High severity 7.5 · NVD Advisory · Published Oct 13, 2017 · Updated May 13, 2026

CVE-2017-11801

Description

ChakraCore allows an attacker to execute arbitrary code in the context of the current user, due to how the ChakraCore scripting engine handles objects in memory, aka "Scripting Engine Information Disclosure Vulnerability". This CVE ID is unique from CVE-2017-11792, CVE-2017-11793, CVE-2017-11796, CVE-2017-11797, CVE-2017-11798, CVE-2017-11799, CVE-2017-11800, CVE-2017-11802, CVE-2017-11804, CVE-2017-11805, CVE-2017-11806, CVE-2017-11807, CVE-2017-11808, CVE-2017-11809, CVE-2017-11810, CVE-2017-11811, CVE-2017-11812, and CVE-2017-11821.

Affected packages

Versions sourced from the GitHub Security Advisory.

Package                        Affected versions   Patched versions
Microsoft.ChakraCore (NuGet)   < 1.7.3             1.7.3

Affected products

2
  • cpe:2.3:a:microsoft:chakracore:*:*:*:*:*:*:*:*
    Range: <=1.7.2
  • Microsoft Corporation/ChakraCorev5
    Range: ChakraCore

Patches

1
7b936e208e6a

[CVE-2017-11801] Out of bound read on deferred stub - Individual

https://github.com/chakra-core/ChakraCore · Aneesh Divakarakurup · Sep 27, 2017 · via ghsa
1 file changed · +3 -2
  • lib/Runtime/Base/FunctionBody.cpp · +3 -2 · modified
    @@ -1912,8 +1912,9 @@ namespace Js
         {
             Assert(pnodeFnc->nop == knopFncDecl);
     
    -        Recycler *recycler = GetScriptContext()->GetRecycler();
    -        this->SetDeferredStubs(BuildDeferredStubTree(pnodeFnc, recycler));
    +        // TODO: Disabling the creation of deferred stubs for now. We need to rethink the design again as the current behavior
    +        // is not usable with precise capturing.
    +        this->SetDeferredStubs(nullptr);
         }
     
         FunctionInfoArray ParseableFunctionInfo::GetNestedFuncArray()
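
Review bot: The TODO comment above the new `this->SetDeferredStubs(nullptr);` call gives precise capturing as the only reason for disabling stub creation and never mentions the out-of-bounds read named in the commit title, so a later change could restore the `BuildDeferredStubTree(pnodeFnc, recycler)` call without knowing it was removed as a security fix. Suggest saying in the comment that deferred stubs are disabled for CVE-2017-11801 and pointing to the follow-up work for the redesign. With that call gone, `pnodeFnc` is referenced only by the `Assert` in this function, and `BuildDeferredStubTree` may be left without callers; it is worth confirming both, and confirming that every reader of the deferred stubs handles `nullptr`, before merging.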
    
