CVE-2018-8390
Description
A memory corruption vulnerability in ChakraCore allows remote attackers to execute arbitrary code on affected Microsoft Edge and ChakraCore systems.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
Vulnerability
A remote code execution vulnerability exists in the way the ChakraCore scripting engine handles objects in memory [1]. This memory corruption issue affects Microsoft Edge and ChakraCore [1]. The vulnerability is triggered when the scripting engine improperly handles objects in memory, leading to memory corruption [1]. This CVE is distinct from CVE-2018-8353, CVE-2018-8355, CVE-2018-8359, CVE-2018-8371, CVE-2018-8372, CVE-2018-8373, CVE-2018-8385, and CVE-2018-8389 [1]. The fix for this vulnerability is included in the August 2018 Security Update for ChakraCore [4].
Exploitation
An attacker can exploit this vulnerability by hosting a specially crafted website (or by compromising a website that accepts user-generated content) and then convincing a user to view that website in Microsoft Edge [2][3]. The attacker must craft content that triggers the memory corruption when processed by the ChakraCore scripting engine, leading to code execution in the context of the current user [2][3]. No additional privileges beyond normal web browsing are required, and the vulnerability can be triggered without user interaction beyond visiting the malicious page [2][3].
Impact
Successful exploitation allows the attacker to execute arbitrary code on the target system in the context of the current user [2][3]. If the current user is logged on with administrative user rights, the attacker could take control of the affected system, install programs, view, change, or delete data, or create new accounts with full user rights [2][3]. In a web-based attack scenario, the attacker would need to lure a user to visit the malicious website [3].
Mitigation
Microsoft released a security update for ChakraCore on August 14, 2018, which is included in the ChakraCore repository via pull request #5596 [4]. Users should apply the update to ChakraCore or ensure Microsoft Edge receives the associated security patch. As of the publication date, no workarounds other than applying the patch are available [2][3]. The vulnerability is not known to be listed in CISA's Known Exploited Vulnerabilities (KEV) catalog.
- [1] NVD - CVE-2018-8390
- [2] Microsoft Edge CVE-2018-8390 Remote Memory Corruption Vulnerability
- [3] Microsoft Edge Multiple Bugs Let Remote Users Execute Arbitrary Code, Obtain Potentially Sensitive Information, Gain Elevated Privileges, and Bypass Security Restrictions on the Target System
- [4] August 2018 Security Update by aneeshdk · Pull Request #5596 · chakra-core/ChakraCore
AI Insight generated on May 22, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
Affected packages
Versions sourced from the GitHub Security Advisory.
| Package | Affected versions | Patched versions |
|---|---|---|
| Microsoft.ChakraCore (NuGet) | < 1.10.2 | 1.10.2 |
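
One way to check .NET dependency manifests against the affected range in the table above. This is an added example, not code from the advisory or the ChakraCore project; the manifest contents are constructed samples and the function names are hypothetical.

```python
import re
import xml.etree.ElementTree as ET

PACKAGE = "Microsoft.ChakraCore"  # package name from the table above
PATCHED = (1, 10, 2)              # first patched version from the table above

# Constructed sample manifests (not taken from any real project).
SAMPLE_PACKAGES_CONFIG = """<packages>
  <package id="Microsoft.ChakraCore" version="1.10.1" targetFramework="net461" />
  <package id="Newtonsoft.Json" version="11.0.2" />
</packages>"""
SAMPLE_CSPROJ = """<Project Sdk="Microsoft.NET.Sdk"><ItemGroup>
  <PackageReference Include="microsoft.chakracore" Version="1.10.2" />
</ItemGroup></Project>"""


def is_affected(version_text):
    """True if below PATCHED, False if not, None if it needs manual review."""
    m = re.fullmatch(r"(\d+(?:\.\d+){0,3})(-[0-9A-Za-z.-]+)?", version_text.strip())
    if not m:
        return None  # floating ("1.*") or range ("[1.0,2.0)") specification
    nums = tuple(int(p) for p in m.group(1).split("."))
    nums += (0,) * (4 - len(nums))  # NuGet allows up to four numeric parts
    patched = PATCHED + (0,) * (4 - len(PATCHED))
    # A prerelease of the patched version (1.10.2-beta) sorts before 1.10.2.
    return nums < patched or (nums == patched and m.group(2) is not None)


def find_references(manifest_xml):
    """Yield PACKAGE version strings from packages.config or project XML."""
    for el in ET.fromstring(manifest_xml).iter():
        tag = el.tag.rsplit("}", 1)[-1]  # drop any XML namespace
        name = el.get("id") if tag == "package" else el.get("Include")
        if tag not in ("package", "PackageReference") or name is None:
            continue
        if name.lower() != PACKAGE.lower():  # NuGet ids are case-insensitive
            continue
        version = el.get("version") or el.get("Version")
        if version is None:  # <Version> child element form
            child = next((c for c in el if c.tag.rsplit("}", 1)[-1] == "Version"), None)
            version = (child.text or "") if child is not None else ""
        yield version


def audit(manifest_xml):
    """Return (version, affected) pairs for each PACKAGE reference found."""
    return [(v, is_affected(v)) for v in find_references(manifest_xml)]


if __name__ == "__main__":
    for sample in (SAMPLE_PACKAGES_CONFIG, SAMPLE_CSPROJ):
        print(audit(sample))
```

A result of `None` marks a floating or range version that has to be resolved from the restore output or lock file before it can be judged.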
Affected products
- Range: ChakraCore
Patches
63ae30a750a4 [CVE-2018-8390] Edge - Inlining a fixed deferred function can lead to OOB read/write - Internal
1 file changed · +1 −1
lib/Backend/NativeCodeGenerator.cpp+1 −1 modified@@ -2848,7 +2848,7 @@ NativeCodeGenerator::GatherCodeGenData( inlineCache->TryGetFixedMethodFromCache(functionBody, ldFldInlineCacheIndex, &fixedFunctionObject); } - if (fixedFunctionObject && !fixedFunctionObject->GetFunctionInfo()->IsDeferred() && fixedFunctionObject->GetFunctionBody() != inlineeFunctionBody) + if (fixedFunctionObject && fixedFunctionObject->GetFunctionInfo() != inlineeFunctionBody->GetFunctionInfo()) { fixedFunctionObject = nullptr; }
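Review bot: the replacement condition dereferences inlineeFunctionBody (`inlineeFunctionBody->GetFunctionInfo()`) where the removed line only compared the pointer, so assert that inlineeFunctionBody is non-null at this point in GatherCodeGenData or guard the call. The commit touches one file and carries no regression test; a test that inlines a fixed deferred function, the case named in the commit title, would keep the removed `!IsDeferred()` short-circuit from being reintroduced. A short comment stating why GetFunctionInfo() is compared instead of GetFunctionBody(), given that the removed condition skipped the mismatch check for deferred functions, would document the intent.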
Vulnerability mechanics
Generated on May 9, 2026. Inputs: CWE entries + fix-commit diffs from this CVE's patches. Citations validated against bundle.
References
- github.com/advisories/GHSA-jgj7-hq9p-rqmg (ghsa, ADVISORY)
- nvd.nist.gov/vuln/detail/CVE-2018-8390 (ghsa, ADVISORY)
- www.securityfocus.com/bid/105041 (mitre, vdb-entry, x_refsource_BID)
- www.securitytracker.com/id/1041457 (mitre, vdb-entry, x_refsource_SECTRACK)
- github.com/chakra-core/ChakraCore/commit/63ae30a750a4a0b2a2eb61a35dd3d2fc10104a90 (ghsa, WEB)
- github.com/chakra-core/ChakraCore/pull/5596 (ghsa, WEB)
- portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2018-8390 (ghsa, x_refsource_CONFIRM, WEB)
- web.archive.org/web/20210614054332/http://www.securityfocus.com/bid/105041 (ghsa, WEB)
- web.archive.org/web/20211203061111/http://www.securitytracker.com/id/1041457 (ghsa, WEB)