VYPR
High severity · NVD Advisory · Published May 9, 2018 · Updated Aug 5, 2024

CVE-2018-1022

Description

A memory corruption vulnerability in the Chakra scripting engine of Microsoft browsers allows remote code execution via a crafted website.

AI Insight

LLM-synthesized narrative grounded in this CVE's description and references.

Vulnerability

A remote code execution vulnerability exists in the way the Chakra scripting engine handles objects in memory in Microsoft browsers [1][2]. This affects ChakraCore, Internet Explorer 11, and Microsoft Edge [2]. The vulnerability is classified as a memory corruption issue (CWE-703: Failure to Handle Exceptional Conditions) [1]. Affected versions include Internet Explorer 11 on all supported Windows platforms and Microsoft Edge on Windows 10 [1]. This CVE ID is unique from CVE-2018-0945, CVE-2018-0946, CVE-2018-0951, CVE-2018-0953, CVE-2018-0954, CVE-2018-0955, CVE-2018-8114, CVE-2018-8122, CVE-2018-8128, CVE-2018-8137, and CVE-2018-8139 [2].

Exploitation

An attacker can exploit this vulnerability by hosting a specially crafted website designed to trigger the memory corruption in the Chakra scripting engine [3]. The attacker would then need to convince a user to view the website, typically through social engineering or by embedding a link to the content [3]. Successful exploitation requires the user to have a browser that uses the vulnerable scripting engine, such as Internet Explorer 11 or Microsoft Edge [1][2]. No authentication or other special privileges are needed for the attacker beyond hosting the malicious content [1].

Impact

If successfully exploited, this vulnerability allows an attacker to execute arbitrary code in the context of the current user [3]. The attacker could then install programs, view, change, or delete data, or create new accounts with full user rights [2][3]. The impact is at the user privilege level, meaning if the user has administrative rights, the attacker could gain complete control of the affected system [2]. The vulnerability can be triggered remotely without authentication but requires user interaction to visit a malicious webpage [1].

Mitigation

Microsoft released security updates to address this vulnerability as part of the May 2018 Patch Tuesday updates [1][3]. Users should apply the latest updates for Internet Explorer 11 and Microsoft Edge via Windows Update or by downloading the appropriate patches from the Microsoft Security Response Center [3]. ChakraCore users should update to a version that includes the fix; the ChakraCore project planned to continue security updates for version 1.11 until March 2021 [4]. No workarounds were provided by Microsoft beyond applying the patches [1][3]. This CVE is not listed on CISA's Known Exploited Vulnerabilities (KEV) catalog at the time of this writing.

AI Insight generated on May 22, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.

Affected packages

Versions sourced from the GitHub Security Advisory.

Package                      | Affected versions | Patched versions
Microsoft.ChakraCore (NuGet) | < 1.8.4           | 1.8.4
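The table above is the only machine-checkable fact on this page, so here is an added example (not part of the advisory or of the ChakraCore project) that turns it into an audit: it reads NuGet package references from either a packages.config file or an SDK-style .csproj and flags any Microsoft.ChakraCore reference below the patched 1.8.4 release. The two input files are constructed samples, and the version ordering is a simplification of NuGet's rules (numeric components compared left to right, a pre-release suffix ranking below its release); both are assumptions of this example.

```python
import xml.etree.ElementTree as ET

# Package id and patched version come from the advisory's "Affected packages" table.
PACKAGE_ID = "Microsoft.ChakraCore"
PATCHED_VERSION = "1.8.4"


def parse_version(version):
    """Turn a NuGet-style version string into a comparable tuple.

    Simplified NuGet ordering (an assumption of this example): numeric
    components are compared left to right and padded to four parts, and a
    pre-release suffix such as '1.8.4-preview' ranks below the release 1.8.4.
    """
    core, _, prerelease = version.partition("-")
    nums = tuple(int(p) for p in core.split(".") if p.isdigit())
    nums = nums + (0,) * (4 - len(nums))
    return (nums, 0 if prerelease else 1)


def is_vulnerable(version):
    """True when the referenced version predates the patched release."""
    return parse_version(version) < parse_version(PATCHED_VERSION)


def find_package_refs(xml_text):
    """Yield (package_id, version) pairs from a packages.config
    (<package id=... version=...>) or a .csproj (<PackageReference Include=... Version=...>).
    Namespaces are ignored so old-style namespaced project files also parse."""
    root = ET.fromstring(xml_text)
    for el in root.iter():
        tag = el.tag.split("}")[-1]
        if tag == "package":
            yield el.get("id"), el.get("version")
        elif tag == "PackageReference":
            version = el.get("Version")
            if version is None:
                # Version may also be given as a child element rather than an attribute.
                for child in el:
                    if child.tag.split("}")[-1] == "Version" and child.text:
                        version = child.text.strip()
            yield el.get("Include"), version


def audit(xml_text):
    """Return [(package_id, version)] for every ChakraCore reference still below 1.8.4."""
    findings = []
    for pkg, ver in find_package_refs(xml_text):
        if pkg and ver and pkg.lower() == PACKAGE_ID.lower() and is_vulnerable(ver):
            findings.append((pkg, ver))
    return findings


# Constructed sample inputs for this example; not taken from any real project.
SAMPLE_PACKAGES_CONFIG = """<packages>
  <package id="Microsoft.ChakraCore" version="1.8.3" targetFramework="net462" />
  <package id="Newtonsoft.Json" version="11.0.2" targetFramework="net462" />
</packages>
"""

SAMPLE_CSPROJ = """<Project Sdk="Microsoft.NET.Sdk">
  <ItemGroup>
    <PackageReference Include="Microsoft.ChakraCore" Version="1.8.4" />
  </ItemGroup>
</Project>
"""

if __name__ == "__main__":
    for name, text in (("packages.config", SAMPLE_PACKAGES_CONFIG), ("app.csproj", SAMPLE_CSPROJ)):
        hits = audit(text)
        status = "VULNERABLE " + str(hits) if hits else "ok"
        print(f"{name}: {status}")
```

Pointing `audit()` at every packages.config and .csproj in a source tree gives a quick inventory of projects still pinned below the patched NuGet release; browser-side exposure (Internet Explorer 11 and Edge) is handled by Windows Update rather than by this check.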

Affected products: 4

Patches: 1

Commit 28928cba2496

[CVE-2018-1022] Inline segment is passed to another array - Internal

Source: https://github.com/chakra-core/ChakraCore · Author: Akrosh Gandhi · May 1, 2018 · via ghsa
1 file changed · +11 −2
  • lib/Runtime/Library/JavascriptArray.inl (+11 −2, modified)
    @@ -155,6 +155,7 @@ namespace Js
                 DetermineInlineHeadSegmentPointer<T, InlinePropertySlots, false>(array);
             if(wasZeroAllocated)
             {
    +            AssertOrFailFast(size <= SparseArraySegmentBase::INLINE_CHUNK_SIZE);
                 if(length != 0)
                 {
                     head->length = length;
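Review bot: the new `AssertOrFailFast(size <= SparseArraySegmentBase::INLINE_CHUNK_SIZE);` sits inside the `if(wasZeroAllocated)` branch, so an oversized `size` reaching the other branch of this function would still pass unchecked; either hoist the fail-fast above the `if`, or add a one-line comment stating why only the zero-allocated path can be entered with a segment larger than the inline chunk limit.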
    @@ -238,6 +239,14 @@ namespace Js
                     DetermineAllocationSize<className, inlineSlots>(length, &allocationPlusSize, &alignedInlineElementSlots);
                 }
     
    +            // alignedInlineElementSlots is actually the 'size' of the segment. The size of the segment should not be greater than InlineHead segment limit, otherwise the inline
    +            // segment may not be interpreted as inline segment if the length extends to the size.
    +            // the size could increase because of allignment.
    +            // Update the size so that it does not exceed SparseArraySegmentBase::INLINE_CHUNK_SIZE.
    +
    +            uint inlineChunkSize = SparseArraySegmentBase::INLINE_CHUNK_SIZE;
    +            uint size = min(alignedInlineElementSlots, inlineChunkSize);
    +
                 array = RecyclerNewPlusZ(recycler, allocationPlusSize, className, length, arrayType);
     
                 // An new array's head segment length is initialized to zero despite the array length being nonzero because the segment
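Review bot: `uint size = min(alignedInlineElementSlots, inlineChunkSize);` clamps silently, while `allocationPlusSize`, computed just above by `DetermineAllocationSize` and passed to `RecyclerNewPlusZ`, is still derived from the unclamped `alignedInlineElementSlots`; add an `Assert(length <= size)` after the clamp so a `length` larger than the clamped size cannot reach the segment fill, and a short note that the surplus allocated bytes are intentionally left unused. The new comment also has a typo ("allignment" should be "alignment") and would read better as two sentences.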
    @@ -250,9 +259,9 @@ namespace Js
                 // a variable until it is fully initialized, there is no way for script code to use the array while it still has missing
                 // values.
                 SparseArraySegment<unitType> *head =
    -                InitArrayAndHeadSegment<className, inlineSlots>(array, length, alignedInlineElementSlots, true);
    +                InitArrayAndHeadSegment<className, inlineSlots>(array, length, size, true);
     
    -            head->FillSegmentBuffer(length, alignedInlineElementSlots);
    +            head->FillSegmentBuffer(length, size);
     
                 Assert(array->HasNoMissingValues());
                 return array;
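Review bot: passing `size` to both `InitArrayAndHeadSegment` and `head->FillSegmentBuffer` keeps the head segment's recorded size consistent with the clamped value, which is the right fix; since `allocationPlusSize` and `alignedInlineElementSlots` both remain in scope here, a more specific name than `size` (for example `inlineSegmentSize`) would make it clear at these two call sites that this is the clamped inline size and not the allocation size.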
    

Vulnerability mechanics

Generated on May 9, 2026. Inputs: CWE entries + fix-commit diffs from this CVE's patches. Citations validated against bundle.

References: 8

News mentions: 0