CVE-2018-0954
Description
A memory corruption vulnerability in the scripting engine of Microsoft browsers (Internet Explorer 9-11, Edge, ChakraCore) could allow remote code execution when a user visits a malicious webpage.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
Vulnerability
A remote code execution vulnerability exists in the way the scripting engine handles objects in memory in Microsoft browsers [1][2]. This is a memory corruption issue in the Chakra scripting engine used by Internet Explorer 9, 10, 11, Microsoft Edge, and the standalone ChakraCore [2][4]. The affected versions include all platforms where these browsers are supported [1]. The vulnerability is distinct from several other similar scripting engine CVEs disclosed at the same time [2].
Exploitation
An attacker can exploit this vulnerability by hosting a specially crafted website (or leveraging a compromised site that accepts or hosts user-provided content) and convincing a user to visit that website [1][3]. No authentication is required; the user must simply browse to the malicious page. The crafted content triggers an object memory handling error in the scripting engine [3].
Impact
Successful exploitation allows an attacker to execute arbitrary code in the context of the current user [1][3]. If the user is logged on with administrative user rights, the attacker could take complete control of the affected system, including installing programs, viewing/changing/deleting data, or creating new accounts with full user rights [2]. The impact is remote code execution (RCE) with the same privileges as the browser user.
Mitigation
Microsoft released security updates as part of the May 2018 Patch Tuesday (May 8, 2018) to address this vulnerability [1][3]. Users should apply the latest updates via Windows Update or by directly downloading the security patches from Microsoft. For ChakraCore, updates are available through the project's GitHub repository [4]. No workarounds are documented; applying the update is the recommended mitigation. This CVE is not listed under CISA's Known Exploited Vulnerabilities (KEV) catalog as of the publication date.
- [1] Microsoft Internet Explorer and Edge Scripting Engine Remote Memory Corruption Vulnerability
- [2] NVD - CVE-2018-0954
- [3] Microsoft Edge Multiple Bugs Let Remote Users Execute Arbitrary Code, Obtain Potentially Sensitive Information, and Bypass Security Restrictions on the Target System
- [4] GitHub - chakra-core/ChakraCore: ChakraCore is an open source Javascript engine with a C API.
AI Insight generated on May 22, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
Affected packages
Versions sourced from the GitHub Security Advisory.
| Package | Affected versions | Patched versions |
|---|---|---|
| Microsoft.ChakraCore (NuGet) | < 1.8.4 | 1.8.4 |
Affected products
- Range: ChakraCore
- Range: Windows Server 2012 (no CPE)
- Range: Windows 10 for 32-bit Systems (no CPE)
- Range: Windows Server 2008 for 32-bit Systems Service Pack 2 (no CPE)
Patches
51c46371c917 [CVE-2018-0954] Report a stack variable uaf bug to Edge Bug Bounty - 360Vulcan - Edge RCE+Web Plat beta bounty on WIP
1 file changed · +6 −11
lib/Backend/BackwardPass.cpp+6 −11 modified@@ -4232,6 +4232,11 @@ BackwardPass::ProcessStackSymUse(StackSym * stackSym, BOOLEAN isNonByteCodeUse) return true; } + if (this->DoMarkTempNumbers()) + { + Assert((block->loop != nullptr) == block->tempNumberTracker->HasTempTransferDependencies()); + block->tempNumberTracker->ProcessUse(stackSym, this); + } if (this->DoMarkTempObjects()) { Assert((block->loop != nullptr) == block->tempObjectTracker->HasTempTransferDependencies()); @@ -4294,17 +4299,7 @@ BackwardPass::ProcessSymUse(Sym * sym, bool isRegOpndUse, BOOLEAN isNonByteCodeU } } - StackSym * stackSym = sym->AsStackSym(); - bool isUsed = ProcessStackSymUse(stackSym, isNonByteCodeUse); - - if (!IsCollectionPass() && isRegOpndUse && this->DoMarkTempNumbers()) - { - // Collect mark temp number information - Assert((block->loop != nullptr) == block->tempNumberTracker->HasTempTransferDependencies()); - block->tempNumberTracker->ProcessUse(stackSym, this); - } - - return isUsed; + return ProcessStackSymUse(sym->AsStackSym(), isNonByteCodeUse); } bool
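Review bot: the new `if (this->DoMarkTempNumbers())` block in ProcessStackSymUse is guarded less strictly than the code it replaces, and nothing in the patch says why. The removed block in ProcessSymUse ran only under `!IsCollectionPass() && isRegOpndUse && this->DoMarkTempNumbers()`; here only DoMarkTempNumbers() is tested, so tempNumberTracker->ProcessUse now sees every stack-symbol use that reaches this point rather than only register-operand uses. If that widening is the fix for the stack variable UAF named in the commit title, say so in a comment (the old "// Collect mark temp number information" comment was dropped without a replacement), and confirm whether the early `return true;` just above is what keeps the collection pass out now that the explicit !IsCollectionPass() check is gone.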
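Review bot: in the second hunk, the tail of ProcessSymUse no longer reads isRegOpndUse once the removed condition is gone, leaving `return ProcessStackSymUse(sym->AsStackSym(), isNonByteCodeUse);` as the only statement shown. Check whether the parameter is still used earlier in the function; if it is not, drop it from the signature and its call sites so callers do not assume it still gates temp-number tracking. The change is listed as 1 file changed with no test added; a regression case that reaches this path with isRegOpndUse false would keep the old guard from being reintroduced.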
Vulnerability mechanics
Generated on May 9, 2026. Inputs: CWE entries + fix-commit diffs from this CVE's patches. Citations validated against bundle.
References
- github.com/advisories/GHSA-h5hw-qrrw-vfxg (ghsa, ADVISORY)
- nvd.nist.gov/vuln/detail/CVE-2018-0954 (ghsa, ADVISORY)
- www.securityfocus.com/bid/103991 (mitre, vdb-entry, x_refsource_BID)
- www.securitytracker.com/id/1040844 (mitre, vdb-entry, x_refsource_SECTRACK)
- github.com/chakra-core/ChakraCore/commit/51c46371c917e87bbde77d66abba088309d96a3f (ghsa, WEB)
- portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2018-0954 (ghsa, x_refsource_CONFIRM, WEB)
- web.archive.org/web/20210124164423/http://www.securityfocus.com/bid/103991 (ghsa, WEB)
- web.archive.org/web/20211204185256/http://www.securitytracker.com/id/1040844 (ghsa, WEB)