CVE-2018-8381
Description
A memory corruption vulnerability in the Chakra scripting engine allows remote code execution via specially crafted web content in Microsoft Edge.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
A memory corruption vulnerability in the Chakra scripting engine allows remote code execution via specially crafted web content in Microsoft Edge.
Vulnerability
CVE-2018-8381 is a remote code execution vulnerability in the Chakra scripting engine that occurs due to improper handling of objects in memory. This affects Microsoft Edge and ChakraCore. The vulnerability is classified as a "Failure to Handle Exceptional Conditions" [3]. All versions of Microsoft Edge and ChakraCore prior to the August 2018 security updates are affected [4].
Exploitation
An attacker can exploit this vulnerability by hosting a specially crafted website that, when viewed in Microsoft Edge, triggers memory corruption in the Chakra engine. No authentication is required; the attacker only needs to convince the user to visit the malicious site (e.g., via a link in an email or instant message). The vulnerability is remotely exploitable [3].
Impact
Successful exploitation allows the attacker to execute arbitrary code in the context of the current user. If the user has administrative privileges, the attacker can gain full control of the system, including the ability to install programs, view/change/delete data, or create new accounts [2]. This results in complete compromise of confidentiality, integrity, and availability.
Mitigation
Microsoft released security updates on August 14, 2018, as part of its monthly Patch Tuesday to address this vulnerability [4]. Users should apply the updates through Windows Update or by installing the relevant security patch. For ChakraCore, updating to a version that includes the fix (e.g., v1.11.2 or later) is recommended [1]. No workarounds are available; patching is the only mitigation.
- Roadmap
- NVD - CVE-2018-8381
- Microsoft Edge Chakra Scripting Engine CVE-2018-8381 Remote Memory Corruption Vulnerability
- Microsoft Edge Multiple Bugs Let Remote Users Execute Arbitrary Code, Obtain Potentially Sensitive Information, Gain Elevated Privileges, and Bypass Security Restrictions on the Target System
AI Insight generated on May 22, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
Affected packages
Versions sourced from the GitHub Security Advisory.
| Package | Affected versions | Patched versions |
|---|---|---|
Microsoft.ChakraCoreNuGet | < 1.10.2 | 1.10.2 |
Affected products
3- Range: ChakraCore
Patches
11b77d5594161[CVE-2018-8381] Edge - Child Case of type confusion with EntrySimpleObjectSlotGetter
1 file changed · +5 −0
lib/Runtime/Base/CrossSite.cpp+5 −0 modified@@ -99,6 +99,11 @@ namespace Js { MarshalDynamicObject(scriptContext, prototypeObject); } + if (JavascriptProxy::Is(prototypeObject)) + { + // Fetching prototype of proxy can invoke trap - which we don't want during the marshalling time. + break; + } prototype = prototypeObject->GetPrototype(); } }
Vulnerability mechanics
Generated on May 9, 2026. Inputs: CWE entries + fix-commit diffs from this CVE's patches. Citations validated against bundle.
References
9- github.com/advisories/GHSA-6gj2-5366-p95vghsaADVISORY
- nvd.nist.gov/vuln/detail/CVE-2018-8381ghsaADVISORY
- www.securityfocus.com/bid/104980mitrevdb-entryx_refsource_BID
- www.securitytracker.com/id/1041457mitrevdb-entryx_refsource_SECTRACK
- github.com/chakra-core/ChakraCore/commit/1b77d559416116f9719febb7dee3354150277588ghsaWEB
- github.com/chakra-core/ChakraCore/pull/5596ghsaWEB
- portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2018-8381ghsax_refsource_CONFIRMWEB
- web.archive.org/web/20210124194906/http://www.securityfocus.com/bid/104980ghsaWEB
- web.archive.org/web/20211203061111/http://www.securitytracker.com/id/1041457ghsaWEB
News mentions
0No linked articles in our index yet.