CVE-2018-8503
Description
A memory corruption vulnerability in the Chakra scripting engine in Microsoft Edge allows remote code execution when a user visits a crafted webpage.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
Vulnerability
The vulnerability is a memory corruption issue in the way the Chakra scripting engine handles objects in memory, classified as a failure to handle exceptional conditions [1][2]. It affects Microsoft Edge on various Windows 10 versions (32-bit, x64, ARM) and ChakraCore [1][2]. The bug is reachable when the engine processes specially crafted JavaScript content in a web page.
Exploitation
An attacker can exploit this vulnerability by hosting a malicious website or by injecting malicious content into a trusted site that the user visits [2]. No authentication or special privileges are required; the attacker only needs to convince the user to interact with the content (e.g., by clicking a link). The crafted content triggers the memory corruption when parsed by the Chakra scripting engine [4].
Impact
Successful exploitation allows the attacker to execute arbitrary code in the context of the current user. If the user has administrative rights, the attacker can gain full control of the system, including installing programs, viewing/changing/deleting data, and creating new accounts [1][2]. The impact is remote code execution with the same privileges as the user.
Mitigation
Microsoft released a security update on October 9, 2018, as part of its monthly Patch Tuesday, which addresses this vulnerability for all affected Windows 10 versions and Microsoft Edge [4]. ChakraCore users should update to the corresponding patched version. No workarounds are available. The vulnerability is not known to be listed on the CISA Known Exploited Vulnerabilities (KEV) catalog as of the last update.
AI Insight generated on May 22, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
Affected packages
Versions sourced from the GitHub Security Advisory.
| Package | Affected versions | Patched versions |
|---|---|---|
| Microsoft.ChakraCore (NuGet) | < 1.11.2 | 1.11.2 |
Affected products
- Range: ChakraCore
Patches
062b4d9f4272 [CVE-2018-8503] Edge - RCE :Type Confusion Bug For Edge Bounty Program - Qihoo 360
1 file changed · +0 −2
lib/Runtime/Library/JavascriptArray.cpp+0 −2 modified@@ -1499,13 +1499,11 @@ using namespace Js; bool isTaggedInt = TaggedInt::Is(item); bool isTaggedIntMissingValue = false; -#ifdef TARGET_64 if (isTaggedInt) { int32 iValue = TaggedInt::ToInt32(item); isTaggedIntMissingValue = Js::SparseArraySegment<int32>::IsMissingItem(&iValue); } -#endif if (isTaggedInt && !isTaggedIntMissingValue) { // This is taggedInt case and we verified that item is not missing value in AMD64.
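Review bot: The context comment directly after the removed `#endif` still reads "we verified that item is not missing value in AMD64", which is stale now that the `IsMissingItem` check is no longer guarded by `#ifdef TARGET_64` and runs on every target; reword it to drop the AMD64 qualifier so the comment matches the code. The commit changes one file only (+0 −2), so it would also be worth adding a regression test that passes a tagged int equal to the int32 missing-item value through this path on a non-64-bit build.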
Vulnerability mechanics
Generated on May 9, 2026. Inputs: CWE entries + fix-commit diffs from this CVE's patches. Citations validated against bundle.
References
- github.com/advisories/GHSA-2589-r26x-mh8p (ghsa, ADVISORY)
- nvd.nist.gov/vuln/detail/CVE-2018-8503 (ghsa, ADVISORY)
- www.securityfocus.com/bid/105464 (mitre, vdb-entry, x_refsource_BID)
- www.securitytracker.com/id/1041825 (mitre, vdb-entry, x_refsource_SECTRACK)
- github.com/chakra-core/ChakraCore/commit/062b4d9f42723ce7c2725f844cbf5431d52ca999 (ghsa, WEB)
- github.com/chakra-core/ChakraCore/pull/5764 (ghsa, WEB)
- portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2018-8503 (ghsa, x_refsource_CONFIRM, WEB)
- web.archive.org/web/20210729123415/http://www.securityfocus.com/bid/105464 (ghsa, WEB)
- web.archive.org/web/20210927074321/http://www.securitytracker.com/id/1041825 (ghsa, WEB)