Critical severity 9.8 · NVD Advisory · Published Nov 2, 2017 · Updated May 13, 2026
CVE-2017-11767
Description
ChakraCore allows an attacker to gain the same user rights as the current user, due to the way that the ChakraCore scripting engine handles objects in memory, aka "Scripting Engine Memory Corruption Vulnerability".
Affected packages
Versions sourced from the GitHub Security Advisory.
| Package | Affected versions | Patched versions |
|---|---|---|
| Microsoft.ChakraCore (NuGet) | < 1.6.2 | 1.6.2 |
Affected products
- Microsoft Corporation/ChakraCore · v5 · Range: ChakraCore
Patches
b3e3959d1481 · [CVE-2017-11767] Do not instantiate param scope if only the function expression symbol is captured
2 files changed · +22 −1
lib/Runtime/ByteCode/ByteCodeEmitter.cpp+14 −1 modified@@ -4219,7 +4219,20 @@ void ByteCodeGenerator::StartEmitFunction(ParseNode *pnodeFnc) { bodyScope->SetMustInstantiate(funcInfo->frameSlotsRegister != Js::Constants::NoRegister); } - paramScope->SetMustInstantiate(!pnodeFnc->sxFnc.IsBodyAndParamScopeMerged()); + + if (!pnodeFnc->sxFnc.IsBodyAndParamScopeMerged()) + { + if (funcInfo->frameObjRegister != Js::Constants::NoRegister) + { + paramScope->SetMustInstantiate(true); + } + else + { + // In the case of function expression being captured in the param scope the hasownlocalinclosure will be false for param scope, + // as function expression symbol stays in the function expression scope. We don't have to set mustinstantiate for param scope in that case. + paramScope->SetMustInstantiate(paramScope->GetHasOwnLocalInClosure()); + } + } } else {
test/es6/default-splitscope.js+8 −0 modified@@ -186,6 +186,14 @@ var tests = [ }; f13(); + var f14 = function f15(a = (function() { + return f15(1); + })()) { + with({}) { + }; + return a === 1 ? 10 : a; + }; + assert.areEqual(10, f14(), "Function expresison is captured in the param scope when no other formals are captured"); } }, {
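Review bot: In lib/Runtime/ByteCode/ByteCodeEmitter.cpp, when IsBodyAndParamScopeMerged() is true the new block never calls paramScope->SetMustInstantiate, whereas the removed line set it to false explicitly in that case, so the merged path now depends on whatever value the scope already holds. Either add an else branch that keeps the explicit SetMustInstantiate(false) or state in a comment that the default is relied on. The added comment explains only the GetHasOwnLocalInClosure() branch; a line on why frameObjRegister != Js::Constants::NoRegister forces instantiation would make the first branch reviewable as well, and the comment should spell the names as in the code (HasOwnLocalInClosure, MustInstantiate) so they can be searched.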
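Review bot: In test/es6/default-splitscope.js, the new f14/f15 case pins only the path its message names, where no formal other than the function expression symbol is captured, so the other outcome of the new condition in StartEmitFunction has no regression test in this change. Consider adding a sibling case in which a formal is captured in the param scope together with f15, asserting the same result. The assertion message also has a typo: "expresison" should read "expression".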
References
- www.securityfocus.com/bid/100838 (nvd: Third Party Advisory, VDB Entry)
- www.securitytracker.com/id/1039369 (nvd: Third Party Advisory, VDB Entry)
- github.com/advisories/GHSA-c79v-2rjq-965m (ghsa: ADVISORY)
- nvd.nist.gov/vuln/detail/CVE-2017-11767 (ghsa: ADVISORY)
- portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2017-11767 (nvd: Issue Tracking, Vendor Advisory)
- github.com/chakra-core/ChakraCore/commit/b3e3959d14814f42ee2197c504c322bcbe12347d (ghsa: WEB)
- github.com/chakra-core/ChakraCore/pull/3727 (ghsa: WEB)
- github.com/chakra-core/ChakraCore/pull/3727/commits/b3e3959d14814f42ee2197c504c322bcbe12347d (ghsa: WEB)
- msrc.microsoft.com/update-guide/en-US/advisory/CVE-2017-11767 (ghsa: WEB)
- web.archive.org/web/20210124103810/http://www.securityfocus.com/bid/100838 (ghsa: WEB)
- web.archive.org/web/20211127230635/http://www.securitytracker.com/id/1039369 (ghsa: WEB)