CVE-2018-0859
Description
A memory corruption vulnerability in Microsoft Edge and ChakraCore allows remote code execution via crafted web content.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
A memory corruption vulnerability in Microsoft Edge and ChakraCore allows remote code execution via crafted web content.
Vulnerability
CVE-2018-0859 is a memory corruption vulnerability in the scripting engine of Microsoft Edge and ChakraCore, caused by improper handling of objects in memory [1]. The flaw affects Microsoft Windows 10 Gold, 1511, 1607, 1703, 1709, and Windows Server 2016 [1]. All versions of Edge and ChakraCore on these platforms are vulnerable [4].
Exploitation
An attacker can exploit this vulnerability by hosting a specially crafted website that, when visited by a target user, triggers memory corruption in the scripting engine [2]. No additional authentication or user interaction beyond browsing the malicious page is required [2]. The attacker must convince the user to navigate to the site, typically via email or social engineering.
Impact
Successful exploitation allows the attacker to execute arbitrary code in the context of the current user [2]. If the user has administrative privileges, the attacker can gain full control of the system, install programs, view/change/delete data, or create new accounts [2]. The vulnerability is rated as critical with a CVSS score of 7.5 (High) [1].
Mitigation
Microsoft released security updates on February 13, 2018, as part of the February 2018 Patch Tuesday [2]. Users should apply the latest Windows updates immediately. For ChakraCore standalone, the fix is available in commit 8a2c3730f9fd775380dc8226dbf3a697c691b73d [3]. No workarounds are documented; the only mitigation is to install the updates [4].
- NVD - CVE-2018-0859
- Microsoft Edge Multiple Bugs Let Remote Users Execute Arbitrary Code, Obtain Potentially Sensitive Information, and Bypass Security Restrictions on the Target System
- ChakraCore fix for servicing release 18-02B: CVE-2018-0859 · chakra-core/ChakraCore@8a2c373
- Microsoft Edge Scripting Engine CVE-2018-0859 Remote Memory Corruption Vulnerability
AI Insight generated on May 22, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
Affected packages
Versions sourced from the GitHub Security Advisory.
| Package | Affected versions | Patched versions |
|---|---|---|
Microsoft.ChakraCoreNuGet | < 1.8.1 | 1.8.1 |
Affected products
2- Microsoft Corporation/Microsoft Edge, ChakraCorev5Range: Microsoft Windows 10 Gold, 1511, 1607, 1703, 1709, and Windows Server 2016.
Patches
18a2c3730f9fdChakraCore fix for servicing release 18-02B: CVE-2018-0859
1 file changed · +1 −1
lib/Runtime/Language/InterpreterStackFrame.h+1 −1 modified@@ -822,7 +822,7 @@ namespace Js { interpreterFrame->returnAddress = returnAddress; // Ensure these are set before pushing to interpreter frame list interpreterFrame->addressOfReturnAddress = addressOfReturnAddress; - if (interpreterFrame->GetFunctionBody()->GetIsAsmJsFunction()) + if (interpreterFrame->GetFunctionBody()->GetIsAsmjsMode()) { m_isHiddenFrame = true; }
Vulnerability mechanics
Generated on May 9, 2026. Inputs: CWE entries + fix-commit diffs from this CVE's patches. Citations validated against bundle.
References
8- github.com/advisories/GHSA-9pvj-pgg9-pvqqghsaADVISORY
- nvd.nist.gov/vuln/detail/CVE-2018-0859ghsaADVISORY
- www.securityfocus.com/bid/102882mitrevdb-entryx_refsource_BID
- www.securitytracker.com/id/1040372mitrevdb-entryx_refsource_SECTRACK
- github.com/chakra-core/ChakraCore/commit/8a2c3730f9fd775380dc8226dbf3a697c691b73dghsaWEB
- portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2018-0859ghsax_refsource_CONFIRMWEB
- web.archive.org/web/20210124135852/http://www.securityfocus.com/bid/102882ghsaWEB
- web.archive.org/web/20211208072939/http://www.securitytracker.com/id/1040372ghsaWEB
News mentions
0No linked articles in our index yet.