CVE-2018-8145
Description
An information disclosure vulnerability exists when Chakra improperly discloses the contents of its memory, which could provide an attacker with information to further compromise the user's computer or data, aka "Chakra Scripting Engine Memory Corruption Vulnerability." This affects ChakraCore, Internet Explorer 11, Microsoft Edge, Internet Explorer 10. This CVE ID is unique from CVE-2018-0943, CVE-2018-8130, CVE-2018-8133, CVE-2018-8177.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
Chakra scripting engine memory corruption allows remote attackers to read sensitive memory in Edge/IE and ChakraCore via crafted content.
Vulnerability
CVE-2018-8145 is an information disclosure vulnerability in the Chakra scripting engine that affects ChakraCore, Internet Explorer 10, Internet Explorer 11, and Microsoft Edge [2]. The bug occurs when Chakra improperly discloses the contents of its memory, falling under the category of 'Chakra Scripting Engine Memory Corruption Vulnerability' [2]. Affected versions include those present in various Windows 10 releases and older Windows versions as listed in the security advisory [1].
Exploitation
An attacker can exploit this vulnerability by hosting a specially crafted website (or by taking control of a legitimate website that accepts user-provided content) and convincing a user to visit that website [1][3]. No special authentication or network position is required beyond standard web browsing. The attacker does not need to be on the same network segment; the attack is fully remote via a web browser [1]. The crafted content triggers an object memory handling error in the Chakra scripting engine, which then allows the attacker to access potentially sensitive memory contents [3].
Impact
Successful exploitation results in information disclosure: the attacker can read arbitrary memory contents on the target system [2][3]. This leaked information could provide the attacker with further knowledge to compromise the user's computer or data, potentially escalating the attack [2]. The scope is limited to disclosure of memory contents; it does not directly allow code execution, but it can aid subsequent attacks.
Mitigation
Microsoft released security updates for the affected products on May 8, 2018, as part of their monthly Patch Tuesday [1][3]. Users should apply the latest updates for Internet Explorer, Microsoft Edge, and ChakraCore (version 1.11 and later) promptly. ChakraCore 1.11 received security updates until March 9, 2021; after that date, it is End-of-Life and no longer supported [4]. No workaround is available if patches cannot be applied; upgrading to a supported version is the only mitigation.
- [1] Microsoft ChakraCore Scripting Engine CVE-2018-8145 Remote Memory Corruption Vulnerability
- [2] NVD - CVE-2018-8145
- [3] Microsoft Edge Multiple Bugs Let Remote Users Execute Arbitrary Code, Obtain Potentially Sensitive Information, and Bypass Security Restrictions on the Target System
- [4] GitHub - chakra-core/ChakraCore: ChakraCore is an open source Javascript engine with a C API.
AI Insight generated on May 22, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
Affected packages
Versions sourced from the GitHub Security Advisory.
| Package | Affected versions | Patched versions |
|---|---|---|
| Microsoft.ChakraCore (NuGet) | < 1.8.4 | 1.8.4 |
Affected products
- Range: ChakraCore
- (no CPE) Range: Windows Server 2012
- (no CPE) Range: Windows 10 for 32-bit Systems
Patches
No patches discovered yet.
References
- www.exploit-db.com/exploits/45011/ (mitre: exploit, x_refsource_EXPLOIT-DB)
- github.com/advisories/GHSA-xphq-3x6q-q2qq (ghsa: ADVISORY)
- nvd.nist.gov/vuln/detail/CVE-2018-8145 (ghsa: ADVISORY)
- www.securityfocus.com/bid/103986 (mitre: vdb-entry, x_refsource_BID)
- www.securitytracker.com/id/1040844 (mitre: vdb-entry, x_refsource_SECTRACK)
- portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2018-8145 (ghsa: x_refsource_CONFIRM, WEB)
- web.archive.org/web/20210124164314/http://www.securityfocus.com/bid/103986 (ghsa: WEB)
- web.archive.org/web/20211204185256/http://www.securitytracker.com/id/1040844 (ghsa: WEB)
- www.exploit-db.com/exploits/45011 (ghsa: WEB)