VYPR
← All advisories
High severity7.5NVD Advisory· Published May 12, 2017· Updated May 13, 2026

CVE-2017-0234

CVE-2017-0234

Description

A remote code execution vulnerability exists in Microsoft Edge in the way that the Chakra JavaScript engine renders when handling objects in memory, aka "Scripting Engine Memory Corruption Vulnerability." This CVE ID is unique from CVE-2017-0224, CVE-2017-0228, CVE-2017-0229, CVE-2017-0230, CVE-2017-0235, CVE-2017-0236, and CVE-2017-0238.

AI Insight

LLM-synthesized narrative grounded in this CVE's description and references.

Remote code execution in Microsoft Edge's Chakra engine due to aggressive bounds check removal for virtual typed arrays, allowing OOB memory access.

Vulnerability

A remote code execution vulnerability exists in the Chakra JavaScript engine used by Microsoft Edge. The issue lies in the GlobOpt::OptArraySrc function in the JIT compiler, where bounds checks for virtual typed arrays were too aggressively removed, allowing out-of-bounds memory access. This affects Microsoft Edge prior to the May 2017 security update and ChakraCore before commit a1345ad [1][4].

Exploitation

An attacker can host a crafted website containing specially crafted JavaScript that triggers the vulnerability when visited in Microsoft Edge. The attacker needs no authentication and the user only needs to visit the site. The vulnerability can be exploited without user interaction beyond normal browsing [1].

Impact

Successful exploitation allows the attacker to execute arbitrary code in the context of the current user. This could lead to full compromise of the user's system, including data disclosure and installation of programs [1].

Mitigation

Microsoft released a security update in May 2017 as part of cumulative updates for Microsoft Edge. For ChakraCore, the fix was included in a servicing release on May 10, 2017 [2] and is incorporated in updates after commit a1345ad [4]. Users should apply the latest updates. ChakraCore security updates were provided until March 2021 [3].

References
  1. NVD - CVE-2017-0234
  2. 17-05 ChakraCore servicing release by rajatd · Pull Request #2959 · chakra-core/ChakraCore
  3. GitHub - chakra-core/ChakraCore: ChakraCore is an open source Javascript engine with a C API.
  4. [CVE-2017-0234] Too aggressive bound check removal · chakra-core/ChakraCore@a1345ad

AI Insight generated on May 22, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.

Affected packages

Versions sourced from the GitHub Security Advisory.

PackageAffected versionsPatched versions
Microsoft.ChakraCoreNuGet
< 1.4.41.4.4

Affected products

4
  • Microsoft/Edge2 versions
    cpe:2.3:a:microsoft:edge:*:*:*:*:*:*:*:*+ 1 more
    • cpe:2.3:a:microsoft:edge:*:*:*:*:*:*:*:*
    • (no CPE)
  • ghsa-coords
    pkg:nuget/microsoft.chakracore
    Range: < 1.4.4
  • Microsoft Corporation/Microsoft Edgev5
    Range: Windows 10 for 32-bit Systems, Windows 10 for x64-based Systems, Windows 10 Version 1511 for 32-bit Systems, Windows 10 Version 1511 for x64-based Systems, Windows 10 Version 1607 for 32-bit Systems, Windows 10 Version 1607 for x64-based Systems, Windows 10 Version 1703 for 32-bit Systems, and Windows 10 Version 1703 for x64-based Systems.

Patches

1
a1345ad48064

[CVE-2017-0234] Too aggressive bound check removal

https://github.com/chakra-core/ChakraCoreRajat DuaMay 8, 2017via ghsa
commit
1 file changed · +31 3
  • lib/Backend/GlobOpt.cpp+31 3 modified
    @@ -16338,9 +16338,37 @@ GlobOpt::OptArraySrc(IR::Instr * *const instrRef)
             )
            )
         {
-            eliminatedLowerBoundCheck = true;
-            eliminatedUpperBoundCheck = true;
-            canBailOutOnArrayAccessHelperCall = false;
+            // Unless we're in asm.js (where it is guaranteed that virtual typed array accesses cannot read/write beyond 4GB),
+            // check the range of the index to make sure we won't access beyond the reserved memory beforing eliminating bounds
+            // checks in jitted code.
+            if (!GetIsAsmJSFunc())
+            {
+                IR::RegOpnd * idxOpnd = baseOwnerIndir->GetIndexOpnd();
+                if (idxOpnd)
+                {
+                    StackSym * idxSym = idxOpnd->m_sym->IsTypeSpec() ? idxOpnd->m_sym->GetVarEquivSym(nullptr) : idxOpnd->m_sym;
+                    Value * idxValue = FindValue(idxSym);
+                    IntConstantBounds idxConstantBounds;
+                    if (idxValue && idxValue->GetValueInfo()->TryGetIntConstantBounds(&idxConstantBounds))
+                    {
+                        BYTE indirScale = Lowerer::GetArrayIndirScale(baseValueType);
+                        int32 upperBound = idxConstantBounds.UpperBound();
+                        int32 lowerBound = idxConstantBounds.LowerBound();
+                        if (lowerBound >= 0 && ((static_cast<uint64>(upperBound) << indirScale) < MAX_ASMJS_ARRAYBUFFER_LENGTH))
+                        {
+                            eliminatedLowerBoundCheck = true;
+                            eliminatedUpperBoundCheck = true;
+                            canBailOutOnArrayAccessHelperCall = false;
+                        }
+                    }
+                }
+            }
+            else
+            {
+                eliminatedLowerBoundCheck = true;
+                eliminatedUpperBoundCheck = true;
+                canBailOutOnArrayAccessHelperCall = false;
+            }
         }
     }

Vulnerability mechanics

Generated on May 9, 2026. Inputs: CWE entries + fix-commit diffs from this CVE's patches. Citations validated against bundle.

References

9

News mentions

0

No linked articles in our index yet.