VYPR
High severity · NVD Advisory · Published Feb 15, 2018 · Updated Sep 16, 2024

CVE-2018-0857

Description

Microsoft Edge and ChakraCore suffer from a scripting engine memory corruption vulnerability that allows remote code execution.

AI Insight

LLM-synthesized narrative grounded in this CVE's description and references.

Vulnerability

A memory corruption vulnerability exists in the scripting engine of Microsoft Edge and ChakraCore on Windows 10 Gold, 1511, 1607, 1703, 1709, and Windows Server 2016. The flaw occurs when the scripting engine mishandles objects in memory, leading to corruption. This affects all versions of Edge on those platforms and the associated ChakraCore engine as referenced in [2] and [3].

Exploitation

An attacker can exploit this vulnerability by hosting a specially crafted website and convincing a user to visit it (e.g., via email or instant message). No authentication or special privileges are required; the user only needs to browse the malicious site in Edge. The scripting engine's handling of the crafted content triggers the memory corruption as described in [1] and [2].

Impact

Successful exploitation allows an attacker to execute arbitrary code in the context of the current user. This can lead to full compromise of the affected system, including installation of programs, viewing/changing/deleting data, or creating new accounts with full user rights as stated in the vendor advisory [1].

Mitigation

Microsoft issued a security update on February 13, 2018, which fixes the vulnerability. Users should apply the update via Windows Update or obtain it from the Microsoft Security Response Center. ChakraCore users are advised to update to the latest patched version. A fix is available per references [2] and [3].

AI Insight generated on May 22, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.

Affected packages

Versions sourced from the GitHub Security Advisory.

Package                        Affected versions   Patched versions
Microsoft.ChakraCore (NuGet)   < 1.8.1             1.8.1

Affected products (2)

  • ghsa-coords
    Range: < 1.8.1
  • Microsoft Corporation / Microsoft Edge, ChakraCore v5
    Range: Microsoft Windows 10 Gold, 1511, 1607, 1703, 1709, and Windows Server 2016.

Patches (1)

6f4265c3db2a

ChakraCore fix for servicing release 18-02B: CVE-2018-0857

https://github.com/chakra-core/ChakraCore · Michael Ferris · Dec 15, 2017 · via ghsa
2 files changed · +10 −2
  • lib/Backend/Inline.cpp (+9 −2, modified)
    @@ -292,6 +292,7 @@ Inline::Optimize(Func *func, __in_ecount_opt(callerArgOutCount) IR::Instr *calle
                                 break;
                             }
     
    +                        bool hasDstUsedBuiltInReturnType = false;
                             if(!inlineeData->HasBody())
                             {
                                 Assert(builtInInlineCandidateOpCode != 0);
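Review bot: `hasDstUsedBuiltInReturnType` is only ever initialized to false at this declaration, so its correctness depends on the declaration living inside the per-candidate loop body (the `break;` directly above suggests it does); if the enclosing scope were wider than one candidate, a true value would carry over to the next candidate and cause an unwanted revert later. A one-line comment saying that the flag records whether the destination's value type was taken from a built-in's return type before inlining was actually confirmed would help the next reader.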
    @@ -303,11 +304,12 @@ Inline::Optimize(Func *func, __in_ecount_opt(callerArgOutCount) IR::Instr *calle
                                     break;
                                 }
     
    -                            // This built-in function is going to be inlined, so reset the destination's value type
    +                            // This built-in function should be inlined, so reset the destination's value type
                                 if(!builtInReturnType.IsUninitialized())
                                 {
                                     if(instr->GetDst())
                                     {
    +                                    hasDstUsedBuiltInReturnType = true;
                                         instr->GetDst()->SetValueType(builtInReturnType);
                                         if(builtInReturnType.IsDefinite())
                                         {
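Review bot: the flag is set only inside `if(instr->GetDst())`, so a true value implies a non-null destination; that invariant is what later code will rely on when it dereferences `instr->GetDst()` without a check, and it is worth stating in the comment here. The wording change from "is going to be inlined" to "should be inlined" is the right correction: at this point the built-in's return type is applied to the destination speculatively, and whether inlining really happens is only known after the inlining call returns.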
    @@ -367,7 +369,12 @@ Inline::Optimize(Func *func, __in_ecount_opt(callerArgOutCount) IR::Instr *calle
                             instrNext = builtInInlineCandidateOpCode != 0 ?
                                 this->InlineBuiltInFunction(instr, inlineeData, builtInInlineCandidateOpCode, inlinerData, symThis, &isInlined, profileId, recursiveInlineDepth) :
                                 this->InlineScriptFunction(instr, inlineeData, symThis, profileId, &isInlined, recursiveInlineDepth);
    -
    +                         if (!isInlined && hasDstUsedBuiltInReturnType)
    +                        {
    +                            // We haven't actually inlined the builtin, we need to revert the value type to likely
    +                            instr->GetDst()->UnsetValueTypeFixed();
    +                            instr->GetDst()->SetValueType(instr->GetDst()->GetValueType().ToLikely());
    +                        }
                         }
                         if(++this->inlineesProcessed == inlinerData->GetInlineeCount())
                         {
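Review bot: this revert block is the substantive fix. Before it, when `InlineBuiltInFunction` returned with `isInlined` false, the destination kept the value type it had received from `builtInReturnType` in the previous hunk (including whatever the `IsDefinite()` branch applied), so downstream passes could treat as established a type the built-in call never actually guaranteed; `UnsetValueTypeFixed()` followed by `SetValueType(... .ToLikely())` downgrades it back to a speculative type. Two points: `instr->GetDst()` is dereferenced without a null check, which is safe only because the flag is set exclusively under `if(instr->GetDst())`, so an `Assert(instr->GetDst())` would make that explicit; and the `if (!isInlined && hasDstUsedBuiltInReturnType)` line is indented one column deeper than the braces beneath it.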
    
  • lib/Backend/Opnd.h (+1 −0, modified)
    @@ -274,6 +274,7 @@ class Opnd
     
         bool                IsValueTypeFixed() const { return m_isValueTypeFixed; }
         void                SetValueTypeFixed() { m_isValueTypeFixed = true; }
    +    void                UnsetValueTypeFixed() { m_isValueTypeFixed = false; }
         IR::RegOpnd *       FindRegUse(IR::RegOpnd *regOpnd);
         bool                IsArgumentsObject();
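Review bot: `UnsetValueTypeFixed()` mirrors `SetValueTypeFixed()` and is straightforward; since clearing the fixed bit alone leaves the old value type in place, a short comment that callers are expected to also reset the value type itself (as the Inline.cpp caller does with `SetValueType(... .ToLikely())`) would keep the two steps from being separated at future call sites.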
     
    

Vulnerability mechanics

Generated on May 9, 2026. Inputs: CWE entries + fix-commit diffs from this CVE's patches. Citations validated against bundle.

References (8)
