Full title: Microsoft Edge Chakra CFG Bypass With leafInterpreterFrame Vulnerability
Category: dos / poc
Platform: windows

Chakra suffers from a CFG bypass with leafInterpreterFrame. Every JavaScript variable in Chakra (except a tagged int) is a pointer. From this pointer, using an arbitrary read, it is possible to follow a chain of pointers and end up with a pointer to the native stack. This allows disclosing the stack location and subsequently overwriting a return address on the stack, leading to a CFG bypass.

Source: 0day.today @ http://0day.today/