CVE-2018-8513
Description
Chakra scripting engine memory corruption in Microsoft Edge and ChakraCore allows remote code execution via crafted website.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
Vulnerability
A remote code execution vulnerability exists in the way that the Chakra scripting engine handles objects in memory in Microsoft Edge, affecting versions on Windows 10 32-bit and x64-based systems, as well as ChakraCore [1][2]. This memory corruption issue, classified as a failure to handle exceptional conditions, can be triggered when processing specially crafted content [2]. The vulnerability is distinct from CVE-2018-8503, CVE-2018-8505, CVE-2018-8510, and CVE-2018-8511 [1].
Exploitation
An attacker can exploit this vulnerability by hosting a malicious website and persuading a user to visit it [1][4]. No authentication or special privileges are required. The user must only browse to the attacker-controlled site using Microsoft Edge or ChakraCore [2]. The attacker may also embed malicious content in other applications or documents that host the Edge WebView component [4].
Impact
Successful exploitation allows an attacker to execute arbitrary code in the context of the current user [1][4]. This can lead to full compromise of the affected system, including installation of programs, viewing, changing, or deleting data, and creation of new accounts with full user rights [1].
Mitigation
Microsoft released security updates on October 9, 2018, to address this vulnerability [4]. Users should apply the latest Microsoft Edge or Windows updates. For ChakraCore, Microsoft continued to provide security updates until March 9, 2021, after which the engine entered a community-supported phase [3]. No workarounds have been disclosed [2].
- [1] NVD - CVE-2018-8513
- [2] Microsoft Edge Chakra Scripting Engine CVE-2018-8513 Remote Memory Corruption Vulnerability
- [3] GitHub - chakra-core/ChakraCore: ChakraCore is an open source Javascript engine with a C API.
- [4] Microsoft Edge Multiple Bugs Let Remote Users Execute Arbitrary Code and Obtain Conduct Cross-Site Scripting Attacks on the Target System
AI Insight generated on May 22, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
Affected packages
Versions sourced from the GitHub Security Advisory.
| Package | Affected versions | Patched versions |
|---|---|---|
| Microsoft.ChakraCore (NuGet) | < 1.11.2 | 1.11.2 |
Affected products (3)
- Range: ChakraCore
Patches (1)
8997c7017891 [CVE-2018-8513] Type confusion after converting accessor property to data
1 file changed · +3 −0
lib/Runtime/Types/PathTypeHandler.cpp+3 −0 modified@@ -1476,6 +1476,9 @@ namespace Js if (!(attributes[descriptor->GetDataPropertyIndex<false>()] & ObjectSlotAttr_Accessor)) { // Setter without a getter; this is a stale entry, so ignore it + // Just consume the slot so no descriptor refers to it. + Assert(i == newTypeHandler->nextPropertyIndex); + ::Math::PostInc(newTypeHandler->nextPropertyIndex); continue; } Assert(oldTypeHandler->GetSetterSlotIndex(descriptor->GetDataPropertyIndex<false>()) == newTypeHandler->nextPropertyIndex);
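Review bot: In the stale-entry branch (setter without a getter), the invariant this fix relies on, `i == newTypeHandler->nextPropertyIndex`, is checked only by `Assert`. In any build where `Assert` is compiled out, a mismatch would pass silently and `::Math::PostInc(newTypeHandler->nextPropertyIndex)` would still advance the index, so slot indices could drift again without any signal. Consider making the check fail fast in all builds, or handling the mismatch explicitly before the `continue`. The added comment says the slot is consumed "so no descriptor refers to it"; it would help to also state why skipping the slot without consuming it was unsafe, since the `Assert` after the branch depends on the same index. The change is 1 file, +3 −0 with no test; a regression test that converts an accessor property to a data property with a setter-only stale entry would pin this path down.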
Vulnerability mechanics
Generated on May 9, 2026. Inputs: CWE entries + fix-commit diffs from this CVE's patches. Citations validated against bundle.
References (9)
- github.com/advisories/GHSA-3hqw-mg9x-r2vr (ghsa, ADVISORY)
- nvd.nist.gov/vuln/detail/CVE-2018-8513 (ghsa, ADVISORY)
- www.securityfocus.com/bid/105473 (mitre, vdb-entry, x_refsource_BID)
- www.securitytracker.com/id/1041825 (mitre, vdb-entry, x_refsource_SECTRACK)
- github.com/chakra-core/ChakraCore/commit/8997c7017891f45904f9273fbf1d0af4e364d1fe (ghsa, WEB)
- github.com/chakra-core/ChakraCore/pull/5764 (ghsa, WEB)
- portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2018-8513 (ghsa, x_refsource_CONFIRM, WEB)
- web.archive.org/web/20210419172416/http://www.securityfocus.com/bid/105473 (ghsa, WEB)
- web.archive.org/web/20210927074321/http://www.securitytracker.com/id/1041825 (ghsa, WEB)