CVE-2018-0994
Description
A remote code execution vulnerability in Microsoft Edge's Chakra scripting engine due to memory corruption when handling objects in memory.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
Vulnerability
A remote code execution vulnerability exists in the Chakra scripting engine used in Microsoft Edge and ChakraCore due to improper handling of objects in memory, leading to memory corruption [1]. Affected versions include all Microsoft Edge releases on Windows 10 (32-bit, x64, ARM) and Windows Server 2016 prior to the security update on April 10, 2018 [2]. ChakraCore versions before 1.11 are also vulnerable.
Exploitation
An attacker can exploit this vulnerability by hosting a specially crafted website (or leveraging a compromised site that accepts user content) and convincing a user to view it in Microsoft Edge [4]. No authentication or user interaction beyond visiting the page is required. The crafted content triggers the memory corruption in the Chakra engine [2].
Impact
Successful exploitation allows the attacker to execute arbitrary code in the context of the current user. If the user has administrative privileges, the attacker can take control of the system, install programs, view/change/delete data, or create new accounts with full user rights [1].
Mitigation
Microsoft released a security update on April 10, 2018 (Patch Tuesday) that addresses this vulnerability; users should apply the update via Windows Update or obtain the standalone update from the Microsoft Security Response Center [4]. ChakraCore users should upgrade to version 1.11 or later [3]. No workaround is available other than applying the patch.
- [1] NVD - CVE-2018-0994
- [2] Microsoft ChakraCore Scripting Engine CVE-2018-0994 Remote Memory Corruption Vulnerability
- [3] GitHub - chakra-core/ChakraCore: ChakraCore is an open source Javascript engine with a C API.
- [4] Microsoft Edge Multiple Object Memory Handling Errors Let Remote Users Execute Arbitrary Code and Obtain Potentially Sensitive Information
AI Insight generated on May 22, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
Affected packages
Versions sourced from the GitHub Security Advisory.
| Package | Affected versions | Patched versions |
|---|---|---|
| Microsoft.ChakraCoreNuGet | < 1.8.3 | 1.8.3 |
Affected products
- Range: ChakraCore
Patches
0578ca55215d [CVE-2018-0994] Edge - Submit a use after free bug to Edge - 360Vulcan
2 files changed · +11 −2
lib/Runtime/Library/JavascriptArray.cpp+9 −0 modified@@ -2090,6 +2090,13 @@ namespace Js // Code below has potential to throw due to OOM or SO. Just FailFast on those cases AutoDisableInterrupt failFastError(scriptContext->GetThreadContext()); +#if defined(TARGET_32) + if (fArray->head && (fArray->head->size >= SparseArraySegmentBase::INLINE_CHUNK_SIZE / shrinkFactor)) + { + CopyHeadIfInlinedHeadSegment<double>(fArray, recycler); + } +#endif + for (seg = fArray->head; seg; seg = nextSeg) { nextSeg = seg->next; @@ -5320,6 +5327,8 @@ namespace Js AnalysisAssert(array->head); SparseArraySegment<T>* newHeadSeg = array->ReallocNonLeafSegment((SparseArraySegment<T>*)PointerValue(array->head), array->head->next); array->head = newHeadSeg; + array->InvalidateLastUsedSegment(); + array->ClearSegmentMap(); } }
lib/Runtime/Library/JavascriptArray.h+2 −2 modified@@ -549,6 +549,8 @@ namespace Js void SetHeadAndLastUsedSegment(SparseArraySegmentBase * segment); void SetLastUsedSegment(SparseArraySegmentBase * segment); bool HasSegmentMap() const; + template<typename T> + static void CopyHeadIfInlinedHeadSegment(JavascriptArray *array, Recycler *recycler); private: void SetSegmentMap(SegmentBTreeRoot * segmentMap); @@ -584,8 +586,6 @@ namespace Js virtual int32 HeadSegmentIndexOfHelper(Var search, uint32 &fromIndex, uint32 toIndex, bool includesAlgorithm, ScriptContext * scriptContext); - template<typename T> - static void CopyHeadIfInlinedHeadSegment(JavascriptArray *array, Recycler *recycler); template<typename T> static void ReallocateNonLeafLastSegmentIfLeaf(JavascriptArray * arr, Recycler * recycler);
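Review bot: in the first JavascriptArray.cpp hunk (@@ -2090), the new `#if defined(TARGET_32)` block copies an inlined head segment out before the loop below walks `fArray->head`, but nothing says why the copy is needed only on 32-bit targets or why the threshold is `INLINE_CHUNK_SIZE / shrinkFactor`; add a comment at the call site giving the 32-bit-only rationale and noting that `shrinkFactor` must be non-zero here, so a later change does not drop the guard or alter the divisor. Since `CopyHeadIfInlinedHeadSegment` takes `recycler`, any allocation it performs now happens inside the `AutoDisableInterrupt failFastError` scope set up on the preceding line, so an OOM there fails fast rather than throwing; that matches the comment above the scope and is worth stating explicitly.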
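Review bot: in the second JavascriptArray.cpp hunk (@@ -5320), the two calls added after `array->head = newHeadSeg;` are the actual fix: without `array->InvalidateLastUsedSegment();` and `array->ClearSegmentMap();` the cached last-used segment and the segment map can still point at the head segment that `ReallocNonLeafSegment` just replaced, which is the use after free named in the commit title. The header hunk shows the class already exposes `SetHeadAndLastUsedSegment(SparseArraySegmentBase * segment)`; consider routing this assignment through that setter (plus the map clear), or folding both invalidations into one helper used wherever `array->head` is reassigned after a reallocation, so other call sites cannot forget the same two lines.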
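Review bot: in the JavascriptArray.h hunk (@@ -549), moving `CopyHeadIfInlinedHeadSegment` above `private:` makes it part of the public interface, presumably because the new caller in the first .cpp hunk passes `fArray` in explicitly rather than calling it as a member; if that is the only reason, add a comment on the declaration saying so (or expose it to that caller via `friend` instead of making the recycler-facing helper public). The declaration should also state that the function may replace `array->head`, so callers should treat the previous head pointer as invalid afterwards.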
Vulnerability mechanics
Generated on May 9, 2026. Inputs: CWE entries + fix-commit diffs from this CVE's patches. Citations validated against bundle.
References
- github.com/advisories/GHSA-g549-jfg6-98ch (GHSA, advisory)
- nvd.nist.gov/vuln/detail/CVE-2018-0994 (GHSA, advisory)
- www.securityfocus.com/bid/103630 (MITRE, vdb-entry, x_refsource_BID)
- www.securitytracker.com/id/1040650 (MITRE, vdb-entry, x_refsource_SECTRACK)
- github.com/chakra-core/ChakraCore/commit/0578ca55215d2eda74280e17c4b9bcc3c38dfd6a (GHSA, web)
- portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2018-0994 (GHSA, x_refsource_CONFIRM, web)
- web.archive.org/web/20210124154718/http://www.securityfocus.com/bid/103630 (GHSA, web)
- web.archive.org/web/20211207123630/http://www.securitytracker.com/id/1040650 (GHSA, web)