CVE-2018-0834
Description
A memory corruption vulnerability in Microsoft Edge's ChakraCore engine allows remote code execution when visiting a malicious website.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
A memory corruption vulnerability in Microsoft Edge's ChakraCore engine allows remote code execution when visiting a malicious website.
Vulnerability
The vulnerability is a memory corruption issue in the ChakraCore scripting engine used by Microsoft Edge. It affects Microsoft Windows 10 Gold, 1511, 1607, 1703, 1709, and Windows Server 2016 [1][3]. The scripting engine mishandles objects in memory, leading to exploitable corruption.
Exploitation
An attacker can host a specially crafted website that, when visited by a victim using Microsoft Edge, triggers the memory corruption. No additional authentication or user interaction beyond visiting the page is required [2].
Impact
Successful exploitation allows remote code execution in the context of the current user. The attacker can gain the same user rights as the victim, potentially installing programs, viewing/editing data, or creating new accounts [1][2].
Mitigation
Microsoft released a security update as part of the February 2018 Patch Tuesday (KB4074588 for Windows 10 and Windows Server 2016) [2]. For ChakraCore, security updates were provided until March 9, 2021 [4]. Users should apply the latest Windows updates and ensure ChakraCore is updated accordingly.
- NVD - CVE-2018-0834
- Microsoft Edge Multiple Bugs Let Remote Users Execute Arbitrary Code, Obtain Potentially Sensitive Information, and Bypass Security Restrictions on the Target System
- Microsoft Edge Scripting Engine CVE-2018-0834 Remote Memory Corruption Vulnerability
- GitHub - chakra-core/ChakraCore: ChakraCore is an open source Javascript engine with a C API.
AI Insight generated on May 22, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
Affected packages
Versions sourced from the GitHub Security Advisory.
| Package | Affected versions | Patched versions |
|---|---|---|
Microsoft.ChakraCoreNuGet | < 1.8.1 | 1.8.1 |
Affected products
2- Microsoft Corporation/Microsoft Edge, ChakraCorev5Range: Microsoft Windows 10 Gold, 1511, 1607, 1703, 1709, and Windows Server 2016.
Patches
16cd503299eacChakraCore fix for servicing release 18-02B: CVE-2018-0834
1 file changed · +18 −0
lib/Backend/GlobOpt.cpp+18 −0 modified@@ -15399,6 +15399,24 @@ GlobOpt::CheckJsArrayKills(IR::Instr *const instr) } break; } + + case Js::OpCode::InitProto: + { + // Find the 'this' parameter and check if it's possible for it to be an array + IR::Opnd *const arrayOpnd = instr->GetSrc1(); + Assert(arrayOpnd); + const ValueType arrayValueType(arrayOpnd->GetValueType()); + if(!arrayOpnd->IsRegOpnd() || (useValueTypes && arrayValueType.IsNotArrayOrObjectWithArray())) + { + break; + } + + if(doNativeArrayTypeSpec && !(useValueTypes && arrayValueType.IsNotNativeArray())) + { + kills.SetKillsNativeArrays(); + } + break; + } } return kills;
Vulnerability mechanics
Generated on May 9, 2026. Inputs: CWE entries + fix-commit diffs from this CVE's patches. Citations validated against bundle.
References
10- www.exploit-db.com/exploits/44078/mitreexploitx_refsource_EXPLOIT-DB
- github.com/advisories/GHSA-5j48-826p-2w9rghsaADVISORY
- nvd.nist.gov/vuln/detail/CVE-2018-0834ghsaADVISORY
- www.securityfocus.com/bid/102859mitrevdb-entryx_refsource_BID
- www.securitytracker.com/id/1040372mitrevdb-entryx_refsource_SECTRACK
- github.com/chakra-core/ChakraCore/commit/6cd503299eac4a5b5ffc0c5bb0d072861f60e183ghsaWEB
- portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2018-0834ghsax_refsource_CONFIRMWEB
- web.archive.org/web/20210124135628/http://www.securityfocus.com/bid/102859ghsaWEB
- web.archive.org/web/20211208072939/http://www.securitytracker.com/id/1040372ghsaWEB
- www.exploit-db.com/exploits/44078ghsaWEB
News mentions
0No linked articles in our index yet.