CVE-2018-0930
Description
Memory corruption in ChakraCore allows remote code execution via crafted web content.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
Memory corruption in ChakraCore allows remote code execution via crafted web content.
Vulnerability
CVE-2018-0930 is a memory corruption vulnerability in the Chakra scripting engine used by ChakraCore and Microsoft Edge in Microsoft Windows 10 version 1709 [1][2]. The bug resides in the Parser::ParseStringTemplateDecl function and is triggered during the parsing of template strings when destructuring patterns are present [4]. The fix ensures that hasDestructuring is properly set in the created node. Affected versions include all releases of ChakraCore up to and including the 1.11 series [3], and Edge on Windows 10 1709 [2].
Exploitation
An attacker can exploit this vulnerability by hosting a specially crafted website (or injecting content into a website) that, when visited in Microsoft Edge, triggers the vulnerable code path in ChakraCore [1][2]. No authentication is required, and the user only needs to view the malicious content in the browser. The provided patch suggests that a specific sequence of JavaScript involving template strings and destructuring can cause invalid stack restoration [4].
Impact
Successful exploitation leads to remote code execution in the context of the current user [1]. If the user has elevated privileges, the attacker could gain significant control over the system, potentially installing programs, viewing or altering data, or creating new accounts. The vulnerability is classified as memory corruption, allowing arbitrary code execution [1][2].
Mitigation
Microsoft released security updates on March 13, 2018 to address this vulnerability [1][2]. Users should apply the latest updates from Microsoft Update. ChakraCore 1.11 received a security patch via the mentioned commit [4]; versions beyond 1.11 are community-maintained. No workaround is available. The vulnerability is not listed in the KEV catalog as of the publication date.
- NVD - CVE-2018-0930
- Microsoft ChakraCore Scripting Engine CVE-2018-0930 Remote Memory Corruption Vulnerability
- GitHub - chakra-core/ChakraCore: ChakraCore is an open source Javascript engine with a C API.
- [CVE-2018-0930] Invalid stack restore when destructuring is used as a… · chakra-core/ChakraCore@2021bcb
AI Insight generated on May 22, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
Affected packages
Versions sourced from the GitHub Security Advisory.
| Package | Affected versions | Patched versions |
|---|---|---|
Microsoft.ChakraCoreNuGet | < 1.8.2 | 1.8.2 |
Affected products
2- Microsoft Corporation/ChakraCore, Microsoft Edgev5Range: ChakraCore and Microsoft Windows 10 1709
Patches
12021bcb12260[CVE-2018-0930] Invalid stack restore when destructuring is used as a call param under Eval - Individual
1 file changed · +11 −1
lib/Parser/Parse.cpp+11 −1 modified@@ -4030,7 +4030,16 @@ ParseNodePtr Parser::ParsePostfixOperators( case tkStrTmplBasic: case tkStrTmplBegin: { - ParseNode* templateNode = ParseStringTemplateDecl<buildAST>(pnode); + ParseNode* templateNode = nullptr; + if (pnode != nullptr) + { + AutoMarkInParsingArgs autoMarkInParsingArgs(this); + templateNode = ParseStringTemplateDecl<buildAST>(pnode); + } + else + { + templateNode = ParseStringTemplateDecl<buildAST>(pnode); + } if (!buildAST) { @@ -8285,6 +8294,7 @@ ParseNodePtr Parser::ParseStringTemplateDecl(ParseNodePtr pnodeTagFnc) // We need to set the arg count explicitly pnodeStringTemplate->sxCall.argCount = stringConstantCount; + pnodeStringTemplate->sxCall.hasDestructuring = m_hasDestructuringPattern; } }
Vulnerability mechanics
Generated on May 9, 2026. Inputs: CWE entries + fix-commit diffs from this CVE's patches. Citations validated against bundle.
References
6- github.com/advisories/GHSA-wc4x-9h9p-9494ghsaADVISORY
- nvd.nist.gov/vuln/detail/CVE-2018-0930ghsaADVISORY
- www.securityfocus.com/bid/103272mitrevdb-entryx_refsource_BID
- github.com/chakra-core/ChakraCore/commit/2021bcb122607abef578ef444419e4ba0a9777beghsaWEB
- portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2018-0930ghsax_refsource_CONFIRMWEB
- web.archive.org/web/20210124144710/http://www.securityfocus.com/bid/103272ghsaWEB
News mentions
0No linked articles in our index yet.