CVE-2018-8283
Description
ChakraCore scripting engine memory corruption vulnerability allows remote code execution when handling objects with setter-only property descriptors.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
ChakraCore scripting engine memory corruption vulnerability allows remote code execution when handling objects with setter-only property descriptors.
Vulnerability
A remote code execution vulnerability exists in the way the ChakraCore scripting engine handles objects in memory, specifically when processing property accessor descriptors. If a property descriptor contains a setter without a corresponding getter (a stale entry), the engine can corrupt memory. All versions of ChakraCore prior to the July 2018 security update are affected [1][4].
Exploitation
An attacker can craft a JavaScript object with a property that has a setter but no getter, causing the engine to incorrectly handle a stale entry in the property map. This can be triggered by hosting a malicious website that loads in a browser using ChakraCore (such as Microsoft Edge). No special privileges are required; user interaction is limited to visiting the malicious page [2][3].
Impact
Successful exploitation results in remote code execution in the context of the current process. An attacker can gain full control over the affected system, including the ability to install programs, view/change/delete data, or create new accounts with full user rights [1][4].
Mitigation
Microsoft released a security update on July 10, 2018, which includes a fix for this vulnerability. Users should update ChakraCore to version 1.10 or later. No workarounds are available. The vulnerability is part of a larger set of fixes addressed in the July 2018 Security Update (Pull Request #5444) [2][3].
AI Insight generated on May 22, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
Affected packages
Versions sourced from the GitHub Security Advisory.
| Package | Affected versions | Patched versions |
|---|---|---|
Microsoft.ChakraCoreNuGet | < 1.10.1 | 1.10.1 |
Affected products
2- Range: ChakraCore
Patches
1b2f092ea4274[CVE-2018-8283] Edge - ChakraCore Memory Corruption - Individual
1 file changed · +5 −1
lib/Runtime/Types/PathTypeHandler.cpp+5 −1 modified@@ -1452,7 +1452,11 @@ namespace Js DictionaryPropertyDescriptor<PropertyIndex> *descriptor; bool result = newTypeHandler->propertyMap->TryGetReference(propertyRecord, &descriptor); Assert(result); - Assert(attributes[descriptor->GetDataPropertyIndex<false>()] & ObjectSlotAttr_Accessor); + if (!(attributes[descriptor->GetDataPropertyIndex<false>()] & ObjectSlotAttr_Accessor)) + { + // Setter without a getter; this is a stale entry, so ignore it + continue; + } Assert(oldTypeHandler->GetSetterSlotIndex(descriptor->GetDataPropertyIndex<false>()) == newTypeHandler->nextPropertyIndex); descriptor->ConvertToGetterSetter(newTypeHandler->nextPropertyIndex); newTypeHandler->ClearHasOnlyWritableDataProperties();
Vulnerability mechanics
Generated on May 9, 2026. Inputs: CWE entries + fix-commit diffs from this CVE's patches. Citations validated against bundle.
References
7- github.com/advisories/GHSA-ch84-pxpj-7hhmghsaADVISORY
- nvd.nist.gov/vuln/detail/CVE-2018-8283ghsaADVISORY
- www.securityfocus.com/bid/104633mitrevdb-entryx_refsource_BID
- github.com/chakra-core/ChakraCore/commit/b2f092ea42744d569fd102e8dd85d5524269bdd0ghsaWEB
- github.com/chakra-core/ChakraCore/pull/5444ghsaWEB
- portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2018-8283ghsax_refsource_CONFIRMWEB
- web.archive.org/web/20210125211350/http://www.securityfocus.com/bid/104633ghsaWEB
News mentions
0No linked articles in our index yet.