CVE-2018-8465
Description
A memory corruption vulnerability in ChakraCore/Microsoft Edge allows remote code execution via a crafted website.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
A memory corruption vulnerability in ChakraCore/Microsoft Edge allows remote code execution via a crafted website.
Vulnerability
A remote code execution vulnerability exists in the way that the Chakra scripting engine handles objects in memory in Microsoft Edge [1]. This affects Microsoft Edge and ChakraCore [1]. The vulnerability is a memory corruption issue that occurs when the scripting engine improperly handles objects in memory [2]. Affected versions include Microsoft Edge on various Windows 10 builds and ChakraCore prior to security updates provided in September 2018 [2][4].
Exploitation
An attacker who successfully exploited this vulnerability could gain the same user rights as the current user [1]. Exploitation requires that a user visit a specially crafted website using Microsoft Edge, or open a specially crafted file that invokes the vulnerable code path [2][3]. The attacker can host the website or inject the malicious content into a compromised site [3]. No authentication is required; the attacker only needs to convince the user to view the crafted content [2].
Impact
Successful exploitation allows remote code execution in the context of the current user [1]. The attacker can then install programs, view, change, or delete data, or create new accounts with full user rights [1]. The impact is limited to the privileges of the user running Edge; if the user has administrative rights, the attacker could take complete control of the affected system [2].
Mitigation
Microsoft released security updates on September 11, 2018, which addressed this vulnerability [3]. Users should apply the latest Windows and Edge updates [3]. ChakraCore users should update to the patched version [4]. No workaround is available beyond applying the patch [3].
- NVD - CVE-2018-8465
- Microsoft ChakraCore Scripting Engine CVE-2018-8465 Remote Memory Corruption Vulnerability
- Microsoft Edge Multiple Bugs Let Remote Users Execute Arbitrary Code, Obtain Potentially Sensitive Information, Gain Elevated Privileges, and Spoof Content on the Target System
- GitHub - chakra-core/ChakraCore: ChakraCore is an open source Javascript engine with a C API.
AI Insight generated on May 22, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
Affected packages
Versions sourced from the GitHub Security Advisory.
| Package | Affected versions | Patched versions |
|---|---|---|
Microsoft.ChakraCoreNuGet | < 1.11.1 | 1.11.1 |
Affected products
3- Range: ChakraCore
Patches
17e235c914df5[CVE-2018-8465] Chakra - Invalid stack read leads to type confusion - Individual
2 files changed · +7 −1
lib/Backend/arm64/LowerMD.cpp+2 −1 modified@@ -1129,7 +1129,8 @@ ARM64StackLayout::ARM64StackLayout(Func* func) // the worst case assumption (homing all NUM_INT_ARG_REGS). this->m_hasCalls = func->GetHasCalls() || func->HasAnyStackNestedFunc() || - !LowererMD::IsSmallStack(this->TotalStackSize() + NUM_INT_ARG_REGS * MachRegInt); + !LowererMD::IsSmallStack(this->TotalStackSize() + NUM_INT_ARG_REGS * MachRegInt) || + Lowerer::IsArgSaveRequired(func); // Home the params. This is done to enable on-the-fly creation of the arguments object, // Dyno bailout code, etc. For non-global functions, that means homing all the param registers
lib/Backend/arm/LowerMD.cpp+5 −0 modified@@ -1108,6 +1108,11 @@ LowererMD::LowerEntryInstr(IR::EntryInstr * entryInstr) unwindInfo->SetHasCalls(true); } + if (Lowerer::IsArgSaveRequired(this->m_func)) + { + unwindInfo->SetHasCalls(true); + } + bool hasCalls = unwindInfo->GetHasCalls(); // Home the params. This is done to enable on-the-fly creation of the arguments object,
Vulnerability mechanics
Generated on May 9, 2026. Inputs: CWE entries + fix-commit diffs from this CVE's patches. Citations validated against bundle.
References
9- github.com/advisories/GHSA-mm5q-x9qg-x4vpghsaADVISORY
- nvd.nist.gov/vuln/detail/CVE-2018-8465ghsaADVISORY
- www.securityfocus.com/bid/105242mitrevdb-entryx_refsource_BID
- www.securitytracker.com/id/1041623mitrevdb-entryx_refsource_SECTRACK
- github.com/chakra-core/ChakraCore/commit/7e235c914df50f4bb42efad55a7527350a7cc7aeghsaWEB
- github.com/chakra-core/ChakraCore/pull/5688ghsaWEB
- portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2018-8465ghsax_refsource_CONFIRMWEB
- web.archive.org/web/20210418114945/http://www.securityfocus.com/bid/105242ghsaWEB
- web.archive.org/web/20210517133345/http://www.securitytracker.com/id/1041623ghsaWEB
News mentions
0No linked articles in our index yet.