CVE-2018-0937
Description
ChakraCore and Microsoft Edge on Windows 10 1703/1709 contain a memory corruption vulnerability in the Chakra scripting engine that allows remote code execution when a user visits a crafted webpage.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
Vulnerability
CVE-2018-0937 is a memory corruption vulnerability in the Chakra scripting engine used by ChakraCore and Microsoft Edge on Windows 10 version 1703 and 1709. The bug occurs when the engine improperly handles objects in memory, leading to exploitable corruption. Affected software includes all versions of ChakraCore and Microsoft Edge running on the listed Windows 10 builds. [1][2]
Exploitation
An attacker must craft a malicious webpage that, when visited by a victim using an affected browser, triggers the memory handling error. No additional authentication or local access is required; the attack is fully remote. The victim only needs to load the content (e.g., via a link or hosted page) to trigger the corruption [2][3].
Impact
Successful exploitation grants the attacker the ability to execute arbitrary code within the context of the current user. This can lead to full system compromise, including installation of programs, modification of data, or creation of accounts with full user rights. The vulnerability also potentially enables disclosure of sensitive information [3].
Mitigation
Microsoft released security updates on March 13, 2018 (Patch Tuesday) to address this vulnerability. Users should apply the latest Windows 10 cumulative updates and update ChakraCore to a patched version. No workarounds are documented. ChakraCore 1.11 continues to receive security updates until March 9, 2021 [4]; users on later builds should use the latest available fixed version.
- [1] NVD - CVE-2018-0937
- [2] Microsoft ChakraCore Scripting Engine CVE-2018-0937 Remote Memory Corruption Vulnerability
- [3] Microsoft Edge Multiple Object Memory Handling Errors Let Remote Users Execute Arbitrary Code and Obtain Potentially Sensitive Information
- [4] GitHub - chakra-core/ChakraCore: ChakraCore is an open source Javascript engine with a C API.
AI Insight generated on May 22, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
Affected packages
Versions sourced from the GitHub Security Advisory.
| Package | Affected versions | Patched versions |
|---|---|---|
| Microsoft.ChakraCore (NuGet) | < 1.8.2 | 1.8.2 |
Affected products
- Microsoft Corporation/ChakraCore, Microsoft Edge (v5). Range: ChakraCore, and Microsoft Windows 10 1703 and 1709.
Patches
069c3fb1e597 [CVE-2018-0937] Edge - Use after free of LdFld instruction in prePassInstrMap - Google, Inc
1 file changed · +5 −2
lib/Backend/GlobOpt.cpp+5 −2 modified@@ -2481,8 +2481,11 @@ GlobOpt::OptInstr(IR::Instr *&instr, bool* isInstrRemoved) CurrentBlockData()->KillStateForGeneratorYield(); } - // Change LdFld on arrays, strings, and 'arguments' to LdLen when we're accessing the .length field - this->TryReplaceLdLen(instr); + if (!IsLoopPrePass()) + { + // Change LdFld on arrays, strings, and 'arguments' to LdLen when we're accessing the .length field + this->TryReplaceLdLen(instr); + } // Consider: Do we ever get post-op bailout here, and if so is the FillBailOutInfo call in the right place? if (instr->HasBailOutInfo() && !this->IsLoopPrePass())
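Review bot: The new `if (!IsLoopPrePass())` guard around `this->TryReplaceLdLen(instr)` in GlobOpt::OptInstr has no comment saying why the LdFld-to-LdLen replacement is skipped during the loop prepass; the comment moved inside the braces only describes what the call does. The commit title names a use after free of the LdFld instruction in prePassInstrMap, so a one-line comment tying the guard to that would keep a later cleanup from dropping it. The guard also calls `IsLoopPrePass()` bare, while the bailout check a few lines below uses `this->IsLoopPrePass()`; use one form consistently. Only lib/Backend/GlobOpt.cpp changes here, so a regression test exercising a `.length` load during the loop prepass should accompany the fix.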
Vulnerability mechanics
Generated on May 9, 2026. Inputs: CWE entries + fix-commit diffs from this CVE's patches. Citations validated against bundle.
References
- github.com/advisories/GHSA-6c2v-xc8f-fvf7 (ghsa, ADVISORY)
- nvd.nist.gov/vuln/detail/CVE-2018-0937 (ghsa, ADVISORY)
- www.securityfocus.com/bid/103271 (mitre, vdb-entry, x_refsource_BID)
- www.securitytracker.com/id/1040507 (mitre, vdb-entry, x_refsource_SECTRACK)
- github.com/chakra-core/ChakraCore/commit/069c3fb1e597f3eaea32092599de4a72bbecc365 (ghsa, WEB)
- portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2018-0937 (ghsa, x_refsource_CONFIRM, WEB)
- web.archive.org/web/20210124144708/http://www.securityfocus.com/bid/103271 (ghsa, WEB)
- web.archive.org/web/20211026192005/http://www.securitytracker.com/id/1040507 (ghsa, WEB)