High severity7.5NVD Advisory· Published Dec 12, 2017· Updated May 13, 2026

CVE-2017-11911

Description

ChakraCore and Windows 10 1511, 1607, 1703, 1709, and Windows Server 2016 allows an attacker to execute arbitrary code in the context of the current user, due to how the scripting engine handles objects in memory, aka "Scripting Engine Memory Corruption Vulnerability". This CVE ID is unique from CVE-2017-11886, CVE-2017-11889, CVE-2017-11890, CVE-2017-11893, CVE-2017-11894, CVE-2017-11895, CVE-2017-11901, CVE-2017-11903, CVE-2017-11905, CVE-2017-11905, CVE-2017-11907, CVE-2017-11908, CVE-2017-11909, CVE-2017-11910, CVE-2017-11912, CVE-2017-11913, CVE-2017-11914, CVE-2017-11916, CVE-2017-11918, and CVE-2017-11930.

Affected packages

Versions sourced from the GitHub Security Advisory.

Package	Affected versions	Patched versions
Microsoft.ChakraCoreNuGet	< 1.7.5	1.7.5

Affected products

Microsoft Corporation/ChakraCore, Microsoft Edgev5
Range: ChakraCore and Windows 10 1511, 1607, 1703, 1709, and Windows Server 2016.
Microsoft/Edge
cpe:2.3:a:microsoft:edge:-:*:*:*:*:*:*:*
Microsoft/Chakracore
cpe:2.3:a:microsoft:chakracore:*:*:*:*:*:*:*:*
Range: <1.7.5

Patches

a5d6be626305

[CVE-2017-11911] OOB read in asm.js - Google, Inc.

https://github.com/chakra-core/ChakraCoreMichael HolmanNov 14, 2017via ghsa

commit

1 file changed · +8 −0

lib/Runtime/Language/AsmJsModule.cpp+8 −0 modified

@@ -839,6 +839,7 @@ namespace Js
         AsmJsSIMDValue simdValue;
         simdValue.Zero();
         // define all variables
+        BVSparse<ArenaAllocator> initializerBV(&mAllocator);
         while (pnode->nop == knopList)
         {
             ParseNode * varNode = ParserWrapper::GetBinaryLeft(pnode);
@@ -932,6 +933,12 @@ namespace Js
                 {
                     return Fail(decl, _u("Failed to define var"));
                 }
+                // If we are declaring a var that we previously used in an initializer, that value will be undefined
+                // so we need to throw an error.
+                if (initializerBV.Test(var->GetName()->GetPropertyId()))
+                {
+                    return Fail(decl, _u("Cannot declare a var after using it in an initializer"));
+                }
                 RegSlot loc = Constants::NoRegister;
                 if (pnodeInit->nop == knopInt)
                 {
@@ -970,6 +977,7 @@ namespace Js
                     if (declSym->GetSymbolType() == AsmJsSymbol::Variable)
                     {
                         AsmJsVar * definition = declSym->Cast<AsmJsVar>();
+                        initializerBV.Set(definition->GetName()->GetPropertyId());
                         switch (definition->GetVarType().which())
                         {
                         case AsmJsVarType::Double:

Vulnerability mechanics

Generated by null/stub on May 9, 2026. Inputs: CWE entries + fix-commit diffs from this CVE's patches. Citations validated against bundle.

References

portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2017-11911nvdPatchVendor AdvisoryWEB
www.exploit-db.com/exploits/43468/nvdExploitThird Party AdvisoryVDB Entry
www.securityfocus.com/bid/102087nvdThird Party AdvisoryVDB Entry
www.securitytracker.com/id/1039990nvdThird Party AdvisoryVDB Entry
github.com/advisories/GHSA-qfcq-4vv7-9mq7ghsaADVISORY
nvd.nist.gov/vuln/detail/CVE-2017-11911ghsaADVISORY
github.com/chakra-core/ChakraCore/commit/a5d6be626305671166f21db359c1c06a3a372b8bghsaWEB
github.com/chakra-core/ChakraCore/pull/4411ghsaWEB
web.archive.org/web/20210124122722/http://www.securityfocus.com/bid/102087ghsaWEB
web.archive.org/web/20210829201729/http://www.securitytracker.com/id/1039990ghsaWEB
www.exploit-db.com/exploits/43468ghsaWEB

News mentions

No linked articles in our index yet.

cvss	0.488
epss	0.059
exploit	0.030
kev	0.000
patch	-0.070
ransomware	0.000