CVE-2018-0860
Description
A remote code execution vulnerability in ChakraCore and Microsoft Edge due to memory corruption in the scripting engine.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
Vulnerability
The scripting engine in Microsoft Edge and ChakraCore mishandles objects in memory, leading to a memory corruption vulnerability (CVE-2018-0860). This affects Microsoft Windows 10 Gold, 1511, 1607, 1703, 1709, and Windows Server 2016. All versions of Edge and ChakraCore up to the February 2018 security update are affected [1][2].
Exploitation
An attacker can host a specially crafted website that, when visited by a user using Microsoft Edge, triggers the memory corruption. Successful exploitation requires no authentication or user interaction beyond browsing the malicious page. The vulnerability is remotely exploitable over the network [3].
Impact
Successful exploitation allows an attacker to execute arbitrary code in the context of the current user. This can lead to complete compromise of the affected system, including the ability to install programs, view, change, or delete data, or create new accounts with full user rights [1][2].
Mitigation
Microsoft released a security update on February 13, 2018, as part of Patch Tuesday, which addresses this vulnerability. Users should apply the update via Windows Update or the Microsoft Update Catalog. ChakraCore users should update to version 1.11 or later, which includes the fix. As of this writing, the vulnerability is not listed in the Known Exploited Vulnerabilities (KEV) catalog [2][3][4].
- [1] NVD - CVE-2018-0860
- [2] Microsoft Edge Multiple Bugs Let Remote Users Execute Arbitrary Code, Obtain Potentially Sensitive Information, and Bypass Security Restrictions on the Target System
- [3] Microsoft Edge Scripting Engine CVE-2018-0860 Remote Memory Corruption Vulnerability
- [4] GitHub - chakra-core/ChakraCore: ChakraCore is an open source Javascript engine with a C API.
AI Insight generated on May 22, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
Affected packages
Versions sourced from the GitHub Security Advisory.
| Package | Affected versions | Patched versions |
|---|---|---|
| Microsoft.ChakraCore (NuGet) | < 1.8.1 | 1.8.1 |
Affected products
- Microsoft Corporation / Microsoft Edge, ChakraCore. Range: Microsoft Windows 10 Gold, 1511, 1607, 1703, 1709, and Windows Server 2016.
Patches
9dac38fa6a62 ChakraCore fix for servicing release 18-02B: CVE-2018-0860
1 file changed · +20 −6
lib/Runtime/Base/ThreadContext.h+20 −6 modified@@ -1588,10 +1588,6 @@ class ThreadContext sealed : template <class Fn> inline Js::Var ExecuteImplicitCall(Js::RecyclableObject * function, Js::ImplicitCallFlags flags, Fn implicitCall) { - // For now, we will not allow Function that is marked as HasNoSideEffect to be called, and we will just bailout. - // These function may still throw exceptions, so we will need to add checks with RecordImplicitException - // so that we don't throw exception when disableImplicitCall is set before we allow these function to be called - // as an optimization. (These functions are valueOf and toString calls for built-in non primitive types) Js::FunctionInfo::Attributes attributes = Js::FunctionInfo::GetAttributes(function); @@ -1601,7 +1597,16 @@ class ThreadContext sealed : { // Has no side effect means the function does not change global value or // will check for implicit call flags - return implicitCall(); + Js::Var result = implicitCall(); + + // If the value is on stack we need to bailout so that it can be boxed. + // Instead of putting this in valueOf (or other builtins which have no side effect) adding + // the check here to cover any other scenario we might miss. + if (IsOnStack(result)) + { + AddImplicitCallFlags(flags); + } + return result; } // Don't call the implicit call if disable implicit call @@ -1617,7 +1622,16 @@ class ThreadContext sealed : { // Has no side effect means the function does not change global value or // will check for implicit call flags - return implicitCall(); + Js::Var result = implicitCall(); + + // If the value is on stack we need to bailout so that it can be boxed. + // Instead of putting this in valueOf (or other builtins which have no side effect) adding + // the check here to cover any other scenario we might miss. + if (IsOnStack(result)) + { + AddImplicitCallFlags(flags); + } + return result; } // Save and restore implicit flags around the implicit call
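Review bot: in the first hunk (top of ExecuteImplicitCall), the deleted comment also recorded that these HasNoSideEffect functions "may still throw exceptions" and would need RecordImplicitException checks; removing all four lines drops that caveat together with the stale "will not allow ... to be called" sentence. If the exception concern still applies, keep that sentence or replace it with a short comment describing the current behaviour, since none of the added lines cover it.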
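Review bot: in the second hunk (@@ -1601), the new IsOnStack(result) branch only calls AddImplicitCallFlags(flags) and then still returns the stack-allocated result, so safety depends on the caller checking the implicit call flags and bailing out before the value is stored or reused. The comment says "we need to bailout so that it can be boxed" but does not say who performs the bailout; state that caller contract in the comment. The summary shows "1 file changed", so no regression test accompanies the fix; add one that exercises a HasNoSideEffect built-in returning a stack value.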
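Review bot: the third hunk (@@ -1617) repeats the added block from the previous hunk verbatim, comment included. Move the IsOnStack(result) check and the AddImplicitCallFlags(flags) call into one small helper used by both HasNoSideEffect branches, so the two paths cannot drift apart in a later servicing change.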
Vulnerability mechanics
Generated on May 9, 2026. Inputs: CWE entries + fix-commit diffs from this CVE's patches. Citations validated against bundle.
References
- www.exploit-db.com/exploits/44076/ (mitre; exploit; x_refsource_EXPLOIT-DB)
- github.com/advisories/GHSA-v3xp-3wpq-rvhp (ghsa; ADVISORY)
- nvd.nist.gov/vuln/detail/CVE-2018-0860 (ghsa; ADVISORY)
- www.securityfocus.com/bid/102883 (mitre; vdb-entry; x_refsource_BID)
- www.securitytracker.com/id/1040372 (mitre; vdb-entry; x_refsource_SECTRACK)
- github.com/chakra-core/ChakraCore/commit/9dac38fa6a6273f4cd57234d3caf4c7033e527bc (ghsa; WEB)
- portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2018-0860 (ghsa; x_refsource_CONFIRM; WEB)
- web.archive.org/web/20210124135855/http://www.securityfocus.com/bid/102883 (ghsa; WEB)
- web.archive.org/web/20210922050621/http://www.securitytracker.com/id/1040372 (ghsa; WEB)
- www.exploit-db.com/exploits/44076 (ghsa; WEB)