CVE-2018-0837
Description
CVE-2018-0837 is a memory corruption vulnerability in Microsoft Edge and ChakraCore that allows remote code execution via crafted web content.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
Vulnerability
CVE-2018-0837 is a memory corruption vulnerability in the ChakraCore scripting engine used by Microsoft Edge. The flaw arises from improper handling of objects in memory, leading to a remote code execution (RCE) scenario. Affected products include Microsoft Edge on Windows 10 Gold, 1511, 1607, 1703, 1709, and Windows Server 2016, as well as the standalone ChakraCore library [1][2][3].
Exploitation
An attacker can exploit this vulnerability by crafting a malicious web page that leverages the scripting engine memory corruption. No additional authentication or special privileges are required; the victim must only visit the attacker-controlled page using an affected browser or application. The bug was reported by Lokihardt of Google Project Zero [2][3].
Impact
Successful exploitation enables an attacker to execute arbitrary code in the context of the current user, potentially leading to full system compromise—including data theft, installation of programs, or creation of new accounts with user-level permissions [1][2].
Mitigation
Microsoft released a security update on February 13, 2018 as part of the February 2018 Patch Tuesday, addressing the vulnerability for all affected Windows versions. Users should apply the latest Windows updates promptly. ChakraCore 1.11 is the last feature release; it received security patches until March 9, 2021, after which no further updates are provided [1][2][4].
- NVD - CVE-2018-0837
- Microsoft Edge Multiple Bugs Let Remote Users Execute Arbitrary Code, Obtain Potentially Sensitive Information, and Bypass Security Restrictions on the Target System
- Microsoft Edge Scripting Engine CVE-2018-0837 Remote Memory Corruption Vulnerability
- GitHub - chakra-core/ChakraCore: ChakraCore is an open source Javascript engine with a C API.
AI Insight generated on May 22, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
Affected packages
Versions sourced from the GitHub Security Advisory.
| Package | Affected versions | Patched versions |
|---|---|---|
| Microsoft.ChakraCore (NuGet) | < 1.8.1 | 1.8.1 |
Affected products
- Microsoft Corporation / Microsoft Edge, ChakraCore [v5], range: Microsoft Windows 10 Gold, 1511, 1607, 1703, 1709, and Windows Server 2016.
Patches
043257b7d47a ChakraCore fix for servicing release 18-02B: CVE-2018-0837
1 file changed · +1 −1
lib/Backend/GlobOpt.cpp+1 −1 modified@@ -5191,7 +5191,7 @@ GlobOpt::ValueNumberDst(IR::Instr **pInstr, Value *src1Val, Value *src2Val) if (!PHASE_OFF(Js::OptTagChecksPhase, this->func) && (src1ValueInfo == nullptr || src1ValueInfo->IsUninitialized())) { - return this->NewGenericValue(ValueType::GetObject(ObjectType::Object), dst); + return this->NewGenericValue(ValueType::GetObject(ObjectType::Object).ToLikely().SetCanBeTaggedValue(false), dst); } break;
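Review bot: the replacement return in GlobOpt::ValueNumberDst carries no comment explaining why the destination is now only a likely object, and the change touches one file with no regression test. This branch is taken when src1ValueInfo is nullptr or uninitialized, so nothing in the visible condition proves the definite Object type that the removed line asserted. A short comment above the return stating that, and why SetCanBeTaggedValue(false) is still safe to claim when there is no source value info, would keep a later cleanup from restoring the definite type. A test that exercises this path with OptTagChecksPhase enabled should accompany the fix.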
Vulnerability mechanics
Generated on May 9, 2026. Inputs: CWE entries + fix-commit diffs from this CVE's patches. Citations validated against bundle.
References
- www.exploit-db.com/exploits/44081/ (mitre: exploit, x_refsource_EXPLOIT-DB)
- github.com/advisories/GHSA-h9wf-mpvf-9jqg (ghsa: ADVISORY)
- nvd.nist.gov/vuln/detail/CVE-2018-0837 (ghsa: ADVISORY)
- www.securityfocus.com/bid/102876 (mitre: vdb-entry, x_refsource_BID)
- www.securitytracker.com/id/1040372 (mitre: vdb-entry, x_refsource_SECTRACK)
- github.com/chakra-core/ChakraCore/commit/043257b7d47afab1240f5dd4cdd10bde38c574c3 (ghsa: WEB)
- portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2018-0837 (ghsa: x_refsource_CONFIRM, WEB)
- web.archive.org/web/20210805203751/http://www.securityfocus.com/bid/102876 (ghsa: WEB)
- web.archive.org/web/20211208072939/http://www.securitytracker.com/id/1040372 (ghsa: WEB)
- www.exploit-db.com/exploits/44081 (ghsa: WEB)