High severity7.5NVD Advisory· Published Dec 12, 2017· Updated May 13, 2026

CVE-2017-11914

Description

ChakraCore and Microsoft Edge in Windows 10 1511, 1607, 1703, 1709, and Windows Server 2016 allows an attacker to gain the same user rights as the current user, due to how the scripting engine handles objects in memory, aka "Scripting Engine Memory Corruption Vulnerability". This CVE ID is unique from CVE-2017-11886, CVE-2017-11889, CVE-2017-11890, CVE-2017-11893, CVE-2017-11894, CVE-2017-11895, CVE-2017-11901, CVE-2017-11903, CVE-2017-11905, CVE-2017-11905, CVE-2017-11907, CVE-2017-11908, CVE-2017-11909, CVE-2017-11910, CVE-2017-11911, CVE-2017-11912, CVE-2017-11913, CVE-2017-11916, CVE-2017-11918, and CVE-2017-11930.

Affected packages

Versions sourced from the GitHub Security Advisory.

Package	Affected versions	Patched versions
Microsoft.ChakraCoreNuGet	< 1.7.5	1.7.5

Affected products

Microsoft Corporation/ChakraCore, Microsoft Edgev5
Range: Windows 10 1511, 1607, 1703, 1709, and Windows Server 2016.
Microsoft/Edge
cpe:2.3:a:microsoft:edge:-:*:*:*:*:*:*:*
Microsoft/Chakracore
cpe:2.3:a:microsoft:chakracore:*:*:*:*:*:*:*:*
Range: <1.7.5

Patches

b48808827939

[CVE-2017-11914] JavascriptGeneratorFunction::GetPropertyBuiltIns exposes scriptFunction - Google, Inc.

https://github.com/chakra-core/ChakraCoreAneesh DivakarakurupDec 1, 2017via ghsa

commit

1 file changed · +1 −1

lib/Runtime/Library/JavascriptGeneratorFunction.cpp+1 −1 modified

@@ -307,7 +307,7 @@ namespace Js
             // to get the length from our private ScriptFunction instead of ourself.
             int len = 0;
             Var varLength;
-            if (scriptFunction->GetProperty(scriptFunction, PropertyIds::length, &varLength, NULL, requestContext))
+            if (scriptFunction->GetProperty(this, PropertyIds::length, &varLength, NULL, requestContext))
             {
                 len = JavascriptConversion::ToInt32(varLength, requestContext);
             }

Vulnerability mechanics

Generated by null/stub on May 9, 2026. Inputs: CWE entries + fix-commit diffs from this CVE's patches. Citations validated against bundle.

References

portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2017-11914nvdPatchVendor AdvisoryWEB
www.exploit-db.com/exploits/43713/nvdExploitThird Party AdvisoryVDB Entry
www.securityfocus.com/bid/102088nvdThird Party AdvisoryVDB Entry
www.securitytracker.com/id/1039990nvdThird Party AdvisoryVDB Entry
github.com/advisories/GHSA-8r5c-8v97-g7vhghsaADVISORY
nvd.nist.gov/vuln/detail/CVE-2017-11914ghsaADVISORY
github.com/chakra-core/ChakraCore/commit/b488088279391deaaacfce4f0756caaefc284109ghsaWEB
github.com/chakra-core/ChakraCore/pull/4411ghsaWEB
web.archive.org/web/20210124122728/http://www.securityfocus.com/bid/102088ghsaWEB
web.archive.org/web/20210829201729/http://www.securitytracker.com/id/1039990ghsaWEB
www.exploit-db.com/exploits/43713ghsaWEB

News mentions

No linked articles in our index yet.

cvss	0.488
epss	0.059
exploit	0.030
kev	0.000
patch	-0.070
ransomware	0.000