CVE-2018-8423
Description
A remote code execution vulnerability exists in the Microsoft JET Database Engine, aka "Microsoft JET Database Engine Remote Code Execution Vulnerability." This affects Windows 7, Windows Server 2012 R2, Windows RT 8.1, Windows Server 2008, Windows Server 2019, Windows Server 2012, Windows 8.1, Windows Server 2016, Windows Server 2008 R2, Windows 10, Windows 10 Servers.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
A remote code execution vulnerability in Microsoft JET Database Engine allows attackers to execute arbitrary code via a specially crafted data source, impacting all supported Windows versions, with incomplete official patches later re-patched.
Vulnerability
The vulnerability exists in the Microsoft JET Database Engine (msrd3x40.dll), affecting all supported Windows versions including Windows 7, Windows Server 2012 R2, Windows RT 8.1, Windows Server 2008, Windows Server 2019, Windows Server 2012, Windows 8.1, Windows Server 2016, Windows Server 2008 R2, Windows 10, and Windows 10 Servers [1]. The bug is a memory corruption vulnerability triggered when the JET engine parses a specially crafted database file. The code path is reachable when a user (or an automated process such as a browser) opens a malicious data source, often via JavaScript or HTML that instantiates the JET engine to access a remote file. The engine is only supported in 32-bit applications, meaning 64-bit processes are not directly exploitable, but Internet Explorer on 64-bit Windows runs 32-bit rendering processes, making the attack viable through the browser [1].
Exploitation
An attacker must deliver a malicious data source file to the target. The most practical vector is via Internet Explorer: a crafted HTML page can use JET to access a data source file hosted on a remote share or local drive. On IE11, the security setting "Access data sources across domains" is disabled by default in Internet and Intranet zones, so the attack does not work from a remote website but does succeed when the malicious HTML and data source are loaded from a local drive (e.g., USB disk) or a shared folder [1]. Alternatively, an attacker can convince a user to run a malicious .js file using the 32-bit wscript.exe (found in c:\windows\SysWOW64\wscript.exe) on 64-bit systems [1]. The attacker does not require authentication or special privileges beyond getting the user to open the crafted file or HTML.
Impact
Successful exploitation results in arbitrary remote code execution in the context of the current user. An attacker can gain complete control over the affected system, including the ability to install programs, view/change/delete data, or create new accounts with full user rights. The impact is limited to the privileges of the logged-on user, but if that user has administrative rights, the attacker can take over the entire machine [1].
Mitigation
Microsoft released an official fix as part of the October 2018 Monthly Update on October 9, 2018, updating msrd3x40.dll from version 4.0.9801.0 to 4.0.9801.5 [2]. However, this patch was found to be incomplete, as the underlying vulnerability was not fully addressed. The 0patch team created a free micropatch within 24 hours of the vulnerability disclosure (September 21, 2018) and later re-micropatched over the flawed Microsoft patch to fully mitigate the issue [1][2]. Users should apply the latest official updates from Microsoft and consider using 0patch's micropatches as an additional layer of defense. No workaround other than avoiding the use of JET engine from untrusted data sources is available [1].
AI Insight generated on May 26, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
Affected products (12)
- Range: 32-bit Systems
- Range: version 1709 (Server Core Installation)
- Range: 32-bit systems
- Range: Windows RT 8.1
32-bit Systems Service Pack 2 (+ 1 more)
- (no CPE) Range: 32-bit Systems Service Pack 2
- (no CPE) Range: Itanium-Based Systems Service Pack 1
(Server Core installation) (+ 1 more)
- (no CPE) Range: (Server Core installation)
- (no CPE) Range: (Server Core installation)
- Range: (Server Core installation)
- Range: (Server Core installation)
Patches
No patches discovered yet.
Vulnerability mechanics
Root cause
"Missing bounds validation on an attacker-controlled index value from a malformed Jet database file allows an out-of-bounds heap memory write."
Attack vector
An attacker provides a malformed Jet database data source file containing a crafted index value (e.g., 0x2300) that exceeds the valid array bounds of 0x80 elements [ref_id=1]. When a 32-bit application (such as Internet Explorer's rendering process, which is 32-bit even on 64-bit Windows) loads this malformed data source, the JET engine copies the attacker-controlled index from the file into memory and later uses it to write past the allocated heap buffer [ref_id=1]. The attack can be triggered by opening a malicious HTML file from a local drive (or USB disk) in Internet Explorer, though the user must press "Allow blocked content" [ref_id=1]. A more realistic vector could involve a malicious Office document referencing an external malformed Jet data source [ref_id=1].
Affected code
The vulnerability resides in the Microsoft JET Database Engine, specifically in the `msrd3x40.dll` binary (version 4.0.9801.0 on most Windows versions) [ref_id=1]. The crash occurs in function `TblPage::CreateIndexes` at an instruction that writes to an array indexed by a user-supplied value copied from the malformed data source file [ref_id=1]. The index value originates from the file at offset 1257h and is processed through function `Index::Restore` before being used as an array index [ref_id=1].
What the fix does
The micropatch inserts a bounds check immediately after the call to `Index::Restore`, comparing the user-supplied index value at `[esi+24h]` against the maximum valid index of 0x80 [ref_id=1]. If the index exceeds 0x80, the patch overwrites it with 0 (a safe value) and optionally displays an "Exploit Blocked" notification [ref_id=1]. Microsoft's official October 2018 update replaced `msrd3x40.dll` with version 4.0.9801.5, but this official fix was later found to be incomplete, prompting a second micropatch [ref_id=2]. The bounds-check approach prevents heap memory corruption by ensuring the attacker-supplied index never accesses memory beyond the fixed-size 0x778-byte object's array region [ref_id=1].
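The bounds check described above, modelled in C as an added example (not 0patch's or Microsoft's code). The struct layout, the function names and the array sized so that indexes 0 through 0x80 stay in bounds are assumptions made for illustration.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>

#define MAX_INDEX 0x80u   /* limit the micropatch compares against, per the page */

/* Hypothetical model object; not the real msrd3x40.dll layout. */
struct table_model {
    uint32_t index_no;               /* index value copied from the data source */
    uint32_t slots[MAX_INDEX + 1u];  /* modelling choice: 0..0x80 all in bounds */
    int      blocked;                /* set when a bad index was neutralised */
};

/* Stand-in for the restore step: copies the file-supplied value unvalidated. */
static void restore_index(struct table_model *t, uint32_t from_file)
{
    t->index_no = from_file;
}

/* The check described above: anything above 0x80 is replaced with 0. */
static uint32_t sanitize_index(struct table_model *t)
{
    if (t->index_no > MAX_INDEX) {
        t->index_no = 0;
        t->blocked = 1;
    }
    return t->index_no;
}

/* Restore, validate, then write. Returns the slot actually written. */
uint32_t create_index_checked(struct table_model *t, uint32_t from_file,
                              uint32_t value)
{
    restore_index(t, from_file);
    uint32_t i = sanitize_index(t);  /* omit this and the write can leave slots[] */
    t->slots[i] = value;
    return i;
}

int main(void)
{
    struct table_model t;
    memset(&t, 0, sizeof t);
    uint32_t ok  = create_index_checked(&t, 0x10, 0xAAAA);   /* constructed value */
    uint32_t bad = create_index_checked(&t, 0x2300, 0xBBBB); /* value cited on the page */
    printf("valid -> slot %u, oversized -> slot %u, blocked=%d\n",
           (unsigned)ok, (unsigned)bad, t.blocked);
    return 0;
}
```

The check has to sit between the copy from the file and the first use of the value as an array index, which is where the page places the micropatch.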
Preconditions
- config: The vulnerable application (e.g., Internet Explorer, wscript.exe) must be running in 32-bit mode, as Jet is only supported in 32-bit
- input: The user must open a malicious file (e.g., .html from local drive, .js via 32-bit wscript.exe, or a crafted Office document) that triggers loading of a malformed Jet data source
- config: For Internet Explorer attack vector, the user must press 'Allow blocked content' button, and the 'Access data sources across domains' security setting must be enabled (disabled by default in Internet and Intranet zones)
Generated on May 25, 2026. Inputs: CWE entries + fix-commit diffs from this CVE's patches. Citations validated against bundle.
References (4)
- www.securitytracker.com/id/1041837 (mitre, vdb-entry, x_refsource_SECTRACK)
- blog.0patch.com/2018/09/outrunning-attackers-on-jet-database.html (mitre, x_refsource_MISC)
- blog.0patch.com/2018/10/patching-re-patching-and-meta-patching.html (mitre, x_refsource_MISC)
- portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2018-8423 (mitre, x_refsource_CONFIRM)