Chakra Scripting Engine Memory Corruption Vulnerability
Description
Chakra Scripting Engine Memory Corruption Vulnerability
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
A memory corruption vulnerability in ChakraCore's JavaScript engine allows remote code execution via crafted web content.
CVE-2020-17054 is a memory corruption vulnerability in the Chakra scripting engine, affecting Microsoft Edge (EdgeHTML-based) and ChakraCore. The root cause is a missing null check in the LowerLdFrameDisplay function, which can lead to accessing an uninitialized or freed stack symbol [1][3].
An attacker could host a specially crafted website that, when visited by a user, triggers the vulnerability. No user interaction beyond browsing is required; the vulnerability is triggered during script execution in the Chakra engine.
Successful exploitation could allow an attacker to execute arbitrary code in the context of the current user. If the user has administrative rights, the attacker could take control of the system, install programs, or view/change data.
Microsoft released a security update in November 2020 to address this vulnerability. Users should apply the update via Windows Update or by updating ChakraCore to the patched version [2]. The fix adds a null check before using the inlineeFrameDisplaySym symbol [3].
AI Insight generated on May 21, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
Affected packages
Versions sourced from the GitHub Security Advisory.
| Package | Affected versions | Patched versions |
|---|---|---|
| Microsoft.ChakraCore (NuGet) | < 1.11.23 | 1.11.23 |
References
- github.com/advisories/GHSA-88cw-3m6x-49f7 (ghsa, ADVISORY)
- nvd.nist.gov/vuln/detail/CVE-2020-17054 (ghsa, ADVISORY)
- github.com/chakra-core/ChakraCore/pull/6528 (ghsa, WEB)
- github.com/chakra-core/ChakraCore/pull/6528/commits/e81e8a51ec7ba3d0dfb6089254f166c2733216e1 (ghsa, WEB)
- portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2020-17054 (ghsa, x_refsource_MISC, WEB)