent_network

local

physical

low

high

none

low

high

none

required

unchanged

changed

high

low

none

high

low

none

high

low

none

Exploit Prediction Scoring System (EPSS)

Percentile	0.81163
EPSS Score	0.01456
Published At	June 4, 2026, 12:55 p.m.

Date	Actor	Action	Source	VulnerableCode Version
2026-06-04T16:20:58.076008+00:00	GitLab Importer	Import	https://gitlab.com/gitlab-org/advisories-community/-/blob/main/nuget/Microsoft.ChakraCore/CVE-2019-0991.yml	38.6.0