CVE-2018-8510
Description
Chakra scripting engine memory corruption in Microsoft Edge allows remote code execution via crafted web content.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
Chakra scripting engine memory corruption in Microsoft Edge allows remote code execution via crafted web content.
Vulnerability
A remote code execution vulnerability exists in the Chakra scripting engine used by Microsoft Edge and ChakraCore [1]. The flaw is a memory corruption issue when handling objects in memory [1]. Affected versions include Microsoft Edge on Windows 10 (all variants) and ChakraCore prior to the security update [2][3].
Exploitation
An attacker can host a specially crafted website or inject malicious content into a compromised site. When a user visits this site using Microsoft Edge, the memory corruption is triggered [4]. No authentication or user interaction beyond browsing is required; the vulnerability is remotely exploitable [2][4].
Impact
Successful exploitation allows an attacker to execute arbitrary code in the context of the current user. If the user has elevated privileges, the attacker can gain full system control, install programs, view/change data, or create new accounts [1][4].
Mitigation
Microsoft released security updates in October 2018 Patch Tuesday [2][4]. Users should apply the latest updates for Edge and Windows. For ChakraCore, the latest security-fixed version should be used; note that support for ChakraCore 1.11 ended in March 2021 [3]. No workaround is available; patching is required.
- NVD - CVE-2018-8510
- Microsoft Edge Chakra Scripting Engine CVE-2018-8510 Remote Memory Corruption Vulnerability
- GitHub - chakra-core/ChakraCore: ChakraCore is an open source Javascript engine with a C API.
- Microsoft Edge Multiple Bugs Let Remote Users Execute Arbitrary Code and Obtain Conduct Cross-Site Scripting Attacks on the Target System
AI Insight generated on May 22, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
Affected packages
Versions sourced from the GitHub Security Advisory.
| Package | Affected versions | Patched versions |
|---|---|---|
Microsoft.ChakraCoreNuGet | < 1.11.2 | 1.11.2 |
Affected products
3- Range: ChakraCore
Patches
19b36ce832c9a[CVE-2018-8510] Edge - missing BytecodeUses for IsIn optimization leads to type confusion
1 file changed · +4 −1
lib/Backend/GlobOptArrays.cpp+4 −1 modified@@ -320,7 +320,8 @@ void GlobOpt::ArraySrcOpt::CheckVirtualArrayBounds() { Assert(instr->m_opcode == Js::OpCode::InlineArrayPush || instr->m_opcode == Js::OpCode::InlineArrayPop || - instr->m_opcode == Js::OpCode::LdLen_A); + instr->m_opcode == Js::OpCode::LdLen_A || + instr->m_opcode == Js::OpCode::IsIn); } eliminatedLowerBoundCheck = true; @@ -1988,6 +1989,8 @@ void GlobOpt::ArraySrcOpt::Optimize() { TRACE_TESTTRACE_PHASE_INSTR(Js::Phase::BoundCheckEliminationPhase, instr, _u("Eliminating IsIn\n")); + globOpt->CaptureByteCodeSymUses(instr); + instr->m_opcode = Js::OpCode::Ld_A; IR::AddrOpnd * addrOpnd = IR::AddrOpnd::New(func->GetScriptContextInfo()->GetTrueAddr(), IR::AddrOpndKindDynamicVar, func, true);
Vulnerability mechanics
Generated on May 9, 2026. Inputs: CWE entries + fix-commit diffs from this CVE's patches. Citations validated against bundle.
References
9- github.com/advisories/GHSA-vjf9-8wqg-xc7rghsaADVISORY
- nvd.nist.gov/vuln/detail/CVE-2018-8510ghsaADVISORY
- www.securityfocus.com/bid/105470mitrevdb-entryx_refsource_BID
- www.securitytracker.com/id/1041825mitrevdb-entryx_refsource_SECTRACK
- github.com/chakra-core/ChakraCore/commit/9b36ce832c9a81bb51e3b1a39067feadcd1e14d2ghsaWEB
- github.com/chakra-core/ChakraCore/pull/5764ghsaWEB
- portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2018-8510ghsax_refsource_CONFIRMWEB
- web.archive.org/web/20210124210906/http://www.securityfocus.com/bid/105470ghsaWEB
- web.archive.org/web/20210927074321/http://www.securitytracker.com/id/1041825ghsaWEB
News mentions
0No linked articles in our index yet.