Microsoft Edge MSDCPDF Javascript addIcon type confusion vulnerability [CVE-2023-36887]

August 1, 2023 Luke Simmonds 1667 Views 0 Comments CVE-2023-36887, Cyber Security, Microsoft, Microsoft Edge 0 min read

CVE number = CVE-2023-36887

A memory corruption vulnerability exists in the Javascript implementation of the Acrobat-based PDF engine in Microsoft Edge 112.0.1722.58 and 114.0.1776.0 Canary.

A specially crafted PDF document can trigger type confusion vulnerability when manipulating icons, which could lead to writes to arbitrary memory and possibly code execution or other side effects.

Victim would need to open a malicious file in the browser to trigger this vulnerability.

The versions below were either tested or verified to be vulnerable by Talos or confirmed to be vulnerable by the vendor.

Microsoft Edge 112.0.1722.58
Microsoft Edge 114.0.1776.0 Canary

Luke Simmonds

Blogger at www.systemtek.co.uk

Microsoft Edge MSDCPDF Javascript addIcon type confusion vulnerability [CVE-2023-36887]

Like this:

Related Posts

Luke Simmonds

Leave a ReplyCancel reply

Share this:

Like this:

Related Posts

Luke Simmonds

Leave a ReplyCancel reply