CVE-2017-11792
Description
ChakraCore and Microsoft Edge in Microsoft Windows 10 1703 allow an attacker to execute arbitrary code in the context of the current user, due to how the scripting engine handles objects in memory, aka "Scripting Engine Memory Corruption Vulnerability". This CVE ID is unique from CVE-2017-11793, CVE-2017-11796, CVE-2017-11798, CVE-2017-11799, CVE-2017-11800, CVE-2017-11801, CVE-2017-11802, CVE-2017-11804, CVE-2017-11805, CVE-2017-11806, CVE-2017-11807, CVE-2017-11808, CVE-2017-11809, CVE-2017-11810, CVE-2017-11811, CVE-2017-11812, and CVE-2017-11821.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
ChakraCore and Microsoft Edge on Windows 10 1703 are vulnerable to remote code execution due to memory corruption in the scripting engine, allowing an attacker to execute arbitrary code in the current user context.
Vulnerability
A memory corruption vulnerability exists in the scripting engine (ChakraCore) used by Microsoft Edge on Windows 10 version 1703. The issue arises from improper handling of objects in memory, leading to corruption that can be exploited. This affects ChakraCore and Microsoft Edge on Windows 10 1703, as well as earlier versions of Windows 10 with the Fall Creators Update not applied. The vulnerability is classified as CWE-119 (Improper Restriction of Operations within the Bounds of a Memory Buffer). [1][2]
Exploitation
An attacker can host a specially crafted website that, when visited by a user through Microsoft Edge or an application hosting the Edge WebBrowser control, triggers the memory corruption. No authentication or additional privileges are required. The user must simply visit the malicious site. The vulnerability can also be triggered via embedded content in Microsoft Office documents that use the scripting rendering engine. [2][4]
Impact
Successful exploitation allows the attacker to execute arbitrary code in the context of the current user. This can lead to complete compromise of the affected system, including installation of programs, viewing, changing, or deleting data, and creating new accounts with full user rights. The attacker gains the same privileges as the logged-on user. [1][2][4]
Mitigation
Microsoft released a security update on October 10, 2017, as part of the October 2017 Patch Tuesday. The update addresses this vulnerability and is included in KB4041676 for Windows 10 version 1703. Users should apply the update through Windows Update or by downloading the standalone package. For ChakraCore, a fix was committed on GitHub (pull request #3917). No workarounds are available; applying the update is the only mitigation. [2][3][4]
- NVD - CVE-2017-11792
- Microsoft Edge Scripting Engine CVE-2017-11792 Remote Memory Corruption Vulnerability
- 17-10 Security Update that addresses the following issues in ChakraCore by agarwal-sandeep · Pull Request #3917 · chakra-core/ChakraCore
- Microsoft Edge Object Memory Handling Flaws in Scripting Engine Let Remote Users Execute Arbitrary Code and Obtain Potentially Sensitive Information
AI Insight generated on May 22, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
Affected packages
Versions sourced from the GitHub Security Advisory.
| Package | Affected versions | Patched versions |
|---|---|---|
Microsoft.ChakraCoreNuGet | < 1.7.3 | 1.7.3 |
Affected products
4- Microsoft Corporation/ChakraCore, Microsoft Edgev5Range: ChakraCore and Microsoft Windows 10 1703
Patches
14e319aa937ee[CVE-2017-11792] Partially initialized data in chakra JIT leads to OOB read/write in RPC - Internal
1 file changed · +1 −1
lib/JITClient/JITManager.cpp+1 −1 modified@@ -13,7 +13,7 @@ void * __RPC_USER midl_user_allocate( #endif size_t size) { - return (HeapAlloc(GetProcessHeap(), 0, size)); + return (HeapAlloc(GetProcessHeap(), HEAP_ZERO_MEMORY, size)); } void __RPC_USER midl_user_free(_Pre_maybenull_ _Post_invalid_ void * ptr)
Vulnerability mechanics
Generated on May 9, 2026. Inputs: CWE entries + fix-commit diffs from this CVE's patches. Citations validated against bundle.
References
9- portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2017-11792nvdPatchVendor AdvisoryWEB
- www.securityfocus.com/bid/101078nvdThird Party AdvisoryVDB Entry
- www.securitytracker.com/id/1039529nvdThird Party AdvisoryVDB Entry
- github.com/advisories/GHSA-8h76-7vc3-mj3vghsaADVISORY
- nvd.nist.gov/vuln/detail/CVE-2017-11792ghsaADVISORY
- github.com/chakra-core/ChakraCore/commit/4e319aa937eeb0c076411ac0fd644225753bcc72ghsaWEB
- github.com/chakra-core/ChakraCore/pull/3917ghsaWEB
- web.archive.org/web/20210124105224/http://www.securityfocus.com/bid/101078ghsaWEB
- web.archive.org/web/20210723180751/http://www.securitytracker.com/id/1039529ghsaWEB
News mentions
0No linked articles in our index yet.