CVE-2018-8355
Description
A remote code execution vulnerability in ChakraCore and Microsoft browsers due to improper handling of objects in memory, leading to memory corruption.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
Vulnerability
A remote code execution vulnerability exists in the way the scripting engine handles objects in memory in Microsoft browsers, known as a "Scripting Engine Memory Corruption Vulnerability." It affects ChakraCore, Internet Explorer 11, and Microsoft Edge [1][2]. The underlying bug is a JIT type confusion involving String.prototype.localeCompare. The fix commit [4] removes localeCompare from the set of built-ins the JIT may inline as direct helper calls, and the commit's own comment states the reason: localeCompare immediately calls back into Intl.js, which can break implicitCallFlags, the bookkeeping the JIT relies on to notice that script ran during a built-in call. An inlined localeCompare could therefore re-enter script without the JIT invalidating the type assumptions of the surrounding compiled code, leaving it operating on stale type information; that mismatch is the memory corruption. The vulnerability is present in versions prior to the security update released on August 14, 2018 [1][3].
Exploitation
To exploit this vulnerability, an attacker would need to host a specially crafted website (or leverage a compromised website that accepts user-provided content) and convince a user to visit it [1][3]. No additional privileges or authentication are required: the memory corruption is triggered in the browser's scripting engine while it processes attacker-supplied JavaScript. User interaction is limited to clicking a link or visiting the malicious site.
Impact
Successful exploitation allows the attacker to execute arbitrary code in the context of the current user [1][2]. If the current user is logged on with administrative privileges, the attacker could take control of the affected system, install programs, view, change, or delete data, or create new accounts with full user rights. The impact is remote code execution, leading to full compromise of confidentiality, integrity, and availability.
Mitigation
Microsoft released security updates on August 14, 2018, which fix this vulnerability [1][3]. Users should apply the cumulative security update for Internet Explorer and Edge, or update ChakraCore to a version containing the fix commit [4] (for the NuGet package, Microsoft.ChakraCoreNuGet 1.10.2 or later, per the affected-packages table below). No workarounds are documented; the vendor confirmed the fix is available.
- [1] Microsoft Internet Explorer and Edge CVE-2018-8355 Remote Memory Corruption Vulnerability
- [2] NVD - CVE-2018-8355
- [3] Microsoft Edge Multiple Bugs Let Remote Users Execute Arbitrary Code, Obtain Potentially Sensitive Information, Gain Elevated Privileges, and Bypass Security Restrictions on the Target System
- [4] [CVE-2018-8355] Edge - Chakra: JIT: Type confusion with localeCompare… · chakra-core/ChakraCore@cf3ef50
AI Insight generated on May 22, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
Affected packages
Versions sourced from the GitHub Security Advisory.
| Package | Affected versions | Patched versions |
|---|---|---|
| Microsoft.ChakraCoreNuGet | < 1.10.2 | 1.10.2 |
Affected products
- Range: ChakraCore
- Range: Windows 10 for 32-bit Systems
Patches
cf3ef506236d [CVE-2018-8355] Edge - Chakra: JIT: Type confusion with localeCompare - Google, Inc.
4 files changed · +2 −10
lib/Backend/Inline.cpp+0 −4 modified@@ -3418,10 +3418,6 @@ Inline::SetupInlineInstrForCallDirect(Js::BuiltinFunction builtInId, IR::Instr* callInstr->SetSrc1(IR::HelperCallOpnd::New(IR::JnHelperMethod::HelperString_Link, callInstr->m_func)); break; - case Js::BuiltinFunction::JavascriptString_LocaleCompare: - callInstr->SetSrc1(IR::HelperCallOpnd::New(IR::JnHelperMethod::HelperString_LocaleCompare, callInstr->m_func)); - break; - case Js::BuiltinFunction::JavascriptString_Match: callInstr->SetSrc1(IR::HelperCallOpnd::New(IR::JnHelperMethod::HelperString_Match, callInstr->m_func)); break;
lib/Backend/InliningDecider.cpp+0 −1 modified@@ -491,7 +491,6 @@ bool InliningDecider::GetBuiltInInfoCommon( case Js::JavascriptBuiltInFunction::JavascriptArray_Splice: case Js::JavascriptBuiltInFunction::JavascriptString_Link: - case Js::JavascriptBuiltInFunction::JavascriptString_LocaleCompare: goto CallDirectCommon; case Js::JavascriptBuiltInFunction::JavascriptArray_Join:
lib/Runtime/LibraryFunction.h+0 −1 modified@@ -28,7 +28,6 @@ LIBRARY_FUNCTION(JavascriptString, FromCodePoint, 1, BIF_None LIBRARY_FUNCTION(JavascriptString, IndexOf, 3, BIF_UseSrc0 | BIF_VariableArgsNumber , JavascriptString::EntryInfo::IndexOf) LIBRARY_FUNCTION(JavascriptString, LastIndexOf, 3, BIF_UseSrc0 | BIF_VariableArgsNumber , JavascriptString::EntryInfo::LastIndexOf) LIBRARY_FUNCTION(JavascriptString, Link, 2, BIF_UseSrc0 , JavascriptString::EntryInfo::Link) -LIBRARY_FUNCTION(JavascriptString, LocaleCompare, 2, BIF_UseSrc0 , JavascriptString::EntryInfo::LocaleCompare) LIBRARY_FUNCTION(JavascriptString, Match, 2, BIF_UseSrc0 | BIF_IgnoreDst , JavascriptString::EntryInfo::Match) LIBRARY_FUNCTION(JavascriptString, Replace, 3, BIF_UseSrc0 | BIF_IgnoreDst , JavascriptString::EntryInfo::Replace) LIBRARY_FUNCTION(JavascriptString, Search, 2, BIF_UseSrc0 , JavascriptString::EntryInfo::Search)
lib/Runtime/Library/JavascriptLibrary.cpp+2 −4 modified@@ -3277,9 +3277,6 @@ namespace Js case PropertyIds::link: return BuiltinFunction::JavascriptString_Link; - case PropertyIds::localeCompare: - return BuiltinFunction::JavascriptString_LocaleCompare; - case PropertyIds::match: return BuiltinFunction::JavascriptString_Match; @@ -3842,7 +3839,8 @@ namespace Js builtinFuncs[BuiltinFunction::JavascriptString_CharAt] = library->AddFunctionToLibraryObject(stringPrototype, PropertyIds::charAt, &JavascriptString::EntryInfo::CharAt, 1); builtinFuncs[BuiltinFunction::JavascriptString_CharCodeAt] = library->AddFunctionToLibraryObject(stringPrototype, PropertyIds::charCodeAt, &JavascriptString::EntryInfo::CharCodeAt, 1); builtinFuncs[BuiltinFunction::JavascriptString_Concat] = library->AddFunctionToLibraryObject(stringPrototype, PropertyIds::concat, &JavascriptString::EntryInfo::Concat, 1); - builtinFuncs[BuiltinFunction::JavascriptString_LocaleCompare] = library->AddFunctionToLibraryObject(stringPrototype, PropertyIds::localeCompare, &JavascriptString::EntryInfo::LocaleCompare, 1); + // OS#17824730: Don't inline String.prototype.localeCompare because it immediately calls back into Intl.js, which can break implicitCallFlags + /* No inlining String_LocaleCompare */ library->AddFunctionToLibraryObject(stringPrototype, PropertyIds::localeCompare, &JavascriptString::EntryInfo::LocaleCompare, 1); builtinFuncs[BuiltinFunction::JavascriptString_Match] = library->AddFunctionToLibraryObject(stringPrototype, PropertyIds::match, &JavascriptString::EntryInfo::Match, 1); builtinFuncs[BuiltinFunction::JavascriptString_Split] = library->AddFunctionToLibraryObject(stringPrototype, PropertyIds::split, &JavascriptString::EntryInfo::Split, 2); builtinFuncs[BuiltinFunction::JavascriptString_Substring] = library->AddFunctionToLibraryObject(stringPrototype, PropertyIds::substring, &JavascriptString::EntryInfo::Substring, 2);
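Review bot: In the lib/Backend/Inline.cpp hunk, deleting the `JavascriptString_LocaleCompare` case from `SetupInlineInstrForCallDirect` leaves `IR::JnHelperMethod::HelperString_LocaleCompare` without a caller in the visible lines; if nothing else references it, drop the helper declaration in the same change so the direct-call path cannot be quietly reintroduced later.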
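Review bot: In the lib/Backend/InliningDecider.cpp hunk, the removed `case Js::JavascriptBuiltInFunction::JavascriptString_LocaleCompare:` sits between `JavascriptString_Link` and `goto CallDirectCommon;` with no explanation at the removal site; a one-line comment here pointing at the OS#17824730 note in JavascriptLibrary.cpp would stop a later cleanup from "restoring" the entry next to `Link`, which is exactly the re-entrancy hazard this patch closes.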
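Review bot: In the lib/Runtime/LibraryFunction.h hunk, removing the `LIBRARY_FUNCTION(JavascriptString, LocaleCompare, ...)` line takes localeCompare out of the builtin table, but no hunk in this patch touches the definition of the `BuiltinFunction::JavascriptString_LocaleCompare` enumerator that the Inline.cpp, InliningDecider.cpp and JavascriptLibrary.cpp hunks stop referencing; confirm whether that enumerator is generated from this header (in which case the remaining references are the only thing keeping the build honest) or declared elsewhere (in which case it is now a dead value and should be removed too).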
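Review bot: In the second lib/Runtime/Library/JavascriptLibrary.cpp hunk, the replacement statement carries both a `//` line and an inline `/* No inlining String_LocaleCompare */` on the same `library->AddFunctionToLibraryObject(...)` call; neither form is used on the neighbouring `builtinFuncs[...]` lines, so keep only the `//` comment and say which flag the inlined path broke (the comment names `implicitCallFlags` but not how the JIT consumes it). The patch summary also reports 4 files changed with no test file among them; a regression test that exercises String.prototype.localeCompare from JIT-compiled code and re-enters Intl.js would catch any future change that puts localeCompare back on the CallDirect inlining list.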
Vulnerability mechanics
Generated on May 9, 2026. Inputs: CWE entries + fix-commit diffs from this CVE's patches. Citations validated against bundle.
References
- www.exploit-db.com/exploits/45432/ (MITRE; exploit; x_refsource_EXPLOIT-DB)
- github.com/advisories/GHSA-h8jq-5737-hpcf (GHSA; advisory)
- nvd.nist.gov/vuln/detail/CVE-2018-8355 (GHSA; advisory)
- www.securityfocus.com/bid/104978 (MITRE; vdb-entry; x_refsource_BID)
- www.securitytracker.com/id/1041457 (MITRE; vdb-entry; x_refsource_SECTRACK)
- github.com/chakra-core/ChakraCore/commit/cf3ef506236da5b7651f4785966ab3131a4aa083 (GHSA; web)
- github.com/chakra-core/ChakraCore/pull/5596 (GHSA; web)
- portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2018-8355 (GHSA; x_refsource_CONFIRM; web)
- web.archive.org/web/20210614055406/http://www.securityfocus.com/bid/104978 (GHSA; web)
- web.archive.org/web/20211203061111/http://www.securitytracker.com/id/1041457 (GHSA; web)
- www.exploit-db.com/exploits/45432 (GHSA; web)