VYPR
High severity · NVD Advisory · Published Mar 14, 2018 · Updated Sep 16, 2024

CVE-2018-0873

Description

Memory corruption in Chakra scripting engine in Microsoft Edge and ChakraCore allows remote code execution via crafted web content.

AI Insight

LLM-synthesized narrative grounded in this CVE's description and references.

Vulnerability

The vulnerability is a memory corruption issue in the Chakra scripting engine used by Microsoft Edge and ChakraCore. Affected versions include ChakraCore and Microsoft Edge on Windows 10 1511, 1607, 1703, 1709, and Windows Server 2016. The bug occurs when the engine improperly handles objects in memory [1][2].

Exploitation

An attacker can exploit this by hosting a specially crafted website that, when visited by a victim using a vulnerable browser, triggers the memory corruption. No authentication is required, but the attacker must convince the user to visit the malicious site (e.g., via phishing or embedded content) [2][3].

Impact

Successful exploitation allows the attacker to execute arbitrary code in the context of the current user. If the user has administrative rights, the attacker can gain full control of the system, install programs, view/change/delete data, or create new accounts [1][3].

Mitigation

Microsoft released security updates on March 13, 2018, as part of its monthly Patch Tuesday. Users should apply the update for their affected Windows version. For ChakraCore, the fix is included in version 1.8.3 or later. No workarounds are mentioned. The vulnerability is not listed in CISA's KEV [1][4].

AI Insight generated on May 22, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.

Affected packages

Versions sourced from the GitHub Security Advisory.

Package | Affected versions | Patched versions
Microsoft.ChakraCore (NuGet) | < 1.8.2 | 1.8.2

Affected products

  • ghsa-coords
    Range: < 1.8.2
  • Microsoft Corporation/ChakraCore, Microsoft Edgev5
    Range: ChakraCore, Microsoft Windows 10 1511, 1607, 1703, 1709, and Windows Server 2016.

Patches

024353a0019d

[CVE-2018-0873] Scripting Engine Out-Of-Bounds Read Information Disclosure - Individual

https://github.com/chakra-core/ChakraCore · Akrosh Gandhi · Feb 6, 2018 · via ghsa
1 file changed · +3 -9
  • lib/Parser/Parse.cpp · +3 -9 · modified
    @@ -7656,7 +7656,7 @@ LPCOLESTR Parser::ConstructFinalHintNode(IdentPtr pClassName, IdentPtr pMemberNa
         }
     
         LPCOLESTR pFinalName = isComputedName? pMemberNameHint : pMemberName->Psz();
    -    uint32 fullNameHintLength = 0;
    +    uint32 fullNameHintLength = (uint32)wcslen(pFinalName);
         uint32 shortNameOffset = 0;
         if (!isStatic)
         {
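Review bot: At the new initializer `uint32 fullNameHintLength = (uint32)wcslen(pFinalName);`, pFinalName is scanned without any check that it is non-null, and in the computed-name case it is the caller-supplied pMemberNameHint rather than pMemberName->Psz(). An assert or early return on pFinalName before the wcslen call would make that precondition explicit. The (uint32) cast also narrows size_t silently on 64-bit builds, so either a checked conversion or a short comment on why the length always fits would help. A one-line comment that this default covers the path where the `if (!isStatic)` block is skipped would record why the previous initial value of 0 did not match the returned name.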
    @@ -7686,15 +7686,9 @@ LPCOLESTR Parser::ConstructFinalHintNode(IdentPtr pClassName, IdentPtr pMemberNa
             }
     
         }
    -    if (fullNameHintLength > *nameLength)
    -    {
    -        *nameLength = fullNameHintLength;
    -    }
     
    -    if (shortNameOffset > *pShortNameOffset)
    -    {
    -        *pShortNameOffset = shortNameOffset;
    -    }
    +    *nameLength = fullNameHintLength;
    +    *pShortNameOffset = shortNameOffset;
     
         return pFinalName;
     }
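Review bot: The unconditional stores `*nameLength = fullNameHintLength;` and `*pShortNameOffset = shortNameOffset;` turn both parameters from in/out values (keep the larger of old and new) into pure outputs, and nothing in the hunk documents that contract. A comment at the stores, or on the function, stating that both values always describe the returned pFinalName would keep a later change from reintroducing the removed comparisons, which let a larger value already in *nameLength outlive a shorter returned name. Both pointers are dereferenced without a null check; if callers must always pass them, an assert would state that. The change touches only lib/Parser/Parse.cpp, so a parser test that checks the reported length and offset for static and non-static members should accompany it.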
    

Vulnerability mechanics

Generated on May 9, 2026. Inputs: CWE entries + fix-commit diffs from this CVE's patches. Citations validated against bundle.

References

8
