CVE-2018-8286
Description
Chakra scripting engine in Microsoft Edge and ChakraCore suffers from a memory corruption vulnerability that allows remote code execution via crafted content.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
Vulnerability
A remote code execution vulnerability exists in the Chakra scripting engine in the way it handles objects in memory within Microsoft Edge and ChakraCore. The issue is a memory corruption flaw triggered in the GlobOpt::CaptureValues function, specifically in how changed symbols are handled on the JIT compiler's bail-out code path. Affected versions include all builds of Microsoft Edge on Windows 10 (32-bit and x64-based systems, including earlier Windows 10 releases) and the ChakraCore project prior to commit 0ac4253 [1][2][3].
Exploitation
An attacker must deliver specially crafted content to a target user, typically via a malicious website or by hosting content in an application that uses Edge's rendering engine (e.g., an ActiveX control marked safe for initialization in a Microsoft Office document). No authentication or special privileges are required; the victim merely needs to load the crafted content (e.g., visit a webpage). The attacker leverages the memory corruption to inject and execute arbitrary code in the context of the user's browser process [1][4].
Impact
Successful exploitation grants the attacker arbitrary code execution on the target system. This can lead to full compromise of the user's machine, including data theft, installation of malware, and further propagation within the network. The attack executes with the same privileges as the current user [1][4].
Mitigation
Microsoft released a security update on July 10, 2018 (Patch Tuesday) addressing CVE-2018-8286 for supported versions of Microsoft Edge and Windows. Users should apply the latest cumulative updates from Microsoft Update. For ChakraCore, the fix is available in commit 0ac4253 and later. No documented workarounds exist; the only mitigation is to apply the vendor-supplied patches. This CVE is not listed in CISA's Known Exploited Vulnerabilities (KEV) catalog as of this writing [1][2][3][4].
- NVD - CVE-2018-8286
- Microsoft Edge Scripting Engine CVE-2018-8286 Remote Memory Corruption Vulnerability
- [CVE-2018-8286] [ChakraCore] Edge - Chakra Type Confusion - Internal · chakra-core/ChakraCore@0ac4253
- Microsoft Edge Multiple Object Memory Handling Errors Let Remote Users Execute Arbitrary Code and Bypass Security Restrictions
AI Insight generated on May 22, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
Affected packages
Versions sourced from the GitHub Security Advisory.
| Package | Affected versions | Patched versions |
|---|---|---|
| Microsoft.ChakraCoreNuGet | < 1.10.1 | 1.10.1 |
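The table above gives the only concrete version boundary on this page: any pin of Microsoft.ChakraCoreNuGet below 1.10.1 is affected. The script below is an added example, not part of the CVE record or of the ChakraCore project; it audits the two places a .NET build normally pins NuGet versions, a legacy packages.config and an SDK-style .csproj PackageReference, and flags pins that resolve below the patched version. The package name and the 1.10.1 boundary come from the advisory table; the two XML documents are constructed for the demonstration, and the version parser is a deliberately small stand-in for NuGet's own ordering rules (it treats a pre-release of X as earlier than X and audits the lower bound of a range).

```python
"""Flag projects that pin Microsoft.ChakraCoreNuGet below the patched 1.10.1.

Added example (not from the CVE record). Assumed inputs: a NuGet packages.config
or an SDK-style .csproj; the sample documents at the bottom are constructed.
"""
import xml.etree.ElementTree as ET

AFFECTED_PACKAGE = "Microsoft.ChakraCoreNuGet"
PATCHED_VERSION = "1.10.1"  # "Patched versions" column of the advisory table


def parse_version(text):
    """Turn '1.10.1', '1.10' or '1.10.1-beta1' into a comparable tuple.

    NuGet orders a pre-release of X before X itself, so a '-suffix' sorts
    lower than the bare version; a floating component ('1.9.*') counts as 0.
    """
    core, _, suffix = text.strip().partition("-")
    parts = tuple(0 if p == "*" else int(p) for p in core.split("."))
    parts = parts + (0,) * (3 - len(parts))  # '1.10' compares as '1.10.0'
    return parts + ((0,) if suffix else (1,))


def lower_bound(spec):
    """NuGet allows range syntax such as '[1.9.0, 1.10.0)' in a Version attribute.

    Audit the lowest version the range admits, because that is what a restore
    may resolve to; an open lower bound ('(, 1.10.0)') is treated as 0.0.0.
    """
    spec = spec.strip().lstrip("[(").rstrip("])")
    return spec.split(",")[0].strip() or "0.0.0"


def is_affected(version_spec):
    """True when the pin can resolve to a version below the patched release."""
    return parse_version(lower_bound(version_spec)) < parse_version(PATCHED_VERSION)


def find_pinned_versions(xml_text):
    """Return every version string the document pins for the affected package.

    Handles packages.config (<package id=... version=...>) and SDK-style
    project files (<PackageReference Include=... Version=...>, or a nested
    <Version> element). XML namespaces, if present, are ignored.
    """
    root = ET.fromstring(xml_text)
    versions = []
    for el in root.iter():
        tag = el.tag.rsplit("}", 1)[-1]  # drop any '{namespace}' prefix
        if tag == "package" and el.get("id") == AFFECTED_PACKAGE:
            versions.append(el.get("version"))
        elif tag == "PackageReference" and el.get("Include") == AFFECTED_PACKAGE:
            version = el.get("Version")
            if version is None:
                child = el.find("Version")
                version = child.text if child is not None else None
            if version is not None:
                versions.append(version)
    return versions


def audit(xml_text):
    """Return [(pinned_version, affected)] for every pin of the package found."""
    return [(v, is_affected(v)) for v in find_pinned_versions(xml_text)]


# Constructed sample inputs: one vulnerable legacy pin, one patched SDK-style pin.
PACKAGES_CONFIG = """<packages>
  <package id="Newtonsoft.Json" version="11.0.2" targetFramework="net461" />
  <package id="Microsoft.ChakraCoreNuGet" version="1.9.1" targetFramework="net461" />
</packages>"""

CSPROJ = """<Project Sdk="Microsoft.NET.Sdk">
  <ItemGroup>
    <PackageReference Include="Microsoft.ChakraCoreNuGet" Version="1.10.1" />
  </ItemGroup>
</Project>"""

if __name__ == "__main__":
    for name, doc in (("packages.config", PACKAGES_CONFIG), ("app.csproj", CSPROJ)):
        for version, affected in audit(doc):
            status = "AFFECTED (< %s)" % PATCHED_VERSION if affected else "ok"
            print("%s: %s %s -> %s" % (name, AFFECTED_PACKAGE, version, status))
```

Run it against real project files by replacing the constructed documents with the file contents; a pin that audits as affected should be raised to 1.10.1 or later, since the page records no workaround other than the vendor fix.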
Affected products
- Range: ChakraCore
Patches
0ac4253cbc2d [CVE-2018-8286] [ChakraCore] Edge - Chakra Type Confusion - Internal
2 files changed · +30 −11
lib/Backend/GlobOptBailOut.cpp+26 −7 modified@@ -22,7 +22,8 @@ GlobOpt::CaptureCopyPropValue(BasicBlock * block, Sym * sym, Value * val, SListB void GlobOpt::CaptureValuesFromScratch(BasicBlock * block, SListBase<ConstantStackSymValue>::EditingIterator & bailOutConstValuesIter, - SListBase<CopyPropSyms>::EditingIterator & bailOutCopySymsIter) + SListBase<CopyPropSyms>::EditingIterator & bailOutCopySymsIter, + BVSparse<JitArenaAllocator>* argsToCapture) { Sym * sym = nullptr; Value * value = nullptr; @@ -49,6 +50,11 @@ GlobOpt::CaptureValuesFromScratch(BasicBlock * block, } NEXT_GLOBHASHTABLE_ENTRY; + if (argsToCapture) + { + block->globOptData.changedSyms->Or(argsToCapture); + } + FOREACH_BITSET_IN_SPARSEBV(symId, block->globOptData.changedSyms) { HashBucket<Sym*, Value*> * bucket = block->globOptData.symToValueMap->GetBucket(symId); @@ -80,7 +86,8 @@ GlobOpt::CaptureValuesFromScratch(BasicBlock * block, void GlobOpt::CaptureValuesIncremental(BasicBlock * block, SListBase<ConstantStackSymValue>::EditingIterator & bailOutConstValuesIter, - SListBase<CopyPropSyms>::EditingIterator & bailOutCopySymsIter) + SListBase<CopyPropSyms>::EditingIterator & bailOutCopySymsIter, + BVSparse<JitArenaAllocator>* argsToCapture) { CapturedValues * currCapturedValues = block->globOptData.capturedValues; SListBase<ConstantStackSymValue>::Iterator iterConst(currCapturedValues ? &currCapturedValues->constantValues : nullptr); @@ -90,6 +97,11 @@ GlobOpt::CaptureValuesIncremental(BasicBlock * block, block->globOptData.changedSyms->Set(Js::Constants::InvalidSymID); + if (argsToCapture) + { + block->globOptData.changedSyms->Or(argsToCapture); + } + FOREACH_BITSET_IN_SPARSEBV(symId, block->globOptData.changedSyms) { Value * val = nullptr; 
@@ -225,7 +237,7 @@ GlobOpt::CaptureValuesIncremental(BasicBlock * block, void -GlobOpt::CaptureValues(BasicBlock *block, BailOutInfo * bailOutInfo) +GlobOpt::CaptureValues(BasicBlock *block, BailOutInfo * bailOutInfo, BVSparse<JitArenaAllocator>* argsToCapture) { if (!this->func->DoGlobOptsForGeneratorFunc()) { @@ -244,11 +256,11 @@ GlobOpt::CaptureValues(BasicBlock *block, BailOutInfo * bailOutInfo) if (!block->globOptData.capturedValues) { - CaptureValuesFromScratch(block, bailOutConstValuesIter, bailOutCopySymsIter); + CaptureValuesFromScratch(block, bailOutConstValuesIter, bailOutCopySymsIter, argsToCapture); } else { - CaptureValuesIncremental(block, bailOutConstValuesIter, bailOutCopySymsIter); + CaptureValuesIncremental(block, bailOutConstValuesIter, bailOutCopySymsIter, argsToCapture); } // attach capturedValues to bailOutInfo @@ -892,6 +904,8 @@ GlobOpt::FillBailOutInfo(BasicBlock *block, BailOutInfo * bailOutInfo) { AssertMsg(!this->isCallHelper, "Bail out can't be inserted the middle of CallHelper sequence"); + BVSparse<JitArenaAllocator>* argsToCapture = nullptr; + bailOutInfo->liveVarSyms = block->globOptData.liveVarSyms->CopyNew(this->func->m_alloc); bailOutInfo->liveFloat64Syms = block->globOptData.liveFloat64Syms->CopyNew(this->func->m_alloc); // The live int32 syms in the bailout info are only the syms resulting from lossless conversion to int. If the int32 value @@ -971,7 +985,12 @@ GlobOpt::FillBailOutInfo(BasicBlock *block, BailOutInfo * bailOutInfo) sym = opnd->GetStackSym(); Assert(this->currentBlock->globOptData.FindValue(sym)); // StackSym args need to be re-captured - this->currentBlock->globOptData.SetChangedSym(sym->m_id); + if (!argsToCapture) + { + argsToCapture = JitAnew(this->tempAlloc, BVSparse<JitArenaAllocator>, this->tempAlloc); + } + + argsToCapture->Set(sym->m_id); } Assert(totalOutParamCount != 0); 
@@ -1019,7 +1038,7 @@ GlobOpt::FillBailOutInfo(BasicBlock *block, BailOutInfo * bailOutInfo) // Save the constant values that we know so we can restore them directly. // This allows us to dead store the constant value assign. - this->CaptureValues(block, bailOutInfo); + this->CaptureValues(block, bailOutInfo, argsToCapture); } void
lib/Backend/GlobOpt.h+4 −4 modified@@ -849,15 +849,15 @@ class GlobOpt static void TrackByteCodeSymUsed(IR::Opnd * opnd, BVSparse<JitArenaAllocator> * instrByteCodeStackSymUsed, PropertySym **pPropertySymUse); static void TrackByteCodeSymUsed(IR::RegOpnd * opnd, BVSparse<JitArenaAllocator> * instrByteCodeStackSymUsed); static void TrackByteCodeSymUsed(StackSym * sym, BVSparse<JitArenaAllocator> * instrByteCodeStackSymUsed); - void CaptureValues(BasicBlock *block, BailOutInfo * bailOutInfo); + void CaptureValues(BasicBlock *block, BailOutInfo * bailOutInfo, BVSparse<JitArenaAllocator>* argsToCapture); void CaptureValuesFromScratch( BasicBlock * block, - SListBase<ConstantStackSymValue>::EditingIterator & bailOutConstValuesIter, - SListBase<CopyPropSyms>::EditingIterator & bailOutCopyPropIter); + SListBase<ConstantStackSymValue>::EditingIterator & bailOutConstValuesIter, SListBase<CopyPropSyms>::EditingIterator & bailOutCopyPropIter, + BVSparse<JitArenaAllocator>* argsToCapture); void CaptureValuesIncremental( BasicBlock * block, SListBase<ConstantStackSymValue>::EditingIterator & bailOutConstValuesIter, - SListBase<CopyPropSyms>::EditingIterator & bailOutCopyPropIter); + SListBase<CopyPropSyms>::EditingIterator & bailOutCopyPropIter, BVSparse<JitArenaAllocator>* argsToCapture); void CaptureCopyPropValue(BasicBlock * block, Sym * sym, Value * val, SListBase<CopyPropSyms>::EditingIterator & bailOutCopySymsIter); void CaptureArguments(BasicBlock *block, BailOutInfo * bailOutInfo, JitArenaAllocator *allocator); void CaptureByteCodeSymUses(IR::Instr * instr);
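Review bot: In the FillBailOutInfo hunk at @@ -971,7 +985,12 @@, the removed line marked the argument sym as changed on `this->currentBlock`, whereas the replacement only records it in `argsToCapture`, which @@ -1019,7 +1038,7 @@ then hands to `this->CaptureValues(block, bailOutInfo, argsToCapture)`, where it is OR'd into `block->globOptData.changedSyms`. If `block` and `this->currentBlock` can differ at this point, the sym is now attributed to a different block than before; an `Assert(block == this->currentBlock)` or a comment would make that intent explicit. The bitvector is also allocated with `JitAnew(this->tempAlloc, ...)` and never released in the visible lines, which is only correct if `tempAlloc` is reset per function; a short comment next to the `argsToCapture = nullptr` declaration should say so.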
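Review bot: The two new `if (argsToCapture) { block->globOptData.changedSyms->Or(argsToCapture); }` blocks in CaptureValuesFromScratch (@@ -49,6 +50,11 @@) and CaptureValuesIncremental (@@ -90,6 +97,11 @@) are identical and both helpers are reached only from CaptureValues, which now receives the same pointer; hoisting the OR into CaptureValues ahead of the `if (!block->globOptData.capturedValues)` branch would keep the two paths from drifting. CaptureValues also starts with `if (!this->func->DoGlobOptsForGeneratorFunc())`, whose body is outside the hunk; if that branch returns before either helper is called, the collected argument syms are silently dropped, so confirm that is intended and document it at the call site.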
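Review bot: In the GlobOpt.h hunk the `CaptureValuesFromScratch` declaration now places `bailOutConstValuesIter` and `bailOutCopyPropIter` on one line while `CaptureValuesIncremental` keeps one parameter per line; align the two declarations. The header also names the iterator `bailOutCopyPropIter` while the definitions in GlobOptBailOut.cpp call it `bailOutCopySymsIter` (pre-existing, but this change touches both signatures), and the new `argsToCapture` parameter deserves a comment stating that it may be null and that its ids are merged into the block's changed-sym set.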
Vulnerability mechanics
Generated on May 9, 2026. Inputs: CWE entries + fix-commit diffs from this CVE's patches. Citations validated against bundle.
References
- github.com/advisories/GHSA-vwqh-cmvp-6694 (ghsa: ADVISORY)
- nvd.nist.gov/vuln/detail/CVE-2018-8286 (ghsa: ADVISORY)
- www.securityfocus.com/bid/104643 (mitre: vdb-entry, x_refsource_BID)
- www.securitytracker.com/id/1041256 (mitre: vdb-entry, x_refsource_SECTRACK)
- github.com/chakra-core/ChakraCore/commit/0ac4253cbc2d7f63e638a4930b552814bd64aa5d (ghsa: WEB)
- github.com/chakra-core/ChakraCore/pull/5444 (ghsa: WEB)
- portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2018-8286 (ghsa: x_refsource_CONFIRM, WEB)
- web.archive.org/web/20210124183857/http://www.securityfocus.com/bid/104643 (ghsa: WEB)
- web.archive.org/web/20211202002348/http://www.securitytracker.com/id/1041256 (ghsa: WEB)
News mentions
No linked articles in our index yet.