Exploit Development: Browser Exploitation on Windows - CVE-2019-0567, A Microsoft Edge Type Confusion Vulnerability (Part 1)
ID: d3e98f9d-3461-5ae1-b04b-41c0ebb2f911
STIX ID: report--d3e98f9d-3461-5ae1-b04b-41c0ebb2f911
Feed Name: Connor McGarr’s Blog
This post (part one of a series) sets up a Windows/ChakraCore environment, explains Chakra/ChakraCore JavaScript object memory layouts (inlined properties, auxSlots, NaN-boxing), and performs a root-cause analysis of CVE-2019-0567, a JIT-induced type confusion triggered by InitProto/SetPrototype that forces a type transition and causes auxSlots pointer corruption. Using a Project Zero PoC and WinDbg, it shows how speculative JIT removes type checks, leading to an out-of-bounds write at object+0x10 and a subsequent crash when accessing properties. This lays the groundwork for turning the bug into a read/write primitive and eventual code execution (with CFG/ACG considerations) in later parts.
