VYPR
← All advisories
High severityNVD Advisory· Published Aug 15, 2018· Updated Aug 5, 2024

CVE-2018-8266

CVE-2018-8266

Description

A memory corruption vulnerability in Microsoft Edge's Chakra scripting engine allows remote code execution via crafted web content.

AI Insight

LLM-synthesized narrative grounded in this CVE's description and references.

A memory corruption vulnerability in Microsoft Edge's Chakra scripting engine allows remote code execution via crafted web content.

Vulnerability

A remote code execution vulnerability exists in the Chakra scripting engine used by Microsoft Edge and ChakraCore. The flaw is a memory corruption issue that occurs when the engine improperly handles objects in memory, leading to a type confusion or similar condition. Affected versions include all supported releases of Microsoft Edge on Windows 10 and ChakraCore. This CVE (CVE-2018-8266) is distinct from CVE-2018-8380, CVE-2018-8381, and CVE-2018-8384 [1].

Exploitation

An attacker can exploit this vulnerability by crafting a malicious webpage containing JavaScript that triggers the memory corruption. The victim must visit this page using Microsoft Edge. No additional user interaction is required beyond navigation. The attacker does not need any special network position or authentication; the exploit can be delivered via a website, email link, or embedded content [2].

Impact

Successful exploitation allows an attacker to execute arbitrary code in the context of the current user. This could lead to full compromise of the affected system, including the ability to install programs, view, change, or delete data, or create new accounts. The attack achieves remote code execution with user-level privileges [1][2][4].

Mitigation

Microsoft released security updates on August 14, 2018, as part of the monthly Patch Tuesday. Users should apply the update for Microsoft Edge and ChakraCore immediately. The commit implementing the fix is available in the ChakraCore repository [3]. No workarounds are available; the only mitigation is to install the patch. The vulnerability is not listed in the KEV catalog as of now [4].

References
  1. NVD - CVE-2018-8266
  2. Microsoft Edge Chakra Scripting Engine CVE-2018-8266 Remote Memory Corruption Vulnerability
  3. [CVE-2018-8266] Edge - RCE bug in Microsoft Edge - Individual · chakra-core/ChakraCore@d52c72d
  4. Microsoft Edge Multiple Bugs Let Remote Users Execute Arbitrary Code, Obtain Potentially Sensitive Information, Gain Elevated Privileges, and Bypass Security Restrictions on the Target System

AI Insight generated on May 22, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.

Affected packages

Versions sourced from the GitHub Security Advisory.

PackageAffected versionsPatched versions
Microsoft.ChakraCoreNuGet
< 1.10.21.10.2

Affected products

3

Patches

1
d52c72d247cf

[CVE-2018-8266] Edge - RCE bug in Microsoft Edge - Individual

https://github.com/chakra-core/ChakraCorePaul LeathersJun 21, 2018via ghsa
commit
5 files changed · +54 8
  • lib/Backend/BackwardPass.cpp+5 0 modified
    @@ -2245,6 +2245,11 @@ BackwardPass::DeadStoreTypeCheckBailOut(IR::Instr * instr)
     IR::PropertySymOpnd *propertySymOpnd =
         (instr->GetDst() && instr->GetDst()->IsSymOpnd()) ? instr->GetDst()->AsPropertySymOpnd() : instr->GetSrc1()->AsPropertySymOpnd();
 
+    if (propertySymOpnd->TypeCheckRequired())
+    {
+        return;
+    }
+
     bool isTypeCheckProtected = false;
     IR::BailOutKind bailOutKind;
     if (GlobOpt::NeedsTypeCheckBailOut(instr, propertySymOpnd, propertySymOpnd == instr->GetDst(), &isTypeCheckProtected, &bailOutKind))
  • lib/Backend/GlobOptFields.cpp+28 3 modified
    @@ -788,17 +788,34 @@ GlobOpt::FinishOptPropOp(IR::Instr *instr, IR::PropertySymOpnd *opnd, BasicBlock
         {
             this->KillObjectHeaderInlinedTypeSyms(block, isObjTypeSpecialized, opndId);
         }
+        else if (!isObjTypeChecked && this->HasLiveObjectHeaderInlinedTypeSym(block, true, opndId))
+        {
+            opnd->SetTypeCheckRequired(true);
+        }
     }
 
     return isObjTypeSpecialized;
 }
 
 void
 GlobOpt::KillObjectHeaderInlinedTypeSyms(BasicBlock *block, bool isObjTypeSpecialized, SymID opndId)
+{
+    this->MapObjectHeaderInlinedTypeSymsUntil(block, isObjTypeSpecialized, opndId, [&](SymID symId)->bool  { this->currentBlock->globOptData.liveFields->Clear(symId); return false; });
+}
+
+bool
+GlobOpt::HasLiveObjectHeaderInlinedTypeSym(BasicBlock *block, bool isObjTypeSpecialized, SymID opndId)
+{
+    return this->MapObjectHeaderInlinedTypeSymsUntil(block, true, opndId, [&](SymID symId)->bool { return this->currentBlock->globOptData.liveFields->Test(symId); });
+}
+
+template<class Fn>
+bool
+GlobOpt::MapObjectHeaderInlinedTypeSymsUntil(BasicBlock *block, bool isObjTypeSpecialized, SymID opndId, Fn fn)
 {
     if (this->objectTypeSyms == nullptr)
     {
-        return;
+        return false;
     }
 
     FOREACH_BITSET_IN_SPARSEBV(symId, this->objectTypeSyms)
@@ -821,7 +838,10 @@ GlobOpt::KillObjectHeaderInlinedTypeSyms(BasicBlock *block, bool isObjTypeSpecia
                 {
                     if (type->GetTypeHandler()->IsObjectHeaderInlinedTypeHandler())
                     {
-                        this->currentBlock->globOptData.liveFields->Clear(symId);
+                        if (fn(symId))
+                        {
+                            return true;
+                        }
                     }
                 }
             }
@@ -835,7 +855,10 @@ GlobOpt::KillObjectHeaderInlinedTypeSyms(BasicBlock *block, bool isObjTypeSpecia
                     {
                         if (type->GetTypeHandler()->IsObjectHeaderInlinedTypeHandler())
                         {
-                            this->currentBlock->globOptData.liveFields->Clear(symId);
+                            if (fn(symId))
+                            {
+                                return true;
+                            }
                             break;
                         }
                     }
@@ -844,6 +867,8 @@ GlobOpt::KillObjectHeaderInlinedTypeSyms(BasicBlock *block, bool isObjTypeSpecia
         }
     }
     NEXT_BITSET_IN_SPARSEBV;
+
+    return false;
 }
 
 bool
  • lib/Backend/GlobOpt.h+3 0 modified
    @@ -938,6 +938,9 @@ class GlobOpt
     template<bool makeChanges>
     bool                    ProcessPropOpInTypeCheckSeq(IR::Instr* instr, IR::PropertySymOpnd *opnd, BasicBlock* block, bool updateExistingValue, bool* emitsTypeCheckOut = nullptr, bool* changesTypeValueOut = nullptr, bool *isObjTypeChecked = nullptr);
     void                    KillObjectHeaderInlinedTypeSyms(BasicBlock *block, bool isObjTypeSpecialized, SymID symId = SymID_Invalid);
+    bool                    HasLiveObjectHeaderInlinedTypeSym(BasicBlock *block, bool isObjTypeSpecialized, SymID symId = SymID_Invalid);
+    template<class Fn>
+    bool                    MapObjectHeaderInlinedTypeSymsUntil(BasicBlock *block, bool isObjTypeSpecialized, SymID opndId, Fn fn);
     void                    ValueNumberObjectType(IR::Opnd *dstOpnd, IR::Instr *instr);
     void                    SetSingleTypeOnObjectTypeValue(Value* value, const JITTypeHolder type);
     void                    SetTypeSetOnObjectTypeValue(Value* value, Js::EquivalentTypeSet* typeSet);
  • lib/Backend/Lower.cpp+6 5 modified
    @@ -7380,7 +7380,7 @@ Lowerer::GenerateStFldWithCachedType(IR::Instr *instrStFld, bool* continueAsHelp
 
     if (hasTypeCheckBailout)
     {
-        AssertMsg(PHASE_ON1(Js::ObjTypeSpecIsolatedFldOpsWithBailOutPhase) || !propertySymOpnd->IsTypeDead(),
+        AssertMsg(PHASE_ON1(Js::ObjTypeSpecIsolatedFldOpsWithBailOutPhase) || !propertySymOpnd->IsTypeDead() || propertySymOpnd->TypeCheckRequired(),
             "Why does a field store have a type check bailout, if its type is dead?");
 
         if (instrStFld->GetBailOutInfo()->bailOutInstr != instrStFld)
@@ -7442,10 +7442,11 @@ Lowerer::GenerateCachedTypeCheck(IR::Instr *instrChk, IR::PropertySymOpnd *prope
     // cache and no type check bailout. In the latter case, we can wind up doing expensive failed equivalence checks
     // repeatedly and never rejit.
     bool doEquivTypeCheck =
-        propertySymOpnd->HasEquivalentTypeSet() &&
-        !(propertySymOpnd->HasFinalType() && propertySymOpnd->HasInitialType()) &&
-        !propertySymOpnd->MustDoMonoCheck() &&
-        (propertySymOpnd->IsPoly() || instrChk->HasTypeCheckBailOut());
+        (instrChk->HasEquivalentTypeCheckBailOut() && propertySymOpnd->TypeCheckRequired()) ||
+        (propertySymOpnd->HasEquivalentTypeSet() &&
+         !(propertySymOpnd->HasFinalType() && propertySymOpnd->HasInitialType()) &&
+         !propertySymOpnd->MustDoMonoCheck() &&
+         (propertySymOpnd->IsPoly() || instrChk->HasTypeCheckBailOut()));
     Assert(doEquivTypeCheck || !instrChk->HasEquivalentTypeCheckBailOut());
 
     // Create and initialize the property guard if required. Note that for non-shared monomorphic checks we can refer
  • lib/Backend/Opnd.h+12 0 modified
    @@ -647,6 +647,7 @@ class PropertySymOpnd sealed : public SymOpnd
                     bool initialTypeChecked: 1;
                     bool typeMismatch: 1;
                     bool writeGuardChecked: 1;
+                    bool typeCheckRequired: 1;
                 };
                 uint8 typeCheckSeqFlags;
             };
@@ -1014,6 +1015,17 @@ class PropertySymOpnd sealed : public SymOpnd
         this->writeGuardChecked = value;
     }
 
+    bool TypeCheckRequired() const
+    {
+        return this->typeCheckRequired;
+    }
+
+    void SetTypeCheckRequired(bool value)
+    {
+        Assert(IsTypeCheckSeqCandidate());
+        this->typeCheckRequired = value;
+    }
+
     uint16 GetObjTypeSpecFlags() const
     {
         return this->objTypeSpecFlags;

Vulnerability mechanics

Generated on May 9, 2026. Inputs: CWE entries + fix-commit diffs from this CVE's patches. Citations validated against bundle.

References

9

News mentions

0

No linked articles in our index yet.