CVE-2018-8288
Description
A memory corruption vulnerability in the Chakra scripting engine allows remote code execution via specially crafted ActiveX controls in Microsoft Edge, Internet Explorer 11, and ChakraCore.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
Vulnerability
The scripting engine (Chakra) in Microsoft Edge, Internet Explorer 11, and ChakraCore prior to the July 2018 security updates contains a remote code execution vulnerability due to improper handling of objects in memory. This memory corruption can be triggered when a user loads specially crafted content, including ActiveX controls marked as safe for initialization, in an application that hosts the rendering engine (e.g., Microsoft Office documents or the WebBrowser control). Affected versions include all builds before the patches released on July 10, 2018. [1][2][3]
Exploitation
An attacker can exploit this vulnerability by convincing a user to open a malicious file or visit a website hosting the crafted ActiveX control. No authentication is required, but user interaction is necessary. The attacker must create a malicious ActiveX control or crafted content that, when processed by the scripting engine, causes memory corruption. This can be delivered via a web page, email attachment, or any medium that triggers the rendering engine. [3]
Impact
Successful exploitation allows the attacker to execute arbitrary code in the context of the current user. If the user has administrative privileges, the attacker can gain full control of the affected system, install programs, view, change, or delete data, or create new accounts with full user rights. The impact is consistent with a remote code execution vulnerability. [2][3]
Mitigation
Microsoft released security updates on July 10, 2018, as part of the monthly Patch Tuesday, which address this vulnerability. Users should apply the latest cumulative updates for Internet Explorer 11 and Microsoft Edge (e.g., KB 4338829 for Edge, KB 4339093 for IE). For ChakraCore, Microsoft provided security updates until March 9, 2021, and recommends updating to the latest supported version. No workarounds are documented; applying the patch is the only mitigation. [1][3][4]
[1] Microsoft Internet Explorer and Edge CVE-2018-8288 Remote Memory Corruption Vulnerability
[2] NVD - CVE-2018-8288
[3] Microsoft Edge Multiple Object Memory Handling Errors Let Remote Users Execute Arbitrary Code and Bypass Security Restrictions
[4] GitHub - chakra-core/ChakraCore: ChakraCore is an open source Javascript engine with a C API.
AI Insight generated on May 22, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
Affected packages
Versions sourced from the GitHub Security Advisory.
| Package | Affected versions | Patched versions |
|---|---|---|
| Microsoft.ChakraCore (NuGet) | < 1.10.1 | 1.10.1 |
Affected products (4)
- Range: ChakraCore
- Range: Windows 10 for 32-bit Systems
Patches (1)
f9b1cded6631 [CVE-2018-8288] Edge - Chakra JIT ImplicitCallFlags check bypass with Intl - Google, Inc.
1 file changed · +3 −10
lib/Runtime/Library/IntlEngineInterfaceExtensionObject.cpp+3 −10 modified@@ -742,18 +742,11 @@ namespace Js Js::Var args[] = { scriptContext->GetLibrary()->GetUndefined(), scriptContext->GetLibrary()->GetEngineInterfaceObject(), initType }; Js::CallInfo callInfo(Js::CallFlags_Value, _countof(args)); - // Clear disable implicit call bit as initialization code doesn't have any side effect - Js::ImplicitCallFlags saveImplicitCallFlags = scriptContext->GetThreadContext()->GetImplicitCallFlags(); - scriptContext->GetThreadContext()->ClearDisableImplicitFlags(); - Js::Arguments arguments(callInfo, args); - BEGIN_SAFE_REENTRANT_CALL(scriptContext->GetThreadContext()) + scriptContext->GetThreadContext()->ExecuteImplicitCall(function, Js::ImplicitCall_Accessor, [=]()->Js::Var { - JavascriptFunction::CallRootFunctionInScript(function, arguments); - } - END_SAFE_REENTRANT_CALL - - scriptContext->GetThreadContext()->SetImplicitCallFlags((Js::ImplicitCallFlags)(saveImplicitCallFlags)); + return JavascriptFunction::CallRootFunctionInScript(function, arguments); + }); // Delete prototypes on functions if initialized Intl object if (intlInitializationType == IntlInitializationType::Intl)
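Review bot: The return value of `ExecuteImplicitCall(function, Js::ImplicitCall_Accessor, ...)` is discarded, and the code right after the call (`// Delete prototypes on functions if initialized Intl object`) carries on as though the Intl initialization function ran. If ExecuteImplicitCall can decline to invoke the lambda while implicit calls are disabled, check for that case before the prototype cleanup, or add a comment saying why a skipped call is safe here. The removed comment ("initialization code doesn't have any side effect") documented the assumption behind the old save/clear/restore of the implicit call flags; the replacement should get a line explaining why the call is now reported as `ImplicitCall_Accessor`, since the commit title names an ImplicitCallFlags check bypass as the issue being fixed. The lambda also captures by value with `[=]`; listing `function` and `arguments` explicitly would make clear what is copied into it.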
Vulnerability mechanics
Generated on May 9, 2026. Inputs: CWE entries + fix-commit diffs from this CVE's patches. Citations validated against bundle.
References (13)
- www.exploit-db.com/exploits/45213/ · mitre · exploit · x_refsource_EXPLOIT-DB
- github.com/advisories/GHSA-4f79-fxh8-vgq2 · ghsa · ADVISORY
- nvd.nist.gov/vuln/detail/CVE-2018-8288 · ghsa · ADVISORY
- www.securityfocus.com/bid/104636 · mitre · vdb-entry · x_refsource_BID
- www.securitytracker.com/id/1041256 · mitre · vdb-entry · x_refsource_SECTRACK
- www.securitytracker.com/id/1041258 · mitre · vdb-entry · x_refsource_SECTRACK
- github.com/chakra-core/ChakraCore/commit/f9b1cded66314c52ab2de8e4e68efb854bd6b9aa · ghsa · WEB
- github.com/chakra-core/ChakraCore/pull/5444 · ghsa · WEB
- portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2018-8288 · ghsa · x_refsource_CONFIRM · WEB
- web.archive.org/web/20210124183729/http://www.securityfocus.com/bid/104636 · ghsa · WEB
- web.archive.org/web/20211202002348/http://www.securitytracker.com/id/1041256 · ghsa · WEB
- web.archive.org/web/20220120050525/http://www.securitytracker.com/id/1041258 · ghsa · WEB
- www.exploit-db.com/exploits/45213 · ghsa · WEB