cbcvebase.
CVE-2017-8601
published 2017-07-11

CVE-2017-8601: Microsoft Edge in Microsoft Windows 10 Gold, 1511, 1607, and 1703, and Windows Server 2016 allow an attacker to execute arbitrary code in the context of the…

PriorityP179high7.5CVSS 3.0
AVNACHPRNUIRSUCHIHAH
ITWEXPLOITVulnCheck KEV
Exploited in the wild
EPSS
66.91%
99.2th percentile
Microsoft Edge in Microsoft Windows 10 Gold, 1511, 1607, and 1703, and Windows Server 2016 allow an attacker to execute arbitrary code in the context of the current user when the JavaScript engine fails to render when handling objects in memory in Microsoft Edge, aka "Scripting Engine Memory Corruption Vulnerability". This CVE ID is unique from CVE-2017-8596, CVE-2017-8610, CVE-2017-8618, CVE-2017-8619, CVE-2017-8603, CVE-2017-8604, CVE-2017-8605, CVE-2017-8606, CVE-2017-8607, CVE-2017-8608, CVE-2017-8598 and CVE-2017-8609.

Affected

13 ranges
VendorProductVersion rangeFixed in
microsoftinternet_explorer
microsoftinternet_explorer
microsoftinternet_explorer
microsoft_corporationwindows_10_1703
msrcmicrosoft_edge_on_windows_10_for_32-bit_systems
msrcmicrosoft_edge_on_windows_10_for_x64-based_systems
msrcmicrosoft_edge_on_windows_10_version_1511_for_32-bit_systems
msrcmicrosoft_edge_on_windows_10_version_1511_for_x64-based_systems
msrcmicrosoft_edge_on_windows_10_version_1607_for_32-bit_systems
msrcmicrosoft_edge_on_windows_10_version_1607_for_x64-based_systems
msrcmicrosoft_edge_on_windows_10_version_1703_for_32-bit_systems
msrcmicrosoft_edge_on_windows_10_version_1703_for_x64-based_systems
msrcmicrosoft_edge_on_windows_server_2016

Detection & IOCsextracted from sources · hover to see the quote

versionMicrosoft Edge 40.15063.0.0
  • Look for JavaScript abuse of TypedArray setters combined with JIT-optimized float array writes — the PoC uses a Uint32Array setter callback to swap a float array element to an object, triggering type confusion in Chakra's JIT compiler.
  • The vulnerability is triggered via a specially crafted website or an ActiveX control marked 'safe for initialization' embedded in an Office document — monitor for suspicious ActiveX instantiation in Office alongside Edge/IE script execution.
  • The root cause is incorrect JIT optimization in Chakra's handling of TypedArray setter interactions with float arrays — flag JIT-compiled code paths in ChakraCore/Edge that involve mixed TypedArray and float array writes in tight loops.
  • ·Exploit status at time of advisory was 'Publicly Disclosed: No; Exploited: No' but rated 'Exploitation More Likely' for the latest software release — patch priority should be high.
  • ·The vulnerability affects the Microsoft Scripting Engine (Chakra) across Microsoft Edge on Windows 10 Gold, 1511, 1607, 1703 and Windows Server 2016; scope is limited to those platforms.

CVSS provenance

nvdv3.07.5HIGHCVSS:3.0/AV:N/AC:H/PR:N/UI:R/S:U/C:H/I:H/A:H
nvdv2.07.6HIGHAV:N/AC:H/Au:N/C:C/I:C/A:C
vulncheck7.5HIGH
vendor_msrc4.2MEDIUM
CVEs like this are exactly what “Exploited This Week” covers.

Every Monday: what got weaponized or added to CISA KEV in the last seven days — each CVE cross-linked to its PoC, Nuclei template, and detection rule. Free, one email a week, unsubscribe in one click.