VYPR
High severity · NVD Advisory · Published Apr 12, 2018 · Updated Aug 5, 2024

CVE-2018-0980

Description

Chakra scripting engine memory corruption in Edge and ChakraCore allows remote code execution via crafted webpage.

AI Insight

LLM-synthesized narrative grounded in this CVE's description and references.

Vulnerability

The vulnerability is a memory corruption in the Chakra scripting engine, specifically in the JIT compiler's array bounds check elimination. The bug occurs when GlobOpt::OptArraySrc hoists bound checks using an InvariantBlockBackwardIterator that walks basic blocks in layout order without following control flow, so a block that is not actually on the path to the current block is treated as covered by the hoisted check, leading to an out-of-bounds access. This affects Microsoft Edge on Windows 10 and ChakraCore versions prior to the fix committed in April 2018 [1][2][3].
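As an added illustration (a constructed model written for this page, not ChakraCore code), the sketch below walks a small constructed CFG backward in layout order, once ignoring predecessor edges as the pre-fix iterator did, and once applying the predecessor bit-vector test the fix adds; `Block`, `kSampleCfg` and `walkBackward` are names chosen here.

```cpp
#include <cstdio>
#include <set>
#include <vector>

// Constructed model (added here, not ChakraCore code) of the backward block
// walk done by InvariantBlockBackwardIterator in GlobOpt::OptArraySrc.
struct Block {
    int num;
    std::vector<int> preds;  // block numbers of control-flow predecessors
};

// Constructed CFG in layout order: 0 -> 1 -> 3 -> 4 is the path from the hoist
// block (0) to the current block (4); block 2 branches off 0 and never reaches 4.
const std::vector<Block> kSampleCfg = {
    {0, {}}, {1, {0}}, {2, {0}}, {3, {1}}, {4, {3}},
};

// Walks layout[exclusiveBegin-1] down to layout[inclusiveEnd], as the iterator
// does from currentBlock->next back to hoistBlock. With followFlow the fix's
// predecessor bit-vector test is applied: a block is yielded only if it is a
// predecessor of a block already yielded (the first block seeds the set).
std::vector<int> walkBackward(const std::vector<Block>& layout, int exclusiveBegin,
                              int inclusiveEnd, bool followFlow) {
    std::vector<int> yielded;
    std::set<int> predBV;  // stands in for the BVSparse blockBV member
    for (int i = exclusiveBegin - 1; i >= inclusiveEnd; --i) {
        const Block& b = layout[i];
        if (followFlow) {
            // Same test as UpdatePredBlockBV: an empty set accepts the first block.
            if (!predBV.empty() && !predBV.count(b.num)) continue;
            for (int p : b.preds) predBV.insert(p);
        }
        yielded.push_back(b.num);
    }
    return yielded;
}

int main() {
    // Layout-order walk yields block 2 even though it never flows into block 4;
    // the flow-following walk skips it.
    for (bool followFlow : {false, true}) {
        std::printf("followFlow=%d:", followFlow);
        for (int n : walkBackward(kSampleCfg, 5, 0, followFlow)) std::printf(" %d", n);
        std::printf("\n");
    }
    return 0;
}
```

Block 2 is the kind of block the pre-fix walk wrongly treated as protected by the hoisted check.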

Exploitation

An attacker can host a specially crafted website containing malicious JavaScript that triggers the vulnerability when a user visits the site in Microsoft Edge. No authentication or user interaction beyond visiting the page is required. The attacker does not need any special network position; the attack can be carried out remotely via the web [1][2].

Impact

Successful exploitation allows the attacker to execute arbitrary code in the context of the current user. The attacker could install programs, view, change, or delete data, or create new accounts with full user rights. The compromise is at the user privilege level, potentially leading to full system control if the user is an administrator [1].

Mitigation

Microsoft released a security update as part of the April 2018 Patch Tuesday (MSRC) to address this vulnerability. For ChakraCore, the fix is implemented in commit af07d28 [3]. Users should update to the latest version of Microsoft Edge or ChakraCore (version 1.8.0 or later) to mitigate the issue. No workarounds are available; the only mitigation is applying the update [4].

AI Insight generated on May 22, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.

Affected packages

Versions sourced from the GitHub Security Advisory.

Package                        Affected versions   Patched versions
Microsoft.ChakraCore (NuGet)   < 1.8.3             1.8.3

Affected products: 3

Patches: 1

af07d28d4868

[CVE-2018-0980] Chakra JIT - A bound check elimination bug - Google, Inc.

https://github.com/chakra-core/ChakraCore · Michael Holman · Mar 9, 2018 · via ghsa
2 files changed · +39 −5
  • lib/Backend/GlobOpt.cpp (+35 −4, modified)
    @@ -14402,7 +14402,8 @@ GlobOpt::OptArraySrc(IR::Instr * *const instrRef)
                                     currentBlock->next,
                                     hoistBlock,
                                     hoistInfo.IndexSym(),
    -                                hoistInfo.IndexValueNumber());
    +                                hoistInfo.IndexValueNumber(),
    +                                true);
                                 it.IsValid();
                                 it.MoveNext())
                             {
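Review bot: the bare `true` added as the trailing argument gives no hint what it enables; since the header defaults `followFlow` to false, name it at the call site (`/*followFlow*/ true`) or add a one-line comment on why this walk must respect predecessor edges, so a future caller copying this pattern does not silently drop it.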
    @@ -14670,7 +14671,7 @@ GlobOpt::OptArraySrc(IR::Instr * *const instrRef)
                         Assert(!hoistInfo.Loop() || hoistBlock != currentBlock);
                         if(hoistBlock != currentBlock)
                         {
    -                        for(InvariantBlockBackwardIterator it(this, currentBlock->next, hoistBlock, nullptr);
    +                        for(InvariantBlockBackwardIterator it(this, currentBlock->next, hoistBlock, nullptr, InvalidValueNumber, true);
                                 it.IsValid();
                                 it.MoveNext())
                             {
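Review bot: `InvalidValueNumber` is spelled out here only to reach the new sixth parameter; a named-argument comment (`nullptr, InvalidValueNumber, /*followFlow*/ true`) would make it obvious that the value number is still the default and only `followFlow` changed. Since the header keeps `followFlow = false` as the default, any constructor use not touched by this diff stays on the old layout-order walk; worth confirming that is intended for each of them.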
    @@ -17116,12 +17117,15 @@ InvariantBlockBackwardIterator::InvariantBlockBackwardIterator(
         BasicBlock *const exclusiveBeginBlock,
         BasicBlock *const inclusiveEndBlock,
         StackSym *const invariantSym,
    -    const ValueNumber invariantSymValueNumber)
    +    const ValueNumber invariantSymValueNumber,
    +    bool followFlow)
         : globOpt(globOpt),
         exclusiveEndBlock(inclusiveEndBlock->prev),
         invariantSym(invariantSym),
         invariantSymValueNumber(invariantSymValueNumber),
    -    block(exclusiveBeginBlock)
    +    block(exclusiveBeginBlock),
    +    blockBV(globOpt->tempAlloc),
    +    followFlow(followFlow)
     #if DBG
         ,
         inclusiveEndBlock(inclusiveEndBlock)
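Review bot: the new `followFlow` parameter and the `blockBV` member carry no comment describing their semantics (yield a block only if it is a predecessor of a block already yielded); please document that on the constructor. Note also that `blockBV` is constructed from `globOpt->tempAlloc` regardless of `followFlow`, so the temp arena must outlive every iterator instance, not only the flow-following ones.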
    @@ -17159,6 +17163,11 @@ InvariantBlockBackwardIterator::MoveNext()
                 break;
             }
     
    +        if (!this->UpdatePredBlockBV())
    +        {
    +            continue;
    +        }
    +
             if(block->isDeleted)
             {
                 continue;
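Review bot: `UpdatePredBlockBV()` now runs before the `block->isDeleted` check, so a deleted block that is present in `blockBV` still adds its predecessors to the bit-vector before being skipped. If deleted blocks can retain stale predecessor edges, that widens the accepted set; consider moving the new call after the `isDeleted` test, or confirm that deleted blocks always have an empty pred list.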
    @@ -17186,6 +17195,28 @@ InvariantBlockBackwardIterator::MoveNext()
         }
     }
     
    +bool
    +InvariantBlockBackwardIterator::UpdatePredBlockBV()
    +{
    +    if (!this->followFlow)
    +    {
    +        return true;
    +    }
    +
    +    // Track blocks we've visited to ensure that we only iterate over predecessor blocks
    +    if (!this->blockBV.IsEmpty() && !this->blockBV.Test(this->block->GetBlockNum()))
    +    {
    +        return false;
    +    }
    +
    +    FOREACH_SLISTBASECOUNTED_ENTRY(FlowEdge*, edge, this->block->GetPredList())
    +    {
    +        this->blockBV.Set(edge->GetPred()->GetBlockNum());
    +    } NEXT_SLISTBASECOUNTED_ENTRY;
    +
    +    return true;
    +}
    +
     BasicBlock *
     InvariantBlockBackwardIterator::Block() const
     {
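Review bot: `UpdatePredBlockBV()` uses `blockBV.IsEmpty()` to mean "first block, accept unconditionally", but if the first accepted block has an empty predecessor list the bit-vector stays empty and the next block in layout order is accepted unconditionally as well, which is the behaviour the change is meant to remove. Seed `blockBV` with the starting block's number in the constructor, or keep a separate `seeded` flag, rather than overloading emptiness. The comment `// Track blocks we've visited` is also inaccurate: the bit-vector records predecessors of yielded blocks, not the blocks visited.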
    
  • lib/Backend/GlobOpt.h (+4 −1, modified)
    @@ -364,13 +364,16 @@ class InvariantBlockBackwardIterator
         const ValueNumber invariantSymValueNumber;
         BasicBlock *block;
         Value *invariantSymValue;
    +    BVSparse<JitArenaAllocator> blockBV;
    +    bool followFlow;
     
     #if DBG
         BasicBlock *const inclusiveEndBlock;
     #endif
     
    +    bool UpdatePredBlockBV();
     public:
    -    InvariantBlockBackwardIterator(GlobOpt *const globOpt, BasicBlock *const exclusiveBeginBlock, BasicBlock *const inclusiveEndBlock, StackSym *const invariantSym, const ValueNumber invariantSymValueNumber = InvalidValueNumber);
    +    InvariantBlockBackwardIterator(GlobOpt *const globOpt, BasicBlock *const exclusiveBeginBlock, BasicBlock *const inclusiveEndBlock, StackSym *const invariantSym, const ValueNumber invariantSymValueNumber = InvalidValueNumber, bool followFlow = false);
     
     public:
         bool IsValid() const;
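Review bot: `bool UpdatePredBlockBV();` is declared right after the `#endif` with no access specifier, so it lands in the private section, which is correct, but a blank line and a one-line comment tying it to `blockBV` and `followFlow` would make that visible. The constructor now has six parameters with two defaults; please document what `followFlow = false` preserves (the pre-fix layout-order walk) so callers know they must opt in to the flow-following behaviour.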
    

Vulnerability mechanics

Generated on May 9, 2026. Inputs: CWE entries + fix-commit diffs from this CVE's patches. Citations validated against bundle.

References: 10

News mentions: 0

No linked articles in our index yet.