CVE-2018-0872
Description
Chakra scripting engine memory corruption in ChakraCore/Edge allows remote code execution via crafted content.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
Vulnerability
A memory corruption vulnerability exists in the Chakra scripting engine used by ChakraCore and Microsoft Edge. The engine improperly handles objects in memory, leading to exploitable corruption. Affected versions include Microsoft Edge on Windows 10 Gold, 1511, 1607, 1703, 1709, and Windows Server 2016, as well as ChakraCore prior to the security update [1][2].
Exploitation
An attacker can host a specially crafted website (or inject content into a compromised site) that triggers the memory corruption when visited in Microsoft Edge. No user interaction beyond browsing is required; the vulnerability can be exploited without authentication. The specific sequence involves crafting JavaScript that causes the Chakra engine to corrupt memory [3][4].
Impact
Successful exploitation allows remote code execution in the context of the current user. If the user has administrative privileges, the attacker can install programs, modify data, or create new accounts with full system access. The impact is complete compromise of confidentiality, integrity, and availability [1][3].
Mitigation
Microsoft released security updates on March 13, 2018, as part of Patch Tuesday. Applying the update for the affected Windows versions and ChakraCore (version 1.11) mitigates the issue. No workaround is available; users should ensure automatic updates are enabled. ChakraCore security updates continued until March 2021, but the engine is no longer used in Microsoft Edge [1][4].
- NVD - CVE-2018-0872
- Microsoft ChakraCore Scripting Engine CVE-2018-0872 Remote Memory Corruption Vulnerability
- Microsoft Edge Multiple Object Memory Handling Errors Let Remote Users Execute Arbitrary Code and Obtain Potentially Sensitive Information
- GitHub - chakra-core/ChakraCore: ChakraCore is an open source Javascript engine with a C API.
AI Insight generated on May 22, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
Affected packages
Versions sourced from the GitHub Security Advisory.
| Package | Affected versions | Patched versions |
|---|---|---|
| Microsoft.ChakraCoreNuGet | < 1.8.2 | 1.8.2 |
Affected products
- Microsoft Corporation / ChakraCore, Microsoft Edge. Range: ChakraCore, Microsoft Windows 10 Gold, 1511, 1607, 1703, 1709, and Windows Server 2016.
Patches
8b229ce07220 [CVE-2018-0872] edge Array buffer UAF vulnerability
2 files changed · +14 −5
lib/Backend/GlobOpt.cpp+7 −2 modified@@ -13443,6 +13443,9 @@ GlobOpt::OptArraySrc(IR::Instr * *const instrRef) return; } + const bool isLikelyVirtualTypedArray = baseValueType.IsLikelyOptimizedVirtualTypedArray(); + Assert(!(isLikelyJsArray && isLikelyVirtualTypedArray)); + ValueType newBaseValueType(baseValueType.ToDefiniteObject()); if(isLikelyJsArray && newBaseValueType.HasNoMissingValues() && !DoArrayMissingValueCheckHoist()) { @@ -13773,7 +13776,7 @@ GlobOpt::OptArraySrc(IR::Instr * *const instrRef) { const JsArrayKills loopKills(loop->jsArrayKills); Value *baseValueInLoopLandingPad = nullptr; - if((isLikelyJsArray && loopKills.KillsValueType(newBaseValueType)) || + if(((isLikelyJsArray || isLikelyVirtualTypedArray) && loopKills.KillsValueType(newBaseValueType)) || !OptIsInvariant(baseOpnd->m_sym, currentBlock, loop, baseValue, true, true, &baseValueInLoopLandingPad) || !(doArrayChecks || baseValueInLoopLandingPad->GetValueInfo()->IsObject())) { @@ -17387,7 +17390,9 @@ GlobOpt::DoArrayCheckHoist(const ValueType baseValueType, Loop* loop, IR::Instr return false; } - if(!baseValueType.IsLikelyArrayOrObjectWithArray() || + // This includes typed arrays, but not virtual typed arrays, whose vtable can change if the buffer goes away. + // Note that in the virtual case the vtable check is the only way to catch this, since there's no bound check. + if(!(baseValueType.IsLikelyArrayOrObjectWithArray() || baseValueType.IsLikelyOptimizedVirtualTypedArray()) || (loop ? ImplicitCallFlagsAllowOpts(loop) : ImplicitCallFlagsAllowOpts(func))) { return true;
lib/Backend/GlobOpt.h+7 −3 modified@@ -332,12 +332,16 @@ class JsArrayKills public: bool KillsValueType(const ValueType valueType) const { - Assert(valueType.IsArrayOrObjectWithArray()); + Assert(valueType.IsArrayOrObjectWithArray() || valueType.IsOptimizedVirtualTypedArray()); return killsAllArrays || - (killsArraysWithNoMissingValues && valueType.HasNoMissingValues()) || - (killsNativeArrays && !valueType.HasVarElements()); + (valueType.IsArrayOrObjectWithArray() && + ( + (killsArraysWithNoMissingValues && valueType.HasNoMissingValues()) || + (killsNativeArrays && !valueType.HasVarElements()) + ) + ); } bool AreSubsetOf(const JsArrayKills &other) const
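Review bot: The new `Assert(!(isLikelyJsArray && isLikelyVirtualTypedArray))` in the first GlobOpt.cpp hunk (`@@ -13443`) is debug-only, so release builds silently rely on the two flags being mutually exclusive; a one-line comment stating why a value type can never be both likely-JS-array and likely-optimized-virtual-typed-array would make that invariant reviewable without reading ValueType. Also, `isLikelyVirtualTypedArray` is computed here but not consumed until the loop-kill check some 330 lines further down the same function; unless it is needed early, computing it next to its use keeps the flag and its consumer together.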
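Review bot: In the second GlobOpt.cpp hunk (`@@ -13773`) the widened condition `((isLikelyJsArray || isLikelyVirtualTypedArray) && loopKills.KillsValueType(newBaseValueType))` now feeds virtual-typed-array value types into `KillsValueType`, whose Assert in GlobOpt.h accepts only `IsArrayOrObjectWithArray() || IsOptimizedVirtualTypedArray()`. Because `newBaseValueType` is `baseValueType.ToDefiniteObject()`, this hunk depends on the header change landing in the same commit (it does) and on `ToDefiniteObject()` keeping the virtual-typed-array classification, otherwise the Assert fires in debug builds. The rationale for why virtual typed arrays need the kill check lives only in the DoArrayCheckHoist comment; a short comment here (the vtable can change if the backing buffer goes away, so the loop's kills must be consulted) would save the reader the cross-reference.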
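Review bot: The comment added in the DoArrayCheckHoist hunk (`@@ -17387`) reads ambiguously: "This includes typed arrays, but not virtual typed arrays" sits directly above a condition that now names `IsLikelyOptimizedVirtualTypedArray()` explicitly, so a reader can take it to mean the opposite of what the code does. Suggest restating the effect rather than the set: non-array bases and ordinary typed arrays still take the early `return true`, while a likely virtual typed array now falls through to the stricter path whenever implicit calls are allowed, because with no bound check the vtable check is the only thing that catches a detached buffer.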
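Review bot: In the GlobOpt.h hunk the restructured return means that for an optimized virtual typed array only `killsAllArrays` can report a kill; the `killsArraysWithNoMissingValues` and `killsNativeArrays` clauses are now gated behind `IsArrayOrObjectWithArray()`. That looks intentional (missing values and native element kinds are JS-array notions), but nothing says so, and the fix then rests on `killsAllArrays` being set for every operation that can detach a typed array's buffer; a comment next to the widened `Assert` stating that assumption would document it, and since the Assert is stripped in release builds, an unexpected value type would otherwise fall through to `killsAllArrays` without any diagnostic. Minor style point: the parentheses around the two inner clauses are nested one level deeper than needed and can be flattened without changing evaluation.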
Vulnerability mechanics
Generated on May 9, 2026. Inputs: CWE entries + fix-commit diffs from this CVE's patches. Citations validated against bundle.
References
- github.com/advisories/GHSA-h9h7-4jfm-3fxr (ghsa: ADVISORY)
- nvd.nist.gov/vuln/detail/CVE-2018-0872 (ghsa: ADVISORY)
- www.securityfocus.com/bid/103267 (mitre: vdb-entry, x_refsource_BID)
- www.securitytracker.com/id/1040507 (mitre: vdb-entry, x_refsource_SECTRACK)
- github.com/chakra-core/ChakraCore/commit/8b229ce07220eb81c81329566df9b01fea571d1a (ghsa: WEB)
- portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2018-0872 (ghsa: x_refsource_CONFIRM, WEB)
- web.archive.org/web/20210124144651/http://www.securityfocus.com/bid/103267 (ghsa: WEB)
- web.archive.org/web/20211026192005/http://www.securitytracker.com/id/1040507 (ghsa: WEB)
News mentions
No linked articles in our index yet.