CVE-2018-0874
Description
ChakraCore and Microsoft Edge in Windows 10 (Gold, 1511, 1607, 1703, 1709) and Windows Server 2016 allow remote code execution due to a memory corruption vulnerability in the Chakra scripting engine.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
Vulnerability
The vulnerability is a memory corruption issue in the Chakra scripting engine, affecting ChakraCore and Microsoft Edge. It occurs when the engine improperly handles objects in memory. Affected versions include Windows 10 Gold, 1511, 1607, 1703, 1709, and Windows Server 2016 [1]. The bug is triggered when a user visits a specially crafted website or opens malicious content that exploits the error in object handling [2][3].
Exploitation
An attacker can exploit this vulnerability by hosting a malicious website or embedding crafted content in an email or other medium. The user must be using an affected version of Microsoft Edge or ChakraCore and interact with the content (e.g., visiting a website). No authentication is required. When the content is processed, the Chakra scripting engine mishandles memory, leading to a corrupted state that allows the attacker to execute arbitrary code [2][3].
Impact
Successful exploitation grants the attacker the same user rights as the current user. The attacker can then install programs, view, change, or delete data, or create new accounts with full user rights. The result is remote code execution, and potentially full system compromise if the user is an administrator [1][3].
Mitigation
Microsoft released security updates as part of March 2018 Patch Tuesday, which address this vulnerability. Users should apply the latest updates for their Windows version and Edge browser. ChakraCore version 1.11 has extended security support until March 9, 2021, but later versions are not actively maintained by Microsoft [4]. No workarounds are disclosed; patching is the recommended course of action [1][3].
- [1] NVD - CVE-2018-0874
- [2] Microsoft ChakraCore Scripting Engine CVE-2018-0874 Remote Memory Corruption Vulnerability
- [3] Microsoft Edge Multiple Object Memory Handling Errors Let Remote Users Execute Arbitrary Code and Obtain Potentially Sensitive Information
- [4] GitHub - chakra-core/ChakraCore: ChakraCore is an open source Javascript engine with a C API.
AI Insight generated on May 22, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
Affected packages
Versions sourced from the GitHub Security Advisory.
| Package | Affected versions | Patched versions |
|---|---|---|
| Microsoft.ChakraCore (NuGet) | < 1.8.2 | 1.8.2 |
Affected products
- Microsoft Corporation/ChakraCore, Microsoft Edge (v5). Range: ChakraCore, Microsoft Windows 10 Gold, 1511, 1607, 1703, 1709, and Windows Server 2016.
Patches
7087c314a676 [CVE-2018-0874] - Chakra Array Includes Uninitialized Memory RCE - Individual
1 file changed · +6 −0
lib/Runtime/Library/JavascriptArray.cpp+6 −0 modified@@ -4137,6 +4137,10 @@ namespace Js return i; } } + else if (SparseArraySegment<Var>::IsMissingItem(&element)) + { + AssertOrFailFast(false); + } else if (includesAlgorithm && JavascriptConversion::SameValueZero(element, search)) { //Array.prototype.includes @@ -6667,6 +6671,8 @@ namespace Js ClearSegmentMap(); // Dump the segmentMap again in case user compare function rebuilds it if (hasException) { + // The current array might have affected due to callbacks. As we have got the exception we should be resetting the missing value. + SetHasNoMissingValues(false); head = startSeg; this->InvalidateLastUsedSegment(); }
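Review bot: The new `IsMissingItem(&element)` branch in the first hunk (around line 4137, the loop that serves Array.prototype.includes) calls `AssertOrFailFast(false)` with no comment naming the invariant that was broken. A one-line comment saying that a missing-item sentinel must never be read at this point, because the next branch would otherwise pass it to `SameValueZero(element, search)` as if it were a real value, would tell maintainers why the branch terminates rather than skips the slot. The commit touches only `JavascriptArray.cpp` (+6 −0), so a regression test covering this path should accompany it.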
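Review bot: In the `if (hasException)` block of the second hunk (around line 6667), `SetHasNoMissingValues(false)` is applied only on the exception path, although the new comment attributes the risk to callbacks and the preceding line notes that the user compare function can rebuild the segment map without throwing. Please confirm that the non-exception path recomputes the flag, or clear it there as well. The added comment also needs a wording fix: "might have been affected by callbacks", and "reset the no-missing-values flag" is more precise than "resetting the missing value".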
Vulnerability mechanics
Generated on May 9, 2026. Inputs: CWE entries + fix-commit diffs from this CVE's patches. Citations validated against bundle.
References
- github.com/advisories/GHSA-67f9-qmg7-fmcq (ghsa, ADVISORY)
- nvd.nist.gov/vuln/detail/CVE-2018-0874 (ghsa, ADVISORY)
- www.securityfocus.com/bid/103269 (mitre, vdb-entry, x_refsource_BID)
- www.securitytracker.com/id/1040507 (mitre, vdb-entry, x_refsource_SECTRACK)
- github.com/chakra-core/ChakraCore/commit/7087c314a67631a0a3094bc2f741991ee10f5b5a (ghsa, WEB)
- portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2018-0874 (ghsa, x_refsource_CONFIRM, WEB)
- web.archive.org/web/20201021051922/http://www.securitytracker.com/id/1040507 (ghsa, WEB)
- web.archive.org/web/20210124144659/http://www.securityfocus.com/bid/103269 (ghsa, WEB)