CVE-2018-8287
Description
A memory corruption vulnerability in Microsoft browsers' scripting engine allows remote code execution via specially crafted web content.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
Vulnerability
A remote code execution vulnerability exists in the way the scripting engine handles objects in memory in Microsoft browsers, aka 'Scripting Engine Memory Corruption Vulnerability.' Affected products include ChakraCore, Internet Explorer 11, Microsoft Edge, and Internet Explorer 10 [1][2]. The vulnerability can be triggered through a specially crafted ActiveX control marked safe for initialization [3].
Exploitation
An attacker must host a malicious website (or leverage a compromised site) that contains specially crafted content. The user must then browse to the site using an affected browser. No authentication is required, and the vulnerability can be exploited without user interaction beyond visiting the page [1][2].
Impact
Successful exploitation allows the attacker to execute arbitrary code in the context of the current user. If the user has administrative rights, the attacker could take control of the system, including installing programs, viewing/changing data, or creating new accounts [2].
Mitigation
Microsoft released security updates on July 10, 2018, as part of Patch Tuesday. Users should apply the latest updates for Internet Explorer, Microsoft Edge, and ChakraCore. For ChakraCore, Microsoft provided security updates until March 2021; after that, the project is community-maintained and no longer receives official security patches [4].
1. Microsoft Internet Explorer and Edge CVE-2018-8287 Remote Memory Corruption Vulnerability
2. NVD - CVE-2018-8287
3. Microsoft Edge Multiple Object Memory Handling Errors Let Remote Users Execute Arbitrary Code and Bypass Security Restrictions
4. GitHub - chakra-core/ChakraCore: ChakraCore is an open source Javascript engine with a C API.
AI Insight generated on May 22, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
Affected packages
Versions sourced from the GitHub Security Advisory.
| Package | Affected versions | Patched versions |
|---|---|---|
| Microsoft.ChakraCore (NuGet) | < 1.10.1 | 1.10.1 |
Affected products
- Range: ChakraCore
- Windows Server 2012 (+ 1 more)
- (no CPE) range: Windows Server 2012
- (no CPE) range: Windows 10 for 32-bit Systems
Patches
fa89a7031e75: [CVE-2018-8287] Edge - Chakra Internet Explorer - Use after free in jscript9.dll after closing WebBrowserControl - Internal.
2 files changed · +26 −0
lib/Runtime/Base/ThreadServiceWrapperBase.cpp+7 −0 modified@@ -78,6 +78,13 @@ bool ThreadServiceWrapperBase::ScheduleIdleCollect(uint ticks, bool scheduleAsTa bool ThreadServiceWrapperBase::IdleCollect() { + // Tracking service does not AddRef/Release the thread service and only keeps a function pointer and context parameter (this pointer) + // to execute the IdleCollect callback. It is possible that the tracking service gets destroyed as part of the collection + // during this IdleCollect. If that happens then we need to make sure ThreadService (which may be owned by the tracking service) + // is kept alive until this callback completes. Any pending timer is killed in the thread service destructor so we should not get + // any new callbacks after the thread service is destroyed. + AutoAddRefReleaseThreadService autoThreadServiceKeepAlive(this); + Assert(hasScheduledIdleCollect); IDLE_COLLECT_VERBOSE_TRACE(_u("IdleCollect- reset hasScheduledIdleCollect\n")); hasScheduledIdleCollect = false;
lib/Runtime/Base/ThreadServiceWrapperBase.h+19 −0 modified@@ -41,10 +41,29 @@ class ThreadServiceWrapperBase : public ThreadServiceWrapper virtual bool OnScheduleIdleCollect(uint delta, bool scheduleAsTask) = 0; virtual void OnFinishIdleCollect() = 0; virtual bool ShouldFinishConcurrentCollectOnIdleCallback() = 0; + virtual void AddRefThreadService() { /* do nothing */ }; + virtual void ReleaseThreadService() { /* do nothing */ }; ThreadContext *GetThreadContext() { return threadContext; } private: + class AutoAddRefReleaseThreadService + { + public: + AutoAddRefReleaseThreadService(ThreadServiceWrapperBase * threadService) + { + this->threadService = threadService; + threadService->AddRefThreadService(); + } + + ~AutoAddRefReleaseThreadService() + { + threadService->ReleaseThreadService(); + } + + ThreadServiceWrapperBase * threadService; + }; + static const unsigned int IdleTicks = 1000; // 1 second static const unsigned int IdleFinishTicks = 100; // 100 ms;
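Review bot: In ThreadServiceWrapperBase::IdleCollect (lib/Runtime/Base/ThreadServiceWrapperBase.cpp), the new autoThreadServiceKeepAlive guard only keeps the thread service alive if the concrete wrapper overrides AddRefThreadService() and ReleaseThreadService(); the defaults added in ThreadServiceWrapperBase.h have empty bodies, and neither of the two changed files contains an override, so as shown here the guard does nothing. The comment should name the implementation that supplies the real reference count, or the two methods should be pure virtual like OnScheduleIdleCollect so that every implementer has to decide. The comment should also say that the guard's destructor may drop the last reference, so the guard has to stay the first local in IdleCollect and no member may be touched after it goes out of scope.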
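Review bot: In lib/Runtime/Base/ThreadServiceWrapperBase.h, AutoAddRefReleaseThreadService is copyable and its single-argument constructor is not explicit, so an accidental copy would call ReleaseThreadService() twice for one AddRefThreadService() and leave the reference count one too low. Suggest marking the constructor explicit, deleting the copy constructor and copy assignment, and moving the threadService member out of the public: section. The semicolons after the empty bodies in `virtual void AddRefThreadService() { /* do nothing */ };` and `virtual void ReleaseThreadService() { /* do nothing */ };` are redundant and can be dropped.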
Vulnerability mechanics
Generated on May 9, 2026. Inputs: CWE entries + fix-commit diffs from this CVE's patches. Citations validated against bundle.
References
- github.com/advisories/GHSA-p97q-j98q-f98w (ghsa, ADVISORY)
- nvd.nist.gov/vuln/detail/CVE-2018-8287 (ghsa, ADVISORY)
- www.securityfocus.com/bid/104634 (mitre, vdb-entry, x_refsource_BID)
- www.securitytracker.com/id/1041256 (mitre, vdb-entry, x_refsource_SECTRACK)
- www.securitytracker.com/id/1041258 (mitre, vdb-entry, x_refsource_SECTRACK)
- github.com/chakra-core/ChakraCore/commit/fa89a7031e75ca8b4a595765e897e8fc0d9fae76 (ghsa, WEB)
- github.com/chakra-core/ChakraCore/pull/5444 (ghsa, WEB)
- portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2018-8287 (ghsa, x_refsource_CONFIRM, WEB)
- web.archive.org/web/20210125211352/http://www.securityfocus.com/bid/104634 (ghsa, WEB)
- web.archive.org/web/20211202002348/http://www.securitytracker.com/id/1041256 (ghsa, WEB)
- web.archive.org/web/20220120050525/http://www.securitytracker.com/id/1041258 (ghsa, WEB)