CVE-2018-8227
Description
Chakra scripting engine memory corruption in Microsoft Edge allows remote code execution via a crafted website.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
Vulnerability
A remote code execution vulnerability exists in the Chakra scripting engine used by Microsoft Edge and ChakraCore, identified as CVE-2018-8227. The bug is a memory corruption issue that occurs when the engine improperly handles objects in memory [1][2]. Affected versions include Microsoft Edge on all supported Windows 10 editions and ChakraCore prior to the June 2018 security update [2][3]. The vulnerability is distinct from CVE-2018-8229 [1].
Exploitation
An attacker can exploit this vulnerability by hosting a specially crafted website that, when visited by a user using an affected browser, triggers the memory corruption in the Chakra engine. No additional authentication or user interaction beyond browsing to the malicious site is required [4]. The attacker must persuade the user to navigate to the crafted content, typically through a link or by embedding the content in an ad or iframe.
Impact
Successful exploitation allows the attacker to execute arbitrary code in the context of the current user. If the user has administrative privileges, the attacker could gain full control of the system, install programs, view, change, or delete data, or create new accounts [4]. The impact is confined to the user's system and data, affecting their confidentiality, integrity, and availability.
Mitigation
Microsoft released a security update in June 2018 as part of Patch Tuesday, which addresses this vulnerability in Microsoft Edge by correcting how the Chakra scripting engine handles objects in memory [2][4]. Users should apply the update for their Windows 10 version. For ChakraCore, the fix is included in updates to the library; users should upgrade to the latest supported version. As of 2021, ChakraCore is in community maintenance mode, and no further security updates are planned [3].
- [1] NVD - CVE-2018-8227
- [2] Microsoft Chakra Scripting Engine CVE-2018-8227 Remote Memory Corruption Vulnerability
- [3] GitHub - chakra-core/ChakraCore: ChakraCore is an open source Javascript engine with a C API.
- [4] Microsoft Edge Multiple Bugs Let Remote Users Execute Arbitrary Code, Obtain Potentially Sensitive Information, and Bypass Security Restrictions on the Target System
AI Insight generated on May 22, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
Affected packages
Versions sourced from the GitHub Security Advisory.
| Package | Affected versions | Patched versions |
|---|---|---|
| Microsoft.ChakraCore (NuGet) | < 1.8.5 | 1.8.5 |
Affected products
- Range: ChakraCore
Patches
8af718902bfd: [CVE-2018-8227] Edge - Bad input to JIT process causes OOB write - Internal
1 file changed · +1 −1
lib/Backend/Func.cpp+1 −1 modified@@ -262,7 +262,7 @@ Func::Func(JitArenaAllocator *alloc, JITTimeWorkItem * workItem, ObjTypeSpecFldInfo * info = GetWorkItem()->GetJITTimeInfo()->GetObjTypeSpecFldInfo(i); if (info != nullptr) { - Assert(info->GetObjTypeSpecFldId() < GetTopFunc()->GetWorkItem()->GetJITTimeInfo()->GetGlobalObjTypeSpecFldInfoCount()); + AssertOrFailFast(info->GetObjTypeSpecFldId() < GetTopFunc()->GetWorkItem()->GetJITTimeInfo()->GetGlobalObjTypeSpecFldInfoCount()); GetTopFunc()->m_globalObjTypeSpecFldInfoArray[info->GetObjTypeSpecFldId()] = info; } }
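Review bot: in `Func::Func`, the `AssertOrFailFast` on `info->GetObjTypeSpecFldId()` is the only guard before the write to `m_globalObjTypeSpecFldInfoArray[info->GetObjTypeSpecFldId()]` on the following line, and nothing in the hunk says why this check has to stay active in release builds, where a plain `Assert` is compiled out. Add a short comment noting that the id comes from the JIT work item data and is not trusted, so a later cleanup does not downgrade the check again. The context line reads `GetObjTypeSpecFldInfo(i)` from the same `GetJITTimeInfo()` data, so it is worth confirming that other indices derived from that data are validated the same way. The change touches one file and carries no regression test for an out-of-range id.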
Vulnerability mechanics
Generated on May 9, 2026. Inputs: CWE entries + fix-commit diffs from this CVE's patches. Citations validated against bundle.
References
- github.com/advisories/GHSA-gqh4-4r89-pr95 (ghsa; ADVISORY)
- nvd.nist.gov/vuln/detail/CVE-2018-8227 (ghsa; ADVISORY)
- www.securityfocus.com/bid/104368 (mitre; vdb-entry, x_refsource_BID)
- www.securitytracker.com/id/1041097 (mitre; vdb-entry, x_refsource_SECTRACK)
- github.com/chakra-core/ChakraCore/commit/8af718902bfdc23bdce67d013eb25bd73773e306 (ghsa; WEB)
- portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2018-8227 (ghsa; x_refsource_CONFIRM, WEB)
- web.archive.org/web/20210124174712/http://www.securityfocus.com/bid/104368 (ghsa; WEB)
- web.archive.org/web/20210927135934/http://www.securitytracker.com/id/1041097 (ghsa; WEB)