CVE-2018-0856
Description
A memory corruption vulnerability in the scripting engine of Microsoft Edge and ChakraCore allows remote code execution on Windows 10 1703 and 1709.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
Vulnerability
CVE-2018-0856 is a memory corruption vulnerability in the scripting engine of Microsoft Edge and ChakraCore, present in Microsoft Windows 10 versions 1703 and 1709. The issue stems from improper handling of objects in memory, which lets an attacker corrupt memory in a way that can lead to arbitrary code execution [1][2][3]. Affected components include Microsoft Edge and ChakraCore on the specified Windows versions.
Exploitation
An attacker can exploit this vulnerability by hosting a specially crafted website that triggers the memory corruption when viewed in Microsoft Edge. The attacker must convince the user to visit the malicious site, typically via email or a link. No authentication or special network position is required beyond the ability to serve web content [2][3].
Impact
Successful exploitation results in remote code execution in the context of the current user. The attacker can gain the same user rights as the logged-on user, potentially allowing installation of programs, modification of data, or creation of new accounts [1][2].
Mitigation
Microsoft released a security update on February 13, 2018, as part of the monthly Patch Tuesday rollout, addressing this vulnerability. Users should apply the update via Windows Update or by downloading the appropriate patch from the Microsoft Security Response Center [1][2]. For ChakraCore, the fix is included in the same update; the ChakraCore project continued to receive security updates until March 2021 [4]. No workarounds are available; applying the patch is the only mitigation.
- [1] NVD - CVE-2018-0856
- [2] Microsoft Edge Multiple Bugs Let Remote Users Execute Arbitrary Code, Obtain Potentially Sensitive Information, and Bypass Security Restrictions on the Target System
- [3] Microsoft Edge Scripting Engine CVE-2018-0856 Remote Memory Corruption Vulnerability
- [4] GitHub - chakra-core/ChakraCore: ChakraCore is an open source Javascript engine with a C API.
AI Insight generated on May 22, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
Affected packages
Versions sourced from the GitHub Security Advisory.
| Package | Affected versions | Patched versions |
|---|---|---|
| Microsoft.ChakraCore (NuGet) | < 1.8.1 | 1.8.1 |
Affected products
- Microsoft Corporation / Microsoft Edge, ChakraCore. Range: Microsoft Windows 10 1703 and 1709.
Patches
385af842bce4: ChakraCore fix for servicing release 18-02B: CVE-2018-0856
1 file changed · +5 −4
lib/Parser/Parse.cpp+5 −4 modified@@ -9515,10 +9515,6 @@ ParseNodePtr Parser::ParseVariableDeclaration( if (pnodeThis && pnodeThis->sxVar.pnodeInit != nullptr) { pnodeThis->sxVar.sym->PromoteAssignmentState(); - if (m_currentNodeFunc && pnodeThis->sxVar.sym->GetIsFormal()) - { - m_currentNodeFunc->sxFnc.SetHasAnyWriteToFormals(true); - } } } else if (declarationType == tkCONST /*pnodeThis->nop == knopConstDecl*/ @@ -9527,6 +9523,11 @@ ParseNodePtr Parser::ParseVariableDeclaration( { Error(ERRUninitializedConst); } + + if (m_currentNodeFunc && pnodeThis->sxVar.sym->GetIsFormal()) + { + m_currentNodeFunc->sxFnc.SetHasAnyWriteToFormals(true); + } } if (singleDefOnly)
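Review bot: In the first hunk (@@ -9515), the SetHasAnyWriteToFormals(true) call leaves the `pnodeThis->sxVar.pnodeInit != nullptr` branch with no explanation of why the initializer is no longer the trigger. Add a short comment at the new call site stating why a declaration of a formal counts as a write even without an initializer. The commit changes only lib/Parser/Parse.cpp, so a regression test covering a declaration of a formal with no initializer should accompany it.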
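Review bot: In the second hunk (@@ -9527), the added condition dereferences `pnodeThis->sxVar.sym` without the `pnodeThis` null check that guarded the old call site (`if (pnodeThis && pnodeThis->sxVar.pnodeInit != nullptr)`). Unless the enclosing scope, which is not visible in this hunk, already guarantees a non-null pnodeThis, write the condition as `m_currentNodeFunc && pnodeThis && pnodeThis->sxVar.sym->GetIsFormal()`.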
Vulnerability mechanics
Generated on May 9, 2026. Inputs: CWE entries + fix-commit diffs from this CVE's patches. Citations validated against bundle.
References
- github.com/advisories/GHSA-399v-jg88-3gx6 (ghsa, ADVISORY)
- nvd.nist.gov/vuln/detail/CVE-2018-0856 (ghsa, ADVISORY)
- www.securityfocus.com/bid/102880 (mitre, vdb-entry, x_refsource_BID)
- www.securitytracker.com/id/1040372 (mitre, vdb-entry, x_refsource_SECTRACK)
- github.com/chakra-core/ChakraCore/commit/385af842bce4f94ddef98553a81f8ea99c7e2dcf (ghsa, WEB)
- portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2018-0856 (ghsa, x_refsource_CONFIRM, WEB)
- web.archive.org/web/20210125205300/http://www.securityfocus.com/bid/102880 (ghsa, WEB)
- web.archive.org/web/20211208072939/http://www.securitytracker.com/id/1040372 (ghsa, WEB)