CVE-2018-8456
Description
A memory corruption vulnerability in the ChakraCore scripting engine allows remote code execution in Microsoft Edge and ChakraCore when a user visits a crafted webpage.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
Vulnerability
A remote code execution vulnerability exists in the ChakraCore scripting engine's handling of objects in memory, leading to memory corruption [1][3]. Affected products include Microsoft Edge (on all supported Windows platforms) and the ChakraCore standalone engine. The flaw is classified as CWE-118 (Failure to Handle Exceptional Conditions) [2]. This CVE is distinct from CVE-2018-8354, CVE-2018-8391, CVE-2018-8457, and CVE-2018-8459 [1].
Exploitation
An attacker must craft a malicious webpage that triggers the memory corruption within the ChakraCore scripting engine when rendered by the target user's browser (e.g., Microsoft Edge) [2][3]. No authentication or local access is required; the victim only needs to visit the attacker-controlled site [2]. Successful exploitation involves corrupting the scripting engine's object memory through methods such as specially crafted JavaScript [3].
Impact
If the attacker successfully exploits the memory corruption, they can achieve remote code execution in the context of the current user [1][3]. This could allow the attacker to install programs, view/change/delete data, or create new accounts with full user rights [3]. The privilege level obtained is limited to the user's permissions, but on a standard system this often enables significant control.
Mitigation
Microsoft released security updates to address CVE-2018-8456 in September 2018 (e.g., via the Microsoft September 2018 Patch Tuesday). These updates should be applied to both Microsoft Edge and the ChakraCore libraries [3]. For ChakraCore standalone, users should upgrade to version 1.11 or later (ChakraCore's last security-update-supported version until March 2021) [4]. No workarounds other than applying the vendor-supplied patch are documented in these references, and the vulnerability is not listed on the CISA KEV as of October 2024.
- NVD - CVE-2018-8456
- Microsoft ChakraCore Scripting Engine CVE-2018-8456 Remote Memory Corruption Vulnerability
- Microsoft Edge Multiple Bugs Let Remote Users Execute Arbitrary Code, Obtain Potentially Sensitive Information, Gain Elevated Privileges, and Spoof Content on the Target System
- GitHub - chakra-core/ChakraCore: ChakraCore is an open source Javascript engine with a C API.
AI Insight generated on May 22, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
Affected packages
Versions sourced from the GitHub Security Advisory.
| Package | Affected versions | Patched versions |
|---|---|---|
| Microsoft.ChakraCore (NuGet) | < 1.11.1 | 1.11.1 |
Affected products
- Range: ChakraCore
Patches
98360625854f: [CVE-2018-8456] Edge - Chakra JIT Loop LandingPad ImplicitCall Bypass - Qihoo 360
1 file changed · +12 −2
lib/Backend/GlobOpt.cpp+12 −2 modified@@ -14500,13 +14500,23 @@ GlobOpt::OptHoistUpdateValueType( // Replace above will free srcOpnd, so reassign it *srcOpndPtr = srcOpnd = reinterpret_cast<IR::Opnd *>(strOpnd); - if (loop->bailOutInfo->bailOutInstr) + if (IsImplicitCallBailOutCurrentlyNeeded(convPrimStrInstr, opndValueInLandingPad, nullptr, landingPad, landingPad->globOptData.liveFields->IsEmpty(), true, true)) { + EnsureBailTarget(loop); loop->bailOutInfo->bailOutInstr->InsertBefore(convPrimStrInstr); + convPrimStrInstr = convPrimStrInstr->ConvertToBailOutInstr(convPrimStrInstr, IR::BailOutOnImplicitCallsPreOp, loop->bailOutInfo->bailOutOffset); + convPrimStrInstr->ReplaceBailOutInfo(loop->bailOutInfo); } else { - landingPad->InsertAfter(convPrimStrInstr); + if (loop->bailOutInfo->bailOutInstr) + { + loop->bailOutInfo->bailOutInstr->InsertBefore(convPrimStrInstr); + } + else + { + landingPad->InsertAfter(convPrimStrInstr); + } } // If we came here opndSym can't be PropertySym
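Review bot: in the new bailout branch of `GlobOpt::OptHoistUpdateValueType`, `loop->bailOutInfo->bailOutInstr->InsertBefore(convPrimStrInstr)` is now reached without the `if (loop->bailOutInfo->bailOutInstr)` check that guarded it before, so this branch depends on `EnsureBailTarget(loop)` always leaving `bailOutInstr` non-null; an assertion to that effect right after the call would make the invariant explicit and catch a regression early. The `nullptr` and trailing `true, true` arguments to `IsImplicitCallBailOutCurrentlyNeeded` are bare literals, and a short comment naming each parameter would make it much easier to audit why an implicit-call bailout is required for the hoisted conversion. The change touches only lib/Backend/GlobOpt.cpp, so a regression test that exercises the hoisted string conversion in the loop landing pad should accompany it.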
Vulnerability mechanics
Generated on May 9, 2026. Inputs: CWE entries + fix-commit diffs from this CVE's patches. Citations validated against bundle.
References
- github.com/advisories/GHSA-6xmv-mx7q-789r (ghsa, ADVISORY)
- nvd.nist.gov/vuln/detail/CVE-2018-8456 (ghsa, ADVISORY)
- www.securityfocus.com/bid/105227 (mitre, vdb-entry, x_refsource_BID)
- www.securitytracker.com/id/1041623 (mitre, vdb-entry, x_refsource_SECTRACK)
- github.com/chakra-core/ChakraCore/commit/98360625854f84262ce8de59a7f57496393281f3 (ghsa, WEB)
- github.com/chakra-core/ChakraCore/pull/5688 (ghsa, WEB)
- portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2018-8456 (ghsa, x_refsource_CONFIRM, WEB)
- web.archive.org/web/20210124202635/http://www.securityfocus.com/bid/105227 (ghsa, WEB)
- web.archive.org/web/20210517133345/http://www.securitytracker.com/id/1041623 (ghsa, WEB)