VYPR
Moderate severity · NVD Advisory · Published Mar 14, 2018 · Updated Sep 16, 2024

CVE-2018-0939

Description

ChakraCore and Microsoft Edge in Windows 10 1703/1709 improperly handle objects in memory, allowing remote attackers to disclose sensitive information.

AI Insight

LLM-synthesized narrative grounded in this CVE's description and references.

Vulnerability

An information disclosure vulnerability exists in how the Chakra scripting engine handles objects in memory in Microsoft Edge and ChakraCore. The flaw is present in Windows 10 versions 1703 and 1709, as well as in the ChakraCore versions used in those builds [1][2]. The vulnerability is triggered by specially crafted web content that causes the scripting engine to mishandle objects in memory, leading to the potential disclosure of sensitive information [3].

Exploitation

An attacker would need to host a specially crafted website (or leverage a compromised site that accepts user-generated content) and convince a user to visit it, typically via a social engineering attack such as a link in an email or instant message. No special authentication or network position is required; the attack is remote and requires user interaction to load the malicious content [2][3].

Impact

Successful exploitation allows an attacker to obtain potentially sensitive information from the target system's memory. The vulnerability does not directly allow code execution, but enables information disclosure that could be chained with other vulnerabilities for further compromise [3]. The victim's system does not need to be running in an elevated privilege context; the disclosure occurs at the user's privilege level.

Mitigation

Microsoft released security updates on March 13, 2018, as part of the Monthly Rollup, to address this vulnerability in Windows 10 1703 and 1709, and in the ChakraCore component [2][3]. Users should apply the March 2018 security patches. No workarounds are documented. ChakraCore version 1.11 received security updates until March 9, 2021, after which support ended [4]. This CVE is not listed in the CISA Known Exploited Vulnerabilities Catalog.

AI Insight generated on May 22, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.

Affected packages

Versions sourced from the GitHub Security Advisory.

Package | Affected versions | Patched versions
Microsoft.ChakraCore (NuGet) | < 1.8.2 | 1.8.2

Affected products

2

Patches

1
090277e7a5ea

[CVE-2018-0939] Edge - chakra arguments bug version 2.0 - Individual

https://github.com/chakra-core/ChakraCore · Sandeep Agarwal · Feb 7, 2018 · via ghsa
1 file changed · +4 -0
  • lib/Parser/Parse.cpp · +4 -0 · modified
    @@ -12904,6 +12904,10 @@ ParseNodePtr Parser::GetRightSideNodeFromPattern(ParseNodePtr pnode)
             {
                 TrackAssignment<true>(pnode, nullptr);
             }
    +        else if (op == knopAsg)
    +        {
    +            TrackAssignment<true>(pnode->sxBin.pnode1, nullptr);
    +        }
         }
     
         return rightNode;
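
Review bot: the new "else if (op == knopAsg)" branch carries no comment explaining why the left operand (pnode->sxBin.pnode1) has to be tracked, and the commit changes only lib/Parser/Parse.cpp, so no regression test comes with it. Add a one-line comment naming the pattern shape this branch covers and a test script that exercises it, so the case stays covered if GetRightSideNodeFromPattern is refactored. It is also worth confirming that TrackAssignment<true> accepts every node kind that can appear as pnode1 at this point, since the branch passes it through without checking its type.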
    

Vulnerability mechanics

Generated on May 9, 2026. Inputs: CWE entries + fix-commit diffs from this CVE's patches. Citations validated against bundle.

References

8
