CVE-2017-11890
published 2017-12-12

CVE-2017-11890: Microsoft Windows 7 SP1, Windows Server 2008 and R2 SP1, Windows 8.1 and Windows RT 8.1, Windows Server 2012 and R2, Windows 10 Gold, 1511, 1607, 1703, 1709…

Priority P268 · high · 7.5 · CVSS 3.0
Vector: AV:N/AC:H/PR:N/UI:R/S:U/C:H/I:H/A:H
EXPLOIT
EPSS: 49.40% (98.7th percentile)
Microsoft Windows 7 SP1, Windows Server 2008 and R2 SP1, Windows 8.1 and Windows RT 8.1, Windows Server 2012 and R2, Windows 10 Gold, 1511, 1607, 1703, 1709, and Windows Server 2016 allow an attacker to execute arbitrary code in the context of the current user, due to how Internet Explorer handles objects in memory, aka "Scripting Engine Memory Corruption Vulnerability". This CVE ID is unique from CVE-2017-11886, CVE-2017-11889, CVE-2017-11893, CVE-2017-11894, CVE-2017-11895, CVE-2017-11901, CVE-2017-11903, CVE-2017-11905, CVE-2017-11907, CVE-2017-11908, CVE-2017-11909, CVE-2017-11910, CVE-2017-11911, CVE-2017-11912, CVE-2017-11913, CVE-2017-11914, CVE-2017-11916, CVE-2017-11918, and CVE-2017-11930.

Affected

7 ranges
Vendor     Product               Version range  Fixed in
microsoft  chakracore            < 1.7.5        1.7.5
microsoft  internet_explorer
microsoft  internet_explorer
microsoft  internet_explorer
msrc       internet_explorer_10
msrc       internet_explorer_11
msrc       internet_explorer_9

Detection & IOCs (extracted from sources)

process: jscript!RegExpComp::Compile
command: var s = 'a'; for(var i=0;i<N;i++) s+=s; new RegExp(s).compile(s);
  • Attack vector includes a specially crafted website loaded in Internet Explorer OR delivery via local network through WPAD (Web Proxy Auto-Discovery) — monitor for suspicious WPAD responses containing JavaScript with large RegExp patterns.
  • Attacker may embed a malicious ActiveX control marked 'safe for initialization' in an Office document or application hosting the IE rendering engine to trigger the vulnerability without browser interaction.
  • The exploit PoC (Exploit-DB 43369) targets CVE-2017-11890's sibling vulnerability in jscript.dll (RegExpComp::Compile heap overflow); the NVD DOC 1 description references CVE-2017-11889 (ChakraCore/Edge). Ensure detections are scoped to jscript.dll / Internet Explorer for CVE-2017-11890, not ChakraCore/Edge.
  • Microsoft's own advisory classifies exploit status as 'Exploitation More Likely' for both latest and older software releases, indicating active weaponization risk despite no confirmed in-the-wild exploitation at time of publication.

CVSS provenance

Source       Version  Score  Severity  Vector
nvd          v3.0     7.5    HIGH      CVSS:3.0/AV:N/AC:H/PR:N/UI:R/S:U/C:H/I:H/A:H
nvd          v2.0     7.6    HIGH      AV:N/AC:H/Au:N/C:C/I:C/A:C
ghsa                  7.5    HIGH
osv                   7.5    HIGH
vendor_msrc           6.4    MEDIUM