CVE-2020-17054: Out-of-bounds Write in ChakraCore
7.5
CVSS Score
3.1
Basic Information
CVE ID
GHSA ID
EPSS Score
0.83786%
CWE
Published
8/2/2021
Updated
2/1/2023
KEV Status
No
Technology
C#
Technical Details
CVSS Vector
CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:U/C:H/I:H/A:H
Package Name | Ecosystem | Vulnerable Versions | First Patched Version |
---|---|---|---|
Microsoft.ChakraCore | nuget | < 1.11.23 | 1.11.23 |
Vulnerability Intelligence
Miggo AI
Root Cause Analysis
The GitHub commit e81e8a5 shows the vulnerability was addressed by adding a null/validity check for 'inlineeFrameDisplaySym' before using it. The original code contained an assertion but lacked runtime validation, which would be removed in release builds. This created a scenario where an unallocated symbol could be used for memory operations, directly matching the CWE-787 (out-of-bounds write) description in the CVE.