CVE-2018-8294
Description
A memory corruption vulnerability in ChakraCore and Microsoft Edge allows remote code execution via crafted web content.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
A memory corruption vulnerability in ChakraCore and Microsoft Edge allows remote code execution via crafted web content.
Vulnerability
A remote code execution vulnerability exists in the way the Chakra scripting engine handles objects in memory. The bug affects both Microsoft Edge and the open-source ChakraCore JavaScript engine. It is classified as a memory corruption vulnerability. This CVE affects all versions of Microsoft Edge bundled with Windows 10 and ChakraCore prior to the July 2018 security update. [1][2]
Exploitation
An attacker can host a specially crafted website (or inject content into a compromised site) that, when visited by the victim through Microsoft Edge or an application embedding ChakraCore, triggers the memory corruption via the scripting engine. No additional user interaction beyond browsing the page is required. The attack is remote and exploits the object handling flaw in Chakra. [1][3]
Impact
Successful exploitation gives the attacker the ability to execute arbitrary code in the context of the current user. If the user has administrative rights, the attacker could install programs, view/change/delete data, or create new accounts with full user rights. The compromise occurs at the privilege level of the browsing user. [1][3]
Mitigation
Microsoft released a security update on July 10, 2018, to fix this vulnerability (part of the July 2018 Patch Tuesday). Users should apply the update via Windows Update or the Microsoft Update Catalog. For ChakraCore, Microsoft recommends updating to a patched version (1.11.x with the July 2018 security fix). No workaround is available. ChakraCore support ended March 2021. [1][3][4]
- NVD - CVE-2018-8294
- Microsoft Edge Scripting Engine CVE-2018-8294 Remote Memory Corruption Vulnerability
- Microsoft Edge Multiple Object Memory Handling Errors Let Remote Users Execute Arbitrary Code and Bypass Security Restrictions
- GitHub - chakra-core/ChakraCore: ChakraCore is an open source Javascript engine with a C API.
AI Insight generated on May 22, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
Affected packages
Versions sourced from the GitHub Security Advisory.
| Package | Affected versions | Patched versions |
|---|---|---|
Microsoft.ChakraCoreNuGet | < 1.10.1 | 1.10.1 |
Affected products
3- Range: ChakraCore
Patches
17af07fdfb3cf[CVE-2018-8294] Edge - In Cross Context scenario check for new target first before marshalling the last parameter to a FrameDisplay - Internal
2 files changed · +7 −2
lib/Runtime/Base/CrossSite.cpp+6 −1 modified@@ -489,7 +489,12 @@ namespace Js { args.Values[i] = CrossSite::MarshalVar(targetScriptContext, args.Values[i]); } - if (args.HasExtraArg()) + if (args.HasNewTarget()) + { + // Last value is new.target + args.Values[count] = CrossSite::MarshalVar(targetScriptContext, args.GetNewTarget()); + } + else if (args.HasExtraArg()) { // The final eval arg is a frame display that needs to be marshaled specially. args.Values[count] = CrossSite::MarshalFrameDisplay(targetScriptContext, args.GetFrameDisplay());
lib/Runtime/Language/Arguments.h+1 −1 modified@@ -229,7 +229,7 @@ namespace Js FrameDisplay* GetFrameDisplay() const { - AssertOrFailFast(Info.Flags & CallFlags_ExtraArg); + AssertOrFailFast((Info.Flags & CallFlags_ExtraArg) && (!this->HasNewTarget())); // There is an extra arg, so values should have Count + 1 members return (FrameDisplay*)(this->Values[Info.Count]);
Vulnerability mechanics
Generated on May 9, 2026. Inputs: CWE entries + fix-commit diffs from this CVE's patches. Citations validated against bundle.
References
9- github.com/advisories/GHSA-gxxx-j8m7-hh7mghsaADVISORY
- nvd.nist.gov/vuln/detail/CVE-2018-8294ghsaADVISORY
- www.securityfocus.com/bid/104646mitrevdb-entryx_refsource_BID
- www.securitytracker.com/id/1041256mitrevdb-entryx_refsource_SECTRACK
- github.com/chakra-core/ChakraCore/commit/7af07fdfb3cf3ac2b21dd71bf565ab1135e62d4dghsaWEB
- github.com/chakra-core/ChakraCore/pull/5444ghsaWEB
- portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2018-8294ghsax_refsource_CONFIRMWEB
- web.archive.org/web/20210124183944/http://www.securityfocus.com/bid/104646ghsaWEB
- web.archive.org/web/20211202002348/http://www.securitytracker.com/id/1041256ghsaWEB
News mentions
0No linked articles in our index yet.