CVE-2018-0933
Description
A memory corruption vulnerability in the Chakra scripting engine allows remote code execution via specially crafted content in Microsoft Edge or ChakraCore.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
Vulnerability
CVE-2018-0933 is a memory corruption vulnerability in the Chakra scripting engine, present in ChakraCore and in Microsoft Edge on Windows 10 Gold, 1511, 1607, 1703, 1709, and Windows Server 2016 [1][2]. The flaw exists when the engine improperly handles objects in memory during script execution, enabling an attacker to corrupt memory in a way that leads to code execution [2][3].
Exploitation
An attacker can exploit this vulnerability by hosting a specially crafted website (or by leveraging a compromised website that accepts user content) and convincing a user to visit it, typically through a lure sent by email or instant message [2][3]. The attacker must craft malicious JavaScript/HTML that triggers the object memory handling error in the Chakra engine when rendered by Microsoft Edge or an application embedding ChakraCore [2][3]. No additional privileges or user interaction beyond browsing to the malicious page are required [2].
Impact
Successful exploitation allows the attacker to execute arbitrary code in the context of the current user [1][3]. Depending on the user's privileges, the attacker could install programs; view, change, or delete data; or create new accounts with full user rights [2]. The compromise is limited to the security context of the logged-on user, but if the user has administrative rights the attacker can gain complete control of the system [2][3].
Mitigation
Microsoft released security updates for the affected Windows platforms and ChakraCore as part of the March 2018 Patch Tuesday [1][3]. All users should apply the latest cumulative update for Windows 10 or Windows Server 2016 to protect against this vulnerability [1][3]. ChakraCore users should update to version 1.8.1 or later [4]. No workarounds are available; the only mitigation is to install the vendor-provided patches [3].
- [1] NVD - CVE-2018-0933
- [2] Microsoft ChakraCore Scripting Engine CVE-2018-0933 Remote Memory Corruption Vulnerability
- [3] Microsoft Edge Multiple Object Memory Handling Errors Let Remote Users Execute Arbitrary Code and Obtain Potentially Sensitive Information
- [4] GitHub - chakra-core/ChakraCore: ChakraCore is an open source Javascript engine with a C API.
AI Insight generated on May 22, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
Affected packages
Versions sourced from the GitHub Security Advisory.
| Package | Affected versions | Patched versions |
|---|---|---|
| Microsoft.ChakraCore (NuGet) | < 1.8.2 | 1.8.2 |
Affected products
- Microsoft Corporation: ChakraCore, Microsoft Edge. Range: ChakraCore, Microsoft Windows 10 Gold, 1511, 1607, 1703, 1709, and Windows Server 2016.
Patches
6d5532d86720: [CVE-2018-0933] Chakra: JIT - Incomplete Fix for MSRC-41913 - Google, Inc.
1 file changed · +4 −1
lib/Runtime/Library/JavascriptArray.cpp+4 −1 modified@@ -11700,8 +11700,11 @@ namespace Js } const size_t inlineSlotsSize = instance->GetTypeHandler()->GetInlineSlotsSize(); - if (ThreadContext::IsOnStack(instance->head)) + if (ThreadContext::IsOnStack(instance->head) || deepCopy) { + // Reallocate both the object as well as the head segment when the head is on the stack or + // when a deep copy is needed. This is to prevent a scenario where box may leave either one + // on the stack when both must be on the heap. boxedInstance = RecyclerNewPlusZ(instance->GetRecycler(), inlineSlotsSize + sizeof(Js::SparseArraySegmentBase) + instance->head->size * sizeof(typename T::TElement), T, instance, true, deepCopy);
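Review bot: The widened condition `ThreadContext::IsOnStack(instance->head) || deepCopy` ships with no test (1 file changed, only lib/Runtime/Library/JavascriptArray.cpp), and since the commit title describes this as a follow-up to an incomplete fix, a regression test for the case the old check missed (deepCopy set while instance->head is not on the stack) should land with it. Separately, the allocation size `inlineSlotsSize + sizeof(Js::SparseArraySegmentBase) + instance->head->size * sizeof(typename T::TElement)` is now reached for any deep copy rather than only for stack-resident heads, and the hunk shows no overflow guard on that arithmetic; confirm that head->size is bounded on this path or use a checked multiply. The new comment states the invariant clearly; consider also enforcing it with an assertion after boxing that neither the boxed object nor its head segment remains on the stack.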
Vulnerability mechanics
Generated on May 9, 2026. Inputs: CWE entries + fix-commit diffs from this CVE's patches. Citations validated against bundle.
References
- www.exploit-db.com/exploits/44396/ (source: mitre; tags: exploit, x_refsource_EXPLOIT-DB)
- github.com/advisories/GHSA-3j65-2jcq-w9fr (source: ghsa; tags: ADVISORY)
- nvd.nist.gov/vuln/detail/CVE-2018-0933 (source: ghsa; tags: ADVISORY)
- www.securityfocus.com/bid/103274 (source: mitre; tags: vdb-entry, x_refsource_BID)
- www.securitytracker.com/id/1040507 (source: mitre; tags: vdb-entry, x_refsource_SECTRACK)
- github.com/chakra-core/ChakraCore/commit/6d5532d867202bc2e1b8b6b8c6f9c1c44a0f5ab8 (source: ghsa; tags: WEB)
- portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2018-0933 (source: ghsa; tags: x_refsource_CONFIRM, WEB)
- web.archive.org/web/20201021051922/http://www.securitytracker.com/id/1040507 (source: ghsa; tags: WEB)
- web.archive.org/web/20210124144714/http://www.securityfocus.com/bid/103274 (source: ghsa; tags: WEB)
- www.exploit-db.com/exploits/44396 (source: ghsa; tags: WEB)