Vendor: Microsoft Edge
By: Not provided
CVSS: 7.5 (HIGH)
Vulnerability Type: Type Confusion
CWE: Not provided
Product Name: Microsoft Edge
Affected Version From: Windows 10 Enterprise 64-bit (OS version 1607, OS build 14393.1198) and Microsoft Edge 38.14393.1066.0, Microsoft EdgeHTML 14.14393
Affected Version To: Not provided
Patch Exists: Not provided
Related CWE: Not provided
CPE: Not provided
Platforms Tested: Windows 10 Enterprise 64-bit
Type Confusion Vulnerability in Microsoft Edge
There is a type confusion vulnerability in Microsoft Edge. The crash happens inside CAttrArray::PrivateFindInl. The rcx register (the this pointer) is supposed to point to a CAttrArray, but it actually points to a CAttribute. CAttrArray::PrivateFindInl only performs reads, and its return value is discarded by the calling function (CAttrArray::SetParsed). However, the actual type confusion happens further down the stack (possibly inside CssParser::RecordProperty), and if CAttrArray::PrivateFindInl returns false (which an attacker can control), CAttrArray::Set is also called with the wrong type, which might lead to more serious consequences.
Mitigation:
Mitigation or remediation for this vulnerability not provided