CVE-2017-8636
published 2017-08-08

CVE-2017-8636: Microsoft browsers in Microsoft Windows 7 SP1, Windows Server 2008 R2 SP1, Windows 8.1 and Windows RT 8.1, Windows Server 2012 and R2, Windows 10 Gold, 1511…

Priority: P2 (72), high · CVSS 3.0: 7.5
Vector: AV:N/AC:H/PR:N/UI:R/S:U/C:H/I:H/A:H
EXPLOIT
EPSS: 72.12% (99.4th percentile)
Microsoft browsers in Microsoft Windows 7 SP1, Windows Server 2008 R2 SP1, Windows 8.1 and Windows RT 8.1, Windows Server 2012 and R2, Windows 10 Gold, 1511, 1607, 1703, and Windows Server 2016 allow an attacker to execute arbitrary code in the context of the current user due to the way that Microsoft browser JavaScript engines render content when handling objects in memory, aka "Scripting Engine Memory Corruption Vulnerability". This CVE ID is unique from CVE-2017-8634, CVE-2017-8635, CVE-2017-8638, CVE-2017-8639, CVE-2017-8640, CVE-2017-8641, CVE-2017-8645, CVE-2017-8646, CVE-2017-8647, CVE-2017-8655, CVE-2017-8656, CVE-2017-8657, CVE-2017-8670, CVE-2017-8671, CVE-2017-8672, and CVE-2017-8674.

Affected

8 ranges
Vendor                  Product                       Version range   Fixed in
microsoft               internet_explorer
microsoft               internet_explorer
microsoft               internet_explorer
microsoft_corporation   microsoft_scripting_engine
msrc                    internet_explorer_10
msrc                    internet_explorer_11
msrc                    internet_explorer_9
msrc                    microsoft_edge

Detection & IOCs (extracted from sources)

command:  let args = new Array(0x10000); args = args.fill(0x1234).join(', '); eval('new Array(' + args + ')');
path:     C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe
path:     C:\Windows\SYSTEM32\chakra.dll
path:     C:\Windows\SYSTEM32\edgehtml.dll
  • CVE-2017-8636 is triggered via an integer overflow in the Chakra JIT EmitNew function: argCount is a 16-bit Js::ArgSlot, so incrementing it past 0xFFFF wraps it to 0, which bypasses the OutOfMemory guard and leads to a heap or stack buffer overflow when the InterpreterStackFrame is allocated.
  • PoC trigger pattern: a JavaScript call or new expression with exactly 0x10000 (65536) arguments wraps the 16-bit argCount to 0 and bypasses the bounds check. Monitor for eval() calls that construct extremely large argument lists.
  • The crash manifests in chakra.dll at Js::InterpreterStackFrame::ProcessUnprofiledLargeLayoutPrefix with an access violation (code c0000005) on a write instruction; monitor for MicrosoftEdgeCP.exe crashing with a second-chance AV in chakra.dll.
  • The overflow can force heap allocation of the InterpreterStackFrame (varAllocCount > InterpreterStackFrame::LocalsThreshold), enabling a heap buffer overflow rather than a stack overflow; the attacker controls the allocation size via the argument count.
  • A secondary NULL pointer dereference path exists: when spreadArgCount overflows to 0, spreadIndices is never initialized, and the subsequent access to spreadIndices->elements[spreadIndex++] in EmitArgs dereferences a null pointer.
  • The root overflow occurs at the pnode->sxCall.argCount increment: when argCount == 0xFFFF, argCount++ wraps to 0, and the guard 'if (argCount != (Js::ArgSlot)argCount)' never fires because both sides are already the same 16-bit type, so the comparison is a tautology.
  • Exploitation requires convincing a user to visit a specially crafted website in Microsoft Edge, or embedding a malicious ActiveX control in an Office document or application that hosts the scripting engine.
  • Exploitation likelihood is rated 'More Likely' for both latest and older software releases per Microsoft's assessment; however, Microsoft's advisory states the vulnerability had not been publicly exploited at the time of publication.
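The bullets above describe the bug as a 16-bit counter that wraps and a guard that compares the counter with itself. The following C model is an added example written for this page; it is not Chakra's source, and the function names, the `emit_result` struct and the hardened variant are illustrative rather than Microsoft's actual fix. Only `ArgSlot` being a 16-bit unsigned type mirrors the real engine. It shows why the self-cast guard can never fire and what a guard that counts in a wider type does differently for 0xFFFF versus 0x10000 arguments.

```c
/* Added example modelling the argCount wrap in CVE-2017-8636.
 * Not Chakra's code: names are illustrative, only the 16-bit ArgSlot
 * type mirrors the real engine. */
#include <stdint.h>
#include <stdio.h>
#include <stdbool.h>

typedef uint16_t ArgSlot;   /* mirrors Chakra's Js::ArgSlot (uint16) */

/* What "emitting" a call yields: the slot count the interpreter frame
 * would be sized with, and whether an OutOfMemory-style guard fired. */
struct emit_result {
    ArgSlot argCount;
    bool    rejected;
};

/* Vulnerable shape (as the page describes it): the counter is already
 * 16-bit, so casting it to its own type changes nothing and the
 * comparison is a tautology. 0xFFFF + 1 silently becomes 0. */
struct emit_result emit_call_vulnerable(uint32_t nargs)
{
    struct emit_result r = { 0, false };
    for (uint32_t i = 0; i < nargs; i++) {
        r.argCount++;                               /* wraps at 0x10000 */
        if (r.argCount != (ArgSlot)r.argCount) {    /* never true */
            r.rejected = true;
            return r;
        }
    }
    return r;
}

/* Hardened shape (illustrative, not Microsoft's patch): count in a
 * wider type and reject before the value is ever narrowed to ArgSlot. */
struct emit_result emit_call_fixed(uint32_t nargs)
{
    struct emit_result r = { 0, false };
    uint32_t count = 0;
    for (uint32_t i = 0; i < nargs; i++) {
        count++;
        if (count > UINT16_MAX) {   /* would not fit in ArgSlot */
            r.rejected = true;
            return r;
        }
    }
    r.argCount = (ArgSlot)count;
    return r;
}

int main(void)
{
    /* 0x10000 arguments is the PoC's trigger count from the page. */
    struct emit_result v = emit_call_vulnerable(0x10000);
    struct emit_result f = emit_call_fixed(0x10000);
    printf("vulnerable: argCount=%u rejected=%d\n", v.argCount, v.rejected);
    printf("fixed:      argCount=%u rejected=%d\n", f.argCount, f.rejected);
    return 0;
}
```

With 0x10000 arguments the vulnerable path returns argCount 0 and no rejection, which is exactly the state in which the emitter sizes the frame for zero slots while the call site still pushes 65536 values; the wider-counter guard rejects the same input and still accepts 0xFFFF.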
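The detection bullet above suggests watching eval() for extremely large argument lists. Because the PoC assembles its 0x10000 arguments at runtime, a static scan of the page source sees only a short string; the check has to run on the text actually handed to eval(). The scanner below is an added example, not from the page's sources; it is a heuristic tokenizer that counts top-level arguments in every parenthesised list (ignoring commas inside nested brackets and string literals) and flags any list at or past the 16-bit ArgSlot limit. `build_poc_eval_string` reconstructs the page's PoC payload as constructed sample input; the threshold and function names are this example's own.

```c
/* Added example: heuristic scan of an eval() payload for an argument
 * list near the Js::ArgSlot (uint16) limit. Not from the page's sources. */
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <stdint.h>

#define ARGSLOT_LIMIT 0xFFFFu   /* Js::ArgSlot is uint16 */

/* Largest top-level argument count found in any (...) list in src.
 * Commas inside nested (), [], {} or inside string literals are not
 * counted. Unbalanced closers are ignored; absurd nesting stops the scan. */
uint32_t max_arglist_len(const char *src)
{
    enum { MAXDEPTH = 64 };
    struct { char kind; uint32_t commas; int nonblank; } st[MAXDEPTH];
    int depth = 0;
    uint32_t best = 0;
    char quote = 0;                      /* active string delimiter, or 0 */

    for (const char *p = src; *p; p++) {
        char c = *p;
        if (quote) {                     /* inside a string literal */
            if (c == '\\' && p[1]) p++;  /* skip the escaped character */
            else if (c == quote) quote = 0;
            continue;
        }
        if (c == '\'' || c == '"' || c == '`') {
            quote = c;
            if (depth) st[depth - 1].nonblank = 1;
            continue;
        }
        if (c == '(' || c == '[' || c == '{') {
            if (depth) st[depth - 1].nonblank = 1;
            if (depth == MAXDEPTH) return best;
            st[depth].kind = c;
            st[depth].commas = 0;
            st[depth].nonblank = 0;
            depth++;
            continue;
        }
        if (c == ')' || c == ']' || c == '}') {
            if (depth == 0) continue;
            depth--;
            if (st[depth].kind == '(') {
                uint32_t args = st[depth].nonblank ? st[depth].commas + 1 : 0;
                if (args > best) best = args;
            }
            continue;
        }
        if (depth) {
            if (c == ',') st[depth - 1].commas++;
            else if (c != ' ' && c != '\t' && c != '\n' && c != '\r')
                st[depth - 1].nonblank = 1;
        }
    }
    return best;
}

/* 1 if src carries an argument list at or past the ArgSlot limit. */
int looks_like_argcount_overflow(const char *src)
{
    return max_arglist_len(src) >= ARGSLOT_LIMIT;
}

/* Constructed sample input: the string the page's PoC hands to eval(),
 * i.e. "new Array(0x1234, 0x1234, ...)" with nargs arguments. Caller frees. */
char *build_poc_eval_string(uint32_t nargs)
{
    const char *head = "new Array(", *item = "0x1234, ", *last = "0x1234";
    size_t len = strlen(head) + (size_t)nargs * strlen(item) + 2;
    char *s = malloc(len);
    if (!s) return NULL;
    char *w = s;
    w += sprintf(w, "%s", head);
    for (uint32_t i = 0; i < nargs; i++)
        w += sprintf(w, "%s", (i + 1 == nargs) ? last : item);
    sprintf(w, ")");
    return s;
}

int main(void)
{
    char *poc = build_poc_eval_string(0x10000);
    if (!poc) return 1;
    printf("max args=%u flagged=%d\n", max_arglist_len(poc),
           looks_like_argcount_overflow(poc));
    free(poc);
    return 0;
}
```

The tokenizer is deliberately shallow (no comment handling, no regex literals), which is acceptable for a tripwire on eval() input but not as a parser; a list of 65535 or more top-level arguments has no legitimate use and is worth alerting on regardless of what surrounds it.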

CVSS provenance

NVD v3.0:       7.5 HIGH    CVSS:3.0/AV:N/AC:H/PR:N/UI:R/S:U/C:H/I:H/A:H
NVD v2.0:       7.6 HIGH    AV:N/AC:H/Au:N/C:C/I:C/A:C
Vendor (MSRC):  4.2 MEDIUM