VYPR
High severity · NVD Advisory · Published May 9, 2018 · Updated Aug 5, 2024

CVE-2018-8139

Description

A memory corruption vulnerability in ChakraCore and Microsoft Edge allows remote code execution via specially crafted web content.

AI Insight

LLM-synthesized narrative grounded in this CVE's description and references.

Vulnerability

A remote code execution vulnerability exists in the way the Chakra scripting engine handles objects in memory in Microsoft Edge. Identified as CVE-2018-8139, this scripting engine memory corruption vulnerability affects Microsoft Edge and ChakraCore [1]. The engine improperly handles objects in memory, and the resulting memory corruption can be exploited. Affected versions include unspecified builds of Microsoft Edge on Windows 10 and ChakraCore before the patch released on May 8, 2018 [2][3].

Exploitation

An attacker can exploit this vulnerability by hosting a specially crafted website (or by leveraging a compromised website that accepts user-provided content) and convincing a user to visit that website in Microsoft Edge. No authentication or special privileges are required; the attacker only needs to get the target user to load the malicious content. The vulnerability is triggered when the scripting engine processes the specially crafted objects in memory, leading to corruption [1][3].

Impact

Successful exploitation allows the attacker to execute arbitrary code in the context of the current user. If the user is logged on with administrative user rights, the attacker could take control of the affected system, install programs, view, change, or delete data, and create new accounts with full user rights. Impact is limited to the privileges of the targeted user [1][3].

Mitigation

Microsoft released a security update as part of the May 2018 Patch Tuesday, addressing this vulnerability in Microsoft Edge and ChakraCore. Users should apply the update provided in Microsoft Security Bulletin MS18-XXX (specific bulletin not cited in references) [2][3]. The fix is included in ChakraCore version updates after May 8, 2018. ChakraCore 1.11 received security updates until March 9, 2021; the project is now community-maintained [4]. No workarounds are documented; applying the official patch is the recommended mitigation.

AI Insight generated on May 22, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.

Affected packages

Versions sourced from the GitHub Security Advisory.

Package | Affected versions | Patched versions
Microsoft.ChakraCore (NuGet) | < 1.8.4 | 1.8.4
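
The version boundary in the table above can be checked against a code base's own NuGet references. The script below is an added example, not part of the advisory or the ChakraCore project; the sample project files are constructed, and version ranges or floating versions are reported as unknown rather than guessed.

```python
import re
import xml.etree.ElementTree as ET

PACKAGE = "Microsoft.ChakraCore"  # package id from the advisory table
PATCHED = (1, 8, 4, 0)            # first patched version (1.8.4) from the same table

def is_affected(version):
    """True/False for a concrete version; None for ranges or floating versions."""
    m = re.fullmatch(r"(\d+(?:\.\d+){0,3})(-[0-9A-Za-z.-]+)?(\+.*)?", version.strip())
    if not m:
        return None
    nums = tuple(int(p) for p in m.group(1).split("."))
    nums += (0,) * (4 - len(nums))
    # A pre-release of 1.8.4 sorts before the 1.8.4 release, so it counts as affected.
    return nums < PATCHED or (nums == PATCHED and m.group(2) is not None)

def local(tag):
    """Element name without an MSBuild XML namespace prefix."""
    return tag.rsplit("}", 1)[-1]

def find_references(xml_text):
    """Yield the version string of every reference to PACKAGE in a project file."""
    for el in ET.fromstring(xml_text).iter():
        if local(el.tag) == "package":               # packages.config
            name, version = el.get("id", ""), el.get("version")
        elif local(el.tag) == "PackageReference":    # SDK-style .csproj
            name = el.get("Include", "")
            child = next((c for c in el if local(c.tag) == "Version"), None)
            version = el.get("Version") or (child.text if child is not None else None)
        else:
            continue
        if name.lower() == PACKAGE.lower():          # NuGet ids are case-insensitive
            yield (version or "").strip()

def audit(xml_text):
    """Return [(version, 'affected' | 'patched' | 'unknown'), ...] for one file."""
    label = {True: "affected", False: "patched", None: "unknown"}
    return [(v, label[is_affected(v)]) for v in find_references(xml_text)]

# Constructed sample inputs, not taken from any real project.
SAMPLE_PACKAGES_CONFIG = """<packages>
  <package id="Microsoft.ChakraCore" version="1.8.3" targetFramework="net461" />
</packages>"""
SAMPLE_CSPROJ = """<Project Sdk="Microsoft.NET.Sdk"><ItemGroup>
  <PackageReference Include="microsoft.chakracore" Version="1.8.4" />
  <PackageReference Include="Microsoft.ChakraCore"><Version>1.8.*</Version></PackageReference>
</ItemGroup></Project>"""

if __name__ == "__main__":
    for sample in (SAMPLE_PACKAGES_CONFIG, SAMPLE_CSPROJ):
        print(audit(sample))
```

An "unknown" result means the reference has to be resolved from the restore output or lock file before it can be judged.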

Patches

ee5dfabc5172

[CVE-2018-8139] Edge - Chakra type confusion in boundfunction handling - Internal

https://github.com/chakra-core/ChakraCore · Jimmy Thomson · Apr 11, 2018 · via ghsa
1 file changed · +9 -2
  • lib/Runtime/Library/BoundFunction.cpp · +9 -2 · modified
    @@ -155,12 +155,12 @@ namespace Js
                 // OACR thinks that this can change between here and the check in the for loop below
                 const unsigned int argCount = args.Info.Count;
     
    -            if ((boundFunction->count + argCount) > CallInfo::kMaxCountArgs)
    +            if ((boundFunction->count + args.GetArgCountWithExtraArgs()) > CallInfo::kMaxCountArgs)
                 {
                     JavascriptError::ThrowRangeError(scriptContext, JSERR_ArgListTooLarge);
                 }
     
    -            Field(Var) *newValues = RecyclerNewArray(scriptContext->GetRecycler(), Field(Var), boundFunction->count + argCount);
    +            Field(Var) *newValues = RecyclerNewArray(scriptContext->GetRecycler(), Field(Var), boundFunction->count + args.GetArgCountWithExtraArgs());
     
                 uint index = 0;
     
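Review bot: The sum `boundFunction->count + args.GetArgCountWithExtraArgs()` is now written out twice, once in the `kMaxCountArgs` check and once as the `RecyclerNewArray` size, so the bound that is checked and the size that is allocated can drift apart in a later edit. The comment at the top of the hunk says `args.Info.Count` is cached in `argCount` because analysis assumes it can change before the loop; the same reasoning applies to the new call. Compute the total once into a `const` local next to `argCount` and use that local in both places.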
    @@ -188,8 +188,15 @@ namespace Js
                     newValues[index++] = args[i];
                 }
     
    +            if (args.HasExtraArg())
    +            {
    +                newValues[index++] = args.Values[argCount];
    +            }
    +
                 actualArgs = Arguments(args.Info, unsafe_write_barrier_cast<Var*>(newValues));
                 actualArgs.Info.Count = boundFunction->count + argCount;
    +
    +            Assert(index == actualArgs.GetArgCountWithExtraArgs());
             }
             else
             {
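Review bot: The read of `args.Values[argCount]` in the new `HasExtraArg()` block indexes one slot past the counted arguments, and nothing in the hunk says why that slot is valid; add a comment stating that the extra argument is stored immediately after the `Count` regular arguments. The new `Assert(index == actualArgs.GetArgCountWithExtraArgs())` also depends on `actualArgs` taking its extra-argument state from `args.Info` while `Info.Count` is overwritten on the line before it, which deserves a short note as well. The commit touches only this one file, so a regression test that calls a bound function on a path carrying an extra argument should accompany the fix.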
    

Vulnerability mechanics

Generated on May 9, 2026. Inputs: CWE entries + fix-commit diffs from this CVE's patches. Citations validated against bundle.
