CVE-2018-8500
Description
A remote code execution vulnerability exists in ChakraCore scripting engine due to memory corruption during jit-compiled entry point cleanup.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
Vulnerability
A remote code execution vulnerability exists in the way the ChakraCore scripting engine handles objects in memory [1]. The issue is a memory corruption that occurs after cleanup of JIT-compiled entry points [3]. The fix in commit cd84a0b changes two things [3]: the routine that maps a callback over a function's object types now calls it on undeferredFunctionType explicitly, instead of relying on the old comment's assumption that the type was already present in the list of registered function object types, and the path that adds a weak reference to that list gains an assertion that the functionType being added is neither deferredPrototypeType nor undeferredFunctionType, so the explicitly mapped types are never also reached through the list. The references do not name the first vulnerable version; the affected-packages table below, sourced from the GitHub Security Advisory, lists Microsoft.ChakraCoreNuGet as affected before 1.11.2. Microsoft ChakraCore is the open-source component of the Chakra engine [2].
Exploitation
An attacker could exploit this vulnerability remotely by convincing a user to visit a specially crafted webpage, or through any other channel that feeds attacker-controlled JavaScript to the engine [1]. The only precondition is that the attacker's script is evaluated by a vulnerable ChakraCore build; the memory corruption itself is triggered after the cleanup of JIT-compiled entry points [3]. The fix commit contains no test or trigger, only the two-file change to the type mapping and registration code [3]. The vulnerability was reported by Paul Leathers [4]. No authentication or special privileges are required for exploitation [1][4].
Impact
Successful exploitation allows an attacker to execute arbitrary code in the context of the current user [1]: the attacker gains whatever privileges the process hosting ChakraCore runs with, which for an unsandboxed host means compromise of that user's session. The vulnerability affects the confidentiality, integrity, and availability of the target [1].
Mitigation
Microsoft released a security update to address this vulnerability. For the Microsoft.ChakraCoreNuGet package the GitHub Security Advisory lists 1.11.2 as the patched version, and Microsoft stated it would continue to provide security updates for ChakraCore 1.11 until March 9, 2021 [2]; after that date no further official updates from Microsoft are provided [2]. Users should update to a build that includes commit cd84a0b [3] or a later release. No workarounds are documented in the available references.
AI Insight generated on May 22, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
Affected packages
Versions sourced from the GitHub Security Advisory.
| Package | Affected versions | Patched versions |
|---|---|---|
| Microsoft.ChakraCoreNuGet | < 1.11.2 | 1.11.2 |
Affected products
- Range: ChakraCore
Patches
cd84a0b85b4b [CVE-2018-8500] RCE after cleanup of jitted entry points
2 files changed · +5 −3
lib/Runtime/Base/FunctionBody.cpp+1 −1 modified@@ -2105,7 +2105,7 @@ namespace Js { FunctionTypeWeakRefList* typeList = EnsureFunctionObjectTypeList(); - Assert(functionType != deferredPrototypeType); + Assert(functionType != deferredPrototypeType && functionType != undeferredFunctionType); Recycler * recycler = this->GetScriptContext()->GetRecycler(); FunctionTypeWeakRef* weakRef = recycler->CreateWeakReferenceHandle(functionType); typeList->SetAtFirstFreeSpot(weakRef);
lib/Runtime/Base/FunctionBody.h+4 −2 modified@@ -1088,8 +1088,10 @@ namespace Js { func(this->deferredPrototypeType); } - // NOTE: We deliberately do not map the undeferredFunctionType here, since it's in the list - // of registered function object types we processed above. + if (this->undeferredFunctionType) + { + func(this->undeferredFunctionType); + } } static uint GetOffsetOfDeferredPrototypeType() { return static_cast<uint>(offsetof(Js::FunctionProxy, deferredPrototypeType)); }
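Review bot: the strengthened check at `Assert(functionType != deferredPrototypeType && functionType != undeferredFunctionType);` in FunctionBody.cpp only executes in debug builds, so in a release build a caller that still registers undeferredFunctionType gets its weak reference added to typeList and, now that the header maps that type explicitly, the type is processed twice during entry point cleanup. Consider a check that also holds in release builds (a fail-fast assertion or an early return before `typeList->SetAtFirstFreeSpot(weakRef);`), plus a one-line comment saying why these two types must stay out of the list.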
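Review bot: the removed NOTE in FunctionBody.h was the only place documenting how undeferredFunctionType gets covered, and the new `if (this->undeferredFunctionType) { func(this->undeferredFunctionType); }` block silently flips that contract to the opposite one: the type must now never be in the registered list, or the callback sees it twice. Replace the deleted comment with one stating the new invariant and pointing at the matching assertion in FunctionBody.cpp, so the registration path is not changed back later without this mapper being updated with it.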
Vulnerability mechanics
Generated on May 9, 2026. Inputs: CWE entries + fix-commit diffs from this CVE's patches. Citations validated against bundle.
References
- github.com/advisories/GHSA-fw42-4mq4-4qpq (GHSA; advisory)
- nvd.nist.gov/vuln/detail/CVE-2018-8500 (GHSA; advisory)
- www.securityfocus.com/bid/105463 (MITRE; vdb-entry, x_refsource_BID)
- github.com/chakra-core/ChakraCore/commit/cd84a0b85b4b2bcf1653c7bfd5426bbc72b2b216 (GHSA; web)
- github.com/chakra-core/ChakraCore/pull/5764 (GHSA; web)
- portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2018-8500 (GHSA; x_refsource_CONFIRM, web)
- web.archive.org/web/20210124210846/http://www.securityfocus.com/bid/105463 (GHSA; web)
News mentions
No linked articles in our index yet.