High severity · NVD Advisory · Published May 9, 2018 · Updated Aug 5, 2024

CVE-2018-8137

Description

A memory corruption vulnerability in ChakraCore and Microsoft Edge allows remote code execution when a user visits a crafted web page.

AI Insight

LLM-synthesized narrative grounded in this CVE's description and references.

Vulnerability

CVE-2018-8137 is a remote code execution vulnerability in the way the Chakra scripting engine handles objects in memory. The bug affects Microsoft Edge and ChakraCore. Microsoft confirmed the vulnerability and listed it among other scripting engine memory corruption issues (see [1], [2], [3]). The vulnerable versions include all Microsoft Edge versions running on Windows 10 and earlier Windows versions as detailed in the SecurityFocus advisory [2]. ChakraCore versions prior to the fix are also affected.

Exploitation

An attacker must host a specially crafted web page that triggers the memory corruption when loaded in Microsoft Edge. The attacker would need to convince a user to visit the malicious page, typically via a link in an email or instant message, or by compromising a legitimate site. No additional authentication or privileges are required beyond normal browser access. The exploitation relies on the user opening the crafted content [1], [3].

Impact

Successful exploitation allows the attacker to execute arbitrary code in the context of the current user. If the user has administrative rights, the attacker could gain full control of the system, install programs, view, change, or delete data, or create new accounts with full user rights. The impact is complete compromise of confidentiality, integrity, and availability [1], [2], [3].

Mitigation

Microsoft released a security update in May 2018 to address this vulnerability as part of the monthly Patch Tuesday. The fix is included in the cumulative update for Microsoft Edge and in the updated ChakraCore package. Users should apply the latest updates via Windows Update or the Microsoft Update Catalog [1], [3]. ChakraCore 1.11 received security updates until March 2021, and users of later community versions should consult the ChakraCore project for fixes [4].

AI Insight generated on May 22, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.

Affected packages

Versions sourced from the GitHub Security Advisory.

Package | Affected versions | Patched versions
Microsoft.ChakraCore (NuGet) | < 1.8.4 | 1.8.4

Affected products

3

Patches

1
6e362fe94bc4

[CVE-2018-8137] Edge - chakra JIT array out of bound read/write vulnerability lead to Remote Code Execution

https://github.com/chakra-core/ChakraCore · Matt Gardner · Apr 18, 2018 · via ghsa
3 files changed · +29 -20
  • lib/Backend/GlobOpt.cpp +4 -20 modified
    @@ -6482,6 +6482,8 @@ GlobOpt::OptConstPeep(IR::Instr *instr, IR::Opnd *constSrc, Value **pDstVal, Val
     
         instr->m_opcode = Js::OpCode::Ld_A;
     
    +    InvalidateInductionVariables(instr);
    +
         return true;
     }
     
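Review bot: The new `InvalidateInductionVariables(instr)` call in `OptConstPeep`, placed right after the opcode is rewritten to `Js::OpCode::Ld_A`, carries no comment saying why a const-peep has to invalidate induction variables, and unlike the other two call sites this path had no such handling before. The helper only `Assert`s that `instr->GetDst()` is a non-null `RegOpnd`, and nothing in the visible context of this function establishes that. Please add a one-line comment here and either check the destination before the call or state where that guarantee comes from.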
    @@ -7088,16 +7090,7 @@ GlobOpt::OptConstFoldUnary(
             }
         }
     
    -    // If this is an induction variable, then treat it the way the prepass would have if it had seen
    -    // the assignment and the resulting change to the value number, and mark it as indeterminate.
    -    for (Loop * loop = this->currentBlock->loop; loop; loop = loop->parent)
    -    {
    -        InductionVariable *iv = nullptr;
    -        if (loop->inductionVariables && loop->inductionVariables->TryGetReference(dstSym->m_id, &iv))
    -        {
    -            iv->SetChangeIsIndeterminate();
    -        }
    -    }
    +    InvalidateInductionVariables(instr);
     
         return true;
     }
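Review bot: Replacing the inline loop in `OptConstFoldUnary` with the helper is not a pure refactor: the removed code looked up `dstSym->m_id` using the function's local `dstSym`, while `InvalidateInductionVariables` re-reads the destination from `instr` and switches to `GetVarEquivSym` when the sym is not a var. Because the lookup key can now differ from what this call site used before, a regression test with a loop whose induction variable is constant-folded through a unary operation, plus a short comment at the call site, would make the intended change reviewable.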
    @@ -12422,16 +12415,7 @@ GlobOpt::OptConstFoldBinary(
             this->ToInt32Dst(instr, dst->AsRegOpnd(), this->currentBlock);
         }
     
    -    // If this is an induction variable, then treat it the way the prepass would have if it had seen
    -    // the assignment and the resulting change to the value number, and mark it as indeterminate.
    -    for (Loop * loop = this->currentBlock->loop; loop; loop = loop->parent)
    -    {
    -        InductionVariable *iv = nullptr;
    -        if (loop->inductionVariables && loop->inductionVariables->TryGetReference(dstSym->m_id, &iv))
    -        {
    -            iv->SetChangeIsIndeterminate();
    -        }
    -    }
    +    InvalidateInductionVariables(instr);
     
         return true;
     }
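Review bot: In `OptConstFoldBinary` the helper call sits after the `this->ToInt32Dst(instr, dst->AsRegOpnd(), this->currentBlock);` branch, so if that call changes the destination's sym, correctness here depends entirely on the `IsVar()` / `GetVarEquivSym` mapping inside the helper. The explanatory comment was deleted along with the loop; keep a one-line comment at this call site saying that the invalidation must run after the destination is finalized, so a later reordering does not silently reintroduce the stale induction-variable state.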
    
  • lib/Backend/GlobOpt.h +1 -0 modified
    @@ -685,6 +685,7 @@ class GlobOpt
         void                    DetectUnknownChangesToInductionVariables(GlobOptBlockData *const blockData);
         void                    SetInductionVariableValueNumbers(GlobOptBlockData *const blockData);
         void                    FinalizeInductionVariables(Loop *const loop, GlobOptBlockData *const headerData);
    +    void                    InvalidateInductionVariables(IR::Instr * instr);
         enum class SymBoundType {OFFSET, VALUE, UNKNOWN};
         SymBoundType DetermineSymBoundOffsetOrValueRelativeToLandingPad(StackSym *const sym, const bool landingPadValueIsLowerBound, ValueInfo *const valueInfo, const IntBounds *const bounds, GlobOptBlockData *const landingPadGlobOptBlockData, int *const boundOffsetOrValueRef);
     
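Review bot: The new declaration `InvalidateInductionVariables(IR::Instr * instr)` departs from the `*const` parameter style of the neighbouring declarations (`GlobOptBlockData *const blockData`, `Loop *const loop`); consider `IR::Instr *const instr` for consistency. A short comment stating the precondition that the definition asserts (the instruction has a non-null `RegOpnd` destination) would also help future callers.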
    
  • lib/Backend/GlobOptIntBounds.cpp +24 -0 modified
    @@ -1262,6 +1262,30 @@ void GlobOpt::FinalizeInductionVariables(Loop *const loop, GlobOptBlockData *con
         }
     }
     
    +void
    +GlobOpt::InvalidateInductionVariables(IR::Instr * instr)
    +{
    +    Assert(instr->GetDst() != nullptr && instr->GetDst()->IsRegOpnd());
    +
    +    // Induction variables are always var syms.
    +    StackSym * dstSym = instr->GetDst()->AsRegOpnd()->m_sym;
    +    if (!dstSym->IsVar())
    +    {
    +        dstSym = dstSym->GetVarEquivSym(this->func);
    +    }
    +
    +    // If this is an induction variable, then treat it the way the prepass would have if it had seen
    +    // the assignment and the resulting change to the value number, and mark it as indeterminate.
    +    for (Loop * loop = this->currentBlock->loop; loop; loop = loop->parent)
    +    {
    +        InductionVariable *iv = nullptr;
    +        if (loop->inductionVariables && loop->inductionVariables->TryGetReference(dstSym->m_id, &iv))
    +        {
    +            iv->SetChangeIsIndeterminate();
    +        }
    +    }
    +}
    +
     GlobOpt::SymBoundType GlobOpt::DetermineSymBoundOffsetOrValueRelativeToLandingPad(
         StackSym *const sym,
         const bool landingPadValueIsLowerBound,
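Review bot: In `InvalidateInductionVariables`, the result of `dstSym->GetVarEquivSym(this->func)` is dereferenced at `dstSym->m_id` with no check; add an `Assert(dstSym)` or an early return if it can come back null. The destination precondition is likewise enforced only through `Assert(instr->GetDst() != nullptr && instr->GetDst()->IsRegOpnd())`, so if that assertion is compiled out in release builds, the following `AsRegOpnd()` runs unchecked; an explicit `if` with an early return would be the safer choice in a helper that exists to close a memory-safety bug.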
    

Vulnerability mechanics

Generated on May 9, 2026. Inputs: CWE entries + fix-commit diffs from this CVE's patches. Citations validated against bundle.

References

8
