VYPR
← All advisories
High severityNVD Advisory· Published Mar 12, 2020· Updated Aug 4, 2024

CVE-2020-0828

CVE-2020-0828

Description

A remote code execution vulnerability exists in the way that the ChakraCore scripting engine handles objects in memory, aka 'Scripting Engine Memory Corruption Vulnerability'. This CVE ID is unique from CVE-2020-0768, CVE-2020-0823, CVE-2020-0825, CVE-2020-0826, CVE-2020-0827, CVE-2020-0829, CVE-2020-0830, CVE-2020-0831, CVE-2020-0832, CVE-2020-0833, CVE-2020-0848.

AI Insight

LLM-synthesized narrative grounded in this CVE's description and references.

ChakraCore memory corruption remote code execution vulnerability in object handling, attackable via malicious web content.

Vulnerability

Overview

CVE-2020-0828 is a remote code execution vulnerability in the ChakraCore scripting engine, which is used by Microsoft Edge and other applications. The flaw stems from the way ChakraCore handles objects in memory, leading to memory corruption when processing specially crafted web content [1]. This vulnerability is part of a group of similar scripting engine flaws disclosed in March 2020 [1].

Exploitation

Exploitation requires an attacker to host a malicious website or inject content into an existing one. The victim must then visit that page using a browser that relies on ChakraCore, such as legacy Microsoft Edge. No special authentication is needed; the attack works over the network by tricking the user into browsing to the malicious site [1].

Impact

Successful exploitation allows the attacker to execute arbitrary code in the context of the current user. If the user is logged in with administrative privileges, the attacker could then install programs, view/change/delete data, or create new accounts with full user rights [1]. The impact is system compromise and potential lateral movement within an organization.

Mitigation

Microsoft released security updates addressing this vulnerability on March 10, 2020 [1]. Users should apply the latest updates for affected Microsoft Edge installations or update ChakraCore NuGet packages. There are no workarounds; patching is essential. The flaw was not listed in the CISA Known Exploited Vulnerabilities catalog as of the publication date, but given the prevalence of scripting engine exploits, immediate patching is recommended.

References
  1. NVD - CVE-2020-0828

AI Insight generated on May 21, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.

Affected packages

Versions sourced from the GitHub Security Advisory.

PackageAffected versionsPatched versions
Microsoft.ChakraCoreNuGet
< 1.11.171.11.17

Affected products

23
  • ghsa-coords
    pkg:nuget/microsoft.chakracore
    Range: < 1.11.17
  • Microsoft/ChakraCorev5
    Range: unspecified
  • Microsoft/Microsoft Edge (EdgeHTML-based) on Windows 10 for 32-bit Systemsv5
    Range: unspecified
  • Microsoft/Microsoft Edge (EdgeHTML-based) on Windows 10 for x64-based Systemsv5
    Range: unspecified
  • Microsoft/Microsoft Edge (EdgeHTML-based) on Windows 10 Version 1607 for 32-bit Systemsv5
    Range: unspecified
  • Microsoft/Microsoft Edge (EdgeHTML-based) on Windows 10 Version 1607 for x64-based Systemsv5
    Range: unspecified
  • Microsoft/Microsoft Edge (EdgeHTML-based) on Windows 10 Version 1709 for 32-bit Systemsv5
    Range: unspecified
  • Microsoft/Microsoft Edge (EdgeHTML-based) on Windows 10 Version 1709 for ARM64-based Systemsv5
    Range: unspecified
  • Microsoft/Microsoft Edge (EdgeHTML-based) on Windows 10 Version 1709 for x64-based Systemsv5
    Range: unspecified
  • Microsoft/Microsoft Edge (EdgeHTML-based) on Windows 10 Version 1803 for 32-bit Systemsv5
    Range: unspecified
  • Microsoft/Microsoft Edge (EdgeHTML-based) on Windows 10 Version 1803 for ARM64-based Systemsv5
    Range: unspecified
  • Microsoft/Microsoft Edge (EdgeHTML-based) on Windows 10 Version 1803 for x64-based Systemsv5
    Range: unspecified
  • Microsoft/Microsoft Edge (EdgeHTML-based) on Windows 10 Version 1809 for 32-bit Systemsv5
    Range: unspecified
  • Microsoft/Microsoft Edge (EdgeHTML-based) on Windows 10 Version 1809 for ARM64-based Systemsv5
    Range: unspecified
  • Microsoft/Microsoft Edge (EdgeHTML-based) on Windows 10 Version 1809 for x64-based Systemsv5
    Range: unspecified
  • Microsoft/Microsoft Edge (EdgeHTML-based) on Windows 10 Version 1903 for 32-bit Systemsv5
    Range: unspecified
  • Microsoft/Microsoft Edge (EdgeHTML-based) on Windows 10 Version 1903 for ARM64-based Systemsv5
    Range: unspecified
  • Microsoft/Microsoft Edge (EdgeHTML-based) on Windows 10 Version 1903 for x64-based Systemsv5
    Range: unspecified
  • Microsoft/Microsoft Edge (EdgeHTML-based) on Windows 10 Version 1909 for 32-bit Systemsv5
    Range: unspecified
  • Microsoft/Microsoft Edge (EdgeHTML-based) on Windows 10 Version 1909 for ARM64-based Systemsv5
    Range: unspecified
  • Microsoft/Microsoft Edge (EdgeHTML-based) on Windows 10 Version 1909 for x64-based Systemsv5
    Range: unspecified
  • Microsoft/Microsoft Edge (EdgeHTML-based) on Windows Server 2016v5
    Range: unspecified
  • Microsoft/Microsoft Edge (EdgeHTML-based) on Windows Server 2019v5
    Range: unspecified

Patches

0

No patches discovered yet.

Vulnerability mechanics

AI mechanics synthesis has not run for this CVE yet.

References

3

News mentions

0

No linked articles in our index yet.