CVE-2020-1065
Description
A remote code execution vulnerability exists in the way that the ChakraCore scripting engine handles objects in memory, aka 'Scripting Engine Memory Corruption Vulnerability'.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
ChakraCore contains a remote code execution vulnerability: memory corruption caused by improper handling of nested function scopes allows arbitrary code execution.
Root cause
The vulnerability exists in the ChakraCore scripting engine's handling of nested function declarations within parameter scopes. A previous fix removed the body scope of an enclosing function when a nested function is declared in the param scope, leading to incorrect envIndex calculation for symbols captured from enclosing scopes. This memory corruption can be triggered without authentication [1][4].
Exploitation
An attacker can exploit this by crafting a malicious website that triggers the flawed scope handling. The vulnerability is accessible via the scripting engine's processing of JavaScript code, requiring no special privileges or user interaction beyond visiting the page [1][3].
Impact
Successful exploitation allows the attacker to execute arbitrary code in the context of the browser or application hosting ChakraCore. This could lead to full system compromise [1].
Mitigation
Microsoft has released a security update for ChakraCore version 1.11, with the fix included in the 2020.05B servicing release. Users are advised to update to the patched version. The fix ensures correct environment index calculation by marking parameter scopes as mustInstantiate=true when nested functions are present [3][4].
AI Insight generated on May 21, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
Affected packages
Versions sourced from the GitHub Security Advisory.
| Package | Affected versions | Patched versions |
|---|---|---|
| Microsoft.ChakraCoreNuGet | < 1.11.19 | 1.11.19 |
Affected products
- Microsoft/ChakraCore (v5 range: unspecified)
- Microsoft/Microsoft Edge (EdgeHTML-based) on Windows 10 Version 1803 for 32-bit Systems (v5 range: unspecified)
- Microsoft/Microsoft Edge (EdgeHTML-based) on Windows 10 Version 1803 for ARM64-based Systems (v5 range: unspecified)
- Microsoft/Microsoft Edge (EdgeHTML-based) on Windows 10 Version 1803 for x64-based Systems (v5 range: unspecified)
- Microsoft/Microsoft Edge (EdgeHTML-based) on Windows 10 Version 1809 for 32-bit Systems (v5 range: unspecified)
- Microsoft/Microsoft Edge (EdgeHTML-based) on Windows 10 Version 1809 for ARM64-based Systems (v5 range: unspecified)
- Microsoft/Microsoft Edge (EdgeHTML-based) on Windows 10 Version 1809 for x64-based Systems (v5 range: unspecified)
- Microsoft/Microsoft Edge (EdgeHTML-based) on Windows 10 Version 1903 for 32-bit Systems (v5 range: unspecified)
- Microsoft/Microsoft Edge (EdgeHTML-based) on Windows 10 Version 1903 for ARM64-based Systems (v5 range: unspecified)
- Microsoft/Microsoft Edge (EdgeHTML-based) on Windows 10 Version 1903 for x64-based Systems (v5 range: unspecified)
- Microsoft/Microsoft Edge (EdgeHTML-based) on Windows 10 Version 1909 for 32-bit Systems (v5 range: unspecified)
- Microsoft/Microsoft Edge (EdgeHTML-based) on Windows 10 Version 1909 for ARM64-based Systems (v5 range: unspecified)
- Microsoft/Microsoft Edge (EdgeHTML-based) on Windows 10 Version 1909 for x64-based Systems (v5 range: unspecified)
- Microsoft/Microsoft Edge (EdgeHTML-based) on Windows Server 2019 (v5 range: unspecified)
Patches
e245029151a5 [CVE-2020-1065] A previous MSRC fix removes the body scope of an enclosing function when a nested function is declared in the param scope of that enclosing function. This can result in us calculating incorrect envIndex for any symbols captured from enclosing scopes if this skipped body scope appears in the frameDisplay being passed to the nested function. This fix addresses the issue by marking the parameter scope also as mustInstantiate = true so we end up computing the correct envIndex. This problem and the fix only triggers when the enclosing function's param and body scopes are merged so the param and body scopes will never appear together in the scope stack and as such will not mess up the envIndex.
1 file changed · +17 −0
lib/Runtime/ByteCode/ScopeInfo.cpp+17 −0 modified@@ -194,6 +194,23 @@ namespace Js ScopeInfo * scopeInfo = ScopeInfo::SaveScopeInfo(byteCodeGenerator, currentScope, byteCodeGenerator->GetScriptContext()); if (scopeInfo != nullptr) { + if (funcInfo->root->IsDeclaredInParamScope()) + { + FuncInfo* func = byteCodeGenerator->GetEnclosingFuncInfo(); + Assert(func); + + if (func->IsBodyAndParamScopeMerged()) + { + Assert(currentScope == func->GetParamScope() && currentScope->GetScopeType() == ScopeType_Parameter); + Assert(scopeInfo->GetScopeType() == ScopeType_Parameter); + Assert(func->GetBodyScope()); + + // If the current function is nested in the param scope of it's enclosing function we may have + // skipped the body scope and in may not be the scope stack but the body scope might still be + // in the frame display and we will need to account for it. See ByteCodeGenerateor::FindScopeForSym. + scopeInfo->mustInstantiate = func->GetBodyScope()->GetMustInstantiate(); + } + } funcInfo->byteCodeFunction->SetScopeInfo(scopeInfo); } }
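Review bot: The code and the commit message disagree on what is written to the param scope's flag: the message says the parameter scope is marked `mustInstantiate = true`, but the hunk assigns `scopeInfo->mustInstantiate = func->GetBodyScope()->GetMustInstantiate();`, which copies the body scope's value and silently overwrites whatever SaveScopeInfo computed for the param scope; if the body scope's flag can be false in this path, the comment should state why that is still the correct envIndex, otherwise set the literal `true` the message describes. `Assert(func)` is debug-only, so in a release build a null enclosing FuncInfo would be dereferenced on the next line; a guard or a comment stating why a function declared in a param scope always has an enclosing FuncInfo would make the invariant explicit. The new comment also has typos worth fixing before merge: "it's enclosing function" should be "its", "in may not be the scope stack" reads as "may not be in the scope stack", and "ByteCodeGenerateor::FindScopeForSym" misspells ByteCodeGenerator. Finally, the change touches only lib/Runtime/ByteCode/ScopeInfo.cpp; a regression test exercising a function nested in a merged param scope that captures a symbol from the enclosing body scope would pin the envIndex behaviour the message describes.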
Vulnerability mechanics
Generated on May 9, 2026. Inputs: CWE entries + fix-commit diffs from this CVE's patches. Citations validated against bundle.
References
- github.com/advisories/GHSA-9hjg-j983-mqcc (ghsa, ADVISORY)
- nvd.nist.gov/vuln/detail/CVE-2020-1065 (ghsa, ADVISORY)
- github.com/chakra-core/ChakraCore/commit/e245029151a5ee35cdcac13567ee11a168801ba3 (ghsa, WEB)
- github.com/chakra-core/ChakraCore/pull/6447 (ghsa, WEB)
- portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2020-1065 (ghsa, x_refsource_MISC, WEB)