CVE-2018-0838
Description
A memory corruption vulnerability in Microsoft Edge and ChakraCore scripting engine allows remote code execution via crafted web content.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
Vulnerability
The vulnerability is a memory corruption issue in the scripting engine of Microsoft Edge and ChakraCore, affecting how objects are handled in memory. It exists in Microsoft Windows 10 Gold, 1511, 1607, 1703, 1709, and Windows Server 2016, as well as the open-source ChakraCore engine. The bug can be triggered when the scripting engine processes specially crafted JavaScript or other dynamic content in Edge or any application embedding ChakraCore [1][3].
Exploitation
An attacker can exploit this vulnerability by hosting a crafted website (or delivering content via other vectors such as email or instant messages) and convincing a user to visit it. No additional privileges or user interaction beyond browsing is required; the memory corruption is triggered at a specific code path in the scripting engine when parsing or executing the malicious script [2][3].
Impact
Successful exploitation allows remote code execution in the context of the current user. Depending on the user's privileges, an attacker could install programs, view/change/delete data, or create new accounts with full user rights. This could lead to complete compromise of the affected system [1][2].
Mitigation
Microsoft released security updates on February 13, 2018, as part of its monthly Patch Tuesday. Users should apply the update via Windows Update or other deployment methods. ChakraCore users are advised to update to the latest patched version. No workaround exists other than applying the fix [2][3].
AI Insight generated on May 22, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
Affected packages
Versions sourced from the GitHub Security Advisory.
| Package | Affected versions | Patched versions |
|---|---|---|
| Microsoft.ChakraCore (NuGet) | < 1.8.1 | 1.8.1 |
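
As an added example (not part of the advisory or of the ChakraCore project), the following Python script checks NuGet manifests for a Microsoft.ChakraCore reference below the patched 1.8.1 listed in the table. The function names and the sample manifests are constructed for illustration; floating or range versions are reported as unknown rather than guessed.

```python
import xml.etree.ElementTree as ET

PACKAGE = "microsoft.chakracore"  # NuGet ids are case-insensitive
PATCHED = (1, 8, 1)               # patched version from the table above

def classify(version_text):
    """Return 'affected', 'patched' or 'unknown' for one version string."""
    core, _, prerelease = (version_text or "").strip().partition("-")
    try:
        nums = [int(part) for part in core.split(".")]
    except ValueError:            # empty, floating (1.*) or range ([1.7,2.0))
        return "unknown"
    nums = tuple((nums + [0, 0, 0])[:3])  # pad 1.8 -> 1.8.0, ignore a 4th part
    if nums < PATCHED or (nums == PATCHED and prerelease):
        return "affected"         # a 1.8.1 prerelease sorts below 1.8.1
    return "patched"

def local(tag):
    """Strip an XML namespace such as the legacy MSBuild one."""
    return tag.rsplit("}", 1)[-1]

def audit(xml_text):
    """List (version, status) for every ChakraCore reference in the XML."""
    findings = []
    for el in ET.fromstring(xml_text).iter():
        if local(el.tag) == "package" and el.get("id", "").lower() == PACKAGE:
            version = el.get("version")
        elif local(el.tag) == "PackageReference" and el.get("Include", "").lower() == PACKAGE:
            version = el.get("Version")
            if version is None:   # <Version> child element form
                version = next((c.text for c in el if local(c.tag) == "Version"), None)
        else:
            continue
        findings.append((version, classify(version)))
    return findings

# Constructed sample inputs, not taken from any real project.
PACKAGES_CONFIG = """<packages>
  <package id="Newtonsoft.Json" version="10.0.3" />
  <package id="Microsoft.ChakraCore" version="1.7.6" />
</packages>"""
CSPROJ = """<Project Sdk="Microsoft.NET.Sdk"><ItemGroup>
  <PackageReference Include="Microsoft.ChakraCore" Version="1.8.1" />
  <PackageReference Include="microsoft.chakracore"><Version>1.8.1-rc1</Version></PackageReference>
  <PackageReference Include="Microsoft.ChakraCore" Version="1.*" />
</ItemGroup></Project>"""

if __name__ == "__main__":
    for name, text in (("packages.config", PACKAGES_CONFIG), ("app.csproj", CSPROJ)):
        print(name, audit(text))
```

An "unknown" result means the resolved version has to be read from the lock file or restore output instead of the manifest.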
Affected products (2)
- Microsoft Corporation/Microsoft Edge, ChakraCore (v5). Range: Microsoft Windows 10 Gold, 1511, 1607, 1703, 1709, and Windows Server 2016.
Patches (1)
f82e7b4e5614: ChakraCore fix for servicing release 18-02B: CVE-2018-0838
1 file changed · +23 −0
lib/Backend/GlobOpt.cpp+23 −0 modified@@ -15417,6 +15417,29 @@ GlobOpt::CheckJsArrayKills(IR::Instr *const instr) } break; } + + case Js::OpCode::InitClass: + Assert(instr->GetSrc1()); + if (instr->GetSrc2() == nullptr) + { + // No extends operand, so the InitClass will not make something into a prototype + break; + } + + if(doNativeArrayTypeSpec) + { + // Class/object construction can make something a prototype + kills.SetKillsNativeArrays(); + } + break; + + case Js::OpCode::NewScObjectNoCtor: + if(doNativeArrayTypeSpec) + { + // Class/object construction can make something a prototype + kills.SetKillsNativeArrays(); + } + break; } return kills;
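Review bot: the two new cases in GlobOpt::CheckJsArrayKills (InitClass and NewScObjectNoCtor) land with no regression test, since the commit touches lib/Backend/GlobOpt.cpp only; a test that exercises class construction with an extends operand, and NewScObjectNoCtor, while native array type specialization is enabled should accompany the change so a later refactor of this switch cannot silently drop the kills. The comment "Class/object construction can make something a prototype" is repeated in both cases but does not say why becoming a prototype requires kills.SetKillsNativeArrays(); one sentence naming the native-array assumption being invalidated would make the invariant reviewable. The two `if(doNativeArrayTypeSpec)` blocks are identical and could be shared, and their `if(` spacing differs from `if (instr->GetSrc2() == nullptr)` a few lines above. In the InitClass case the early break for a null Src2 relies on the comment's claim that an InitClass without an extends operand never makes an object a prototype; it would be worth stating in the commit message where that guarantee comes from.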
Vulnerability mechanics
Generated on May 9, 2026. Inputs: CWE entries + fix-commit diffs from this CVE's patches. Citations validated against bundle.
References (10)
- www.exploit-db.com/exploits/44080/ (mitre: exploit, x_refsource_EXPLOIT-DB)
- github.com/advisories/GHSA-j762-mr2c-fmp9 (ghsa: ADVISORY)
- nvd.nist.gov/vuln/detail/CVE-2018-0838 (ghsa: ADVISORY)
- www.securityfocus.com/bid/102877 (mitre: vdb-entry, x_refsource_BID)
- www.securitytracker.com/id/1040372 (mitre: vdb-entry, x_refsource_SECTRACK)
- github.com/chakra-core/ChakraCore/commit/f82e7b4e561494a9ad79f2fe5c5aadcdf6ccce33 (ghsa: WEB)
- portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2018-0838 (ghsa: x_refsource_CONFIRM, WEB)
- web.archive.org/web/20210124135716/http://www.securityfocus.com/bid/102877 (ghsa: WEB)
- web.archive.org/web/20211208072939/http://www.securitytracker.com/id/1040372 (ghsa: WEB)
- www.exploit-db.com/exploits/44080 (ghsa: WEB)