CVE-2018-0943
Description
Chakra scripting engine in Microsoft Edge and ChakraCore mishandles objects in memory, allowing remote code execution via a crafted website.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
Chakra scripting engine in Microsoft Edge and ChakraCore mishandles objects in memory, allowing remote code execution via a crafted website.
Vulnerability
A remote code execution vulnerability exists in the way the Chakra scripting engine handles objects in memory in Microsoft Edge and ChakraCore. This is a memory corruption issue that occurs when the engine improperly processes objects in memory, leading to exploitable conditions. The vulnerability affects all versions of Microsoft Edge that use the Chakra engine and ChakraCore versions prior to the security update released on May 8, 2018. [1][2][3]
Exploitation
An attacker can exploit this vulnerability by hosting a specially crafted website that, when visited by a target user running a vulnerable version of Microsoft Edge or ChakraCore, triggers the memory corruption in the Chakra scripting engine. The attacker would need to convince the user to visit the malicious site, typically through social engineering or by injecting the content into a compromised legitimate site. No additional authentication or privileges are required beyond normal browsing. The user interaction is limited to visiting the page. [2][3]
Impact
Successful exploitation results in remote code execution in the context of the current user. An attacker who successfully exploits this vulnerability can gain the same user rights as the current user, allowing them to install programs, view, change, or delete data, or create new accounts with full user rights. If the current user has administrative privileges, the attacker could take complete control of the affected system. [1][2]
Mitigation
Microsoft released a security update on May 8, 2018 to address this vulnerability in Microsoft Edge. The update is part of the monthly Patch Tuesday release and was made available through Windows Update, Windows Server Update Services, and the Microsoft Update Catalog. Users should apply the latest updates for their Windows and Edge installations. For ChakraCore, users should update to version 1.11.1 or later. Microsoft also indicates that no workaround exists beyond applying the vendor-provided fix. [1][3][4]
- NVD - CVE-2018-0943
- Microsoft ChakraCore Scripting Engine CVE-2018-0943 Remote Memory Corruption Vulnerability
- Microsoft Edge Multiple Bugs Let Remote Users Execute Arbitrary Code, Obtain Potentially Sensitive Information, and Bypass Security Restrictions on the Target System
- GitHub - chakra-core/ChakraCore: ChakraCore is an open source Javascript engine with a C API.
AI Insight generated on May 22, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
Affected packages
Versions sourced from the GitHub Security Advisory.
| Package | Affected versions | Patched versions |
|---|---|---|
Microsoft.ChakraCoreNuGet | < 1.8.4 | 1.8.4 |
Affected products
3- Range: ChakraCore
Patches
132ee5de20ce5[CVE-2018-0943]: Chakra Bug 15964039 - Unrestored bytecode register after bailout
1 file changed · +2 −2
lib/Backend/Inline.cpp+2 −2 modified@@ -2089,11 +2089,11 @@ Inline::InlineBuiltInFunction(IR::Instr *callInstr, const FunctionJITTimeInfo * callInstr->m_opcode = inlineCallOpCode; SetupInlineInstrForCallDirect(builtInFunctionId, callInstr, argoutInstr); + WrapArgsOutWithCoerse(builtInFunctionId, callInstr); + // Generate ByteCodeArgOutCaptures and move the ArgOut_A/ArgOut_A_Inline close to the call instruction callInstr->MoveArgs(/*generateByteCodeCapture*/ true); - WrapArgsOutWithCoerse(builtInFunctionId, callInstr); - inlineBuiltInEndInstr = callInstr; } else
Vulnerability mechanics
Generated on May 9, 2026. Inputs: CWE entries + fix-commit diffs from this CVE's patches. Citations validated against bundle.
References
8- github.com/advisories/GHSA-7724-427r-8rvmghsaADVISORY
- nvd.nist.gov/vuln/detail/CVE-2018-0943ghsaADVISORY
- www.securityfocus.com/bid/103980mitrevdb-entryx_refsource_BID
- www.securitytracker.com/id/1040844mitrevdb-entryx_refsource_SECTRACK
- github.com/chakra-core/ChakraCore/commit/32ee5de20ce5b5c9332044039fea07616d76469dghsaWEB
- portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2018-0943ghsax_refsource_CONFIRMWEB
- web.archive.org/web/20210419155416/https://www.securityfocus.com/bid/103980ghsaWEB
- web.archive.org/web/20211204185256/https://www.securitytracker.com/id/1040844ghsaWEB
News mentions
0No linked articles in our index yet.