VYPR
High severity · NVD Advisory · Published Nov 14, 2018 · Updated Aug 5, 2024

CVE-2018-8542

Description

A remote code execution vulnerability exists in Chakra scripting engine due to a type confusion bug in the ValueType::MergeWithObject function, affecting Microsoft Edge and ChakraCore.

AI Insight

LLM-synthesized narrative grounded in this CVE's description and references.

Vulnerability

A remote code execution vulnerability exists in the Chakra scripting engine used by Microsoft Edge and ChakraCore [1]. The issue stems from a type confusion in the ValueType::MergeWithObject function, where improper handling of array object types can lead to memory corruption [3]. This affects all versions of Microsoft Edge and ChakraCore prior to the fix committed on GitHub [3][4].
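As an added illustration (not ChakraCore's code), a simplified model of the merge rule that the fix commit changes: before the fix, merging two different specific object types produced a definite Object even when one side was an array, so a consumer trusting that definite type would skip a run-time check; after the fix the array case yields only a likely Object. The ObjectType values other than UninitializedObject and Object, the `likely` flag and NeedsRuntimeTypeCheck are assumptions of this model.

```cpp
// Simplified model (not ChakraCore code) of the merge rule changed by the fix.
// Assumed semantics, mirroring the diff's comments: a "definite" type is
// guaranteed and lets the JIT skip a type check; a "likely" type is only a
// profile hint that must still be checked at run time.
#include <cassert>

// Illustrative object kinds; only UninitializedObject and Object appear in the diff.
enum class ObjectType { UninitializedObject, Object, Array, ObjectWithArray, RegExp, Date };

struct ValueType {
    ObjectType type;
    bool likely;  // true: speculation only, not guaranteed

    bool IsArrayOrObjectWithArray() const {
        return type == ObjectType::Array || type == ObjectType::ObjectWithArray;
    }
    ValueType ToLikely() const { return ValueType{type, true}; }
};

// Merge of two different specific object types, before the fix: the merged
// value keeps the definiteness of its inputs and is simply retyped to Object.
ValueType MergeBeforeFix(ValueType t0, ValueType t1) {
    ValueType merged = t0;
    merged.likely = t0.likely || t1.likely;
    merged.type = ObjectType::Object;
    return merged;
}

// After the fix: if either input is an array or an object with an array,
// the result is downgraded to a *likely* Object, so consumers must re-check.
ValueType MergeAfterFix(ValueType t0, ValueType t1) {
    if (t0.IsArrayOrObjectWithArray() || t1.IsArrayOrObjectWithArray()) {
        return ValueType{ObjectType::Object, false}.ToLikely();
    }
    return MergeBeforeFix(t0, t1);
}

// What a JIT consumer does with the merged type: a definite type lets it skip the guard.
bool NeedsRuntimeTypeCheck(ValueType v) { return v.likely; }

int main() {
    ValueType arr{ObjectType::Array, false}, re{ObjectType::RegExp, false};
    assert(!NeedsRuntimeTypeCheck(MergeBeforeFix(arr, re)));  // guard skipped: the confusion
    assert(NeedsRuntimeTypeCheck(MergeAfterFix(arr, re)));    // guard kept after the fix
    return 0;
}
```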

Exploitation

An attacker would need to host a specially crafted web page that, when visited using a vulnerable version of Microsoft Edge, triggers the type confusion condition [2]. The exploitation does not require authentication or any special privileges; it only requires user interaction (visiting a malicious site) [2]. The specific code path involves merging object types that include array types, leading to an inconsistent type state [3].

Impact

Successful exploitation allows an attacker to achieve remote code execution in the context of the current user [1]. This means the attacker could gain the same privileges as the logged-on user, potentially leading to installation of programs, viewing, changing, or deleting data, or creating new accounts with full user rights [1]. If the user is an administrator, the attacker could take complete control of the affected system [1].

Mitigation

The vulnerability was fixed by Microsoft in a security update released on November 13, 2018 [1]. For ChakraCore, the fix was included in commit 334471b [3]. Users should apply the latest security updates for Microsoft Edge or update to the latest version of ChakraCore [4]. ChakraCore 1.11 continued to receive security updates until March 9, 2021 [4]. No workarounds are listed in the references.

AI Insight generated on May 22, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.

Affected packages

Versions sourced from the GitHub Security Advisory.

Package                Ecosystem   Affected versions   Patched versions
Microsoft.ChakraCore   NuGet       < 1.11.3            1.11.3

Affected products: 3

Patches: 1

334471b7254c
CVE-2018-8542
https://github.com/chakra-core/ChakraCore · Rajat Dua · Oct 23, 2018 · via ghsa
1 file changed · +26 −12
  • lib/Runtime/Language/ValueType.cpp · +26 −12 · modified
    @@ -1055,6 +1055,10 @@ ValueType ValueType::MergeWithObject(const ValueType other) const
             {
                 // Any two different specific object types (excludes UninitializedObject and Object, which don't indicate any
                 // specific type of object) merge to Object since the resulting type is not guaranteed to indicate any specific type
    +            if (IsArrayOrObjectWithArray() || other.IsArrayOrObjectWithArray())
    +            {
    +                return Verify(GetObject(ObjectType::Object).ToLikely());
    +            }
                 merged.SetObjectType(ObjectType::Object);
                 return Verify(merged);
             }
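Review bot: The new early return hands back a fresh `GetObject(ObjectType::Object).ToLikely()` and discards whatever `merged` had accumulated, while the unchanged lines just below still return the definite `merged` after `SetObjectType(ObjectType::Object)`; the reason the array case must drop to a likely type (its object type is no longer guaranteed, as the test comments later put it) is not recorded here. Extend the existing comment above the `if` to state that array and object-with-array inputs cannot be merged into a definite Object and fall back to a likely one, so the two return paths read as intentional rather than inconsistent.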
    @@ -1945,13 +1949,18 @@ void ValueType::RunUnitTests()
                     ));
     
                 if(!(
    -                    t0.IsObject() && t1.IsObject() &&                                                       // both are objects
    +                    t0.IsObject() && t1.IsObject() &&                                                             // both are objects
                         (
    -                        t0.GetObjectType() == ObjectType::UninitializedObject ||
    -                        t1.GetObjectType() == ObjectType::UninitializedObject
    -                    ) &&                                                                                    // one has an uninitialized object type
    -                    (t0.GetObjectType() > ObjectType::Object || t1.GetObjectType() > ObjectType::Object)    // one has a specific object type
    -                ))                                                                                          // then the resulting object type is not guaranteed
    +                        (
    +                            (
    +                                t0.GetObjectType() == ObjectType::UninitializedObject ||
    +                                t1.GetObjectType() == ObjectType::UninitializedObject
    +                            ) &&                                                                                  // one has an uninitialized object type
    +                            (t0.GetObjectType() > ObjectType::Object || t1.GetObjectType() > ObjectType::Object)  // one has a specific object type
    +                        ) ||
    +                        (t0.IsArrayOrObjectWithArray() || t1.IsArrayOrObjectWithArray()) // or one was an array or an object with array
    +                    )
    +                ))                                                                                                // then the resulting object type is not guaranteed
                 {
                     Assert(m.IsNotInt() == (t0.IsNotInt() && t1.IsNotInt()));
                 }
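Review bot: Widening the guard to skip the `IsNotInt` invariant whenever `t0.IsArrayOrObjectWithArray() || t1.IsArrayOrObjectWithArray()` leaves the array merge path with no positive assertion in this test; add an `else` branch asserting the property the fix establishes for that case (the merged type is not a definite object) so a regression to the old `merged.SetObjectType(ObjectType::Object)` behaviour would be caught. The condition also now spans 15 lines and is repeated verbatim in the next hunk; a small helper such as `ResultObjectTypeNotGuaranteed(t0, t1)` would keep both copies in sync.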
    @@ -1990,13 +1999,18 @@ void ValueType::RunUnitTests()
                 Assert(m.IsLikelyString() == (t0.IsLikelyString() && t1.IsLikelyString()));
     
                 if(!(
    -                    t0.IsObject() && t1.IsObject() &&                                                       // both are objects
    +                    t0.IsObject() && t1.IsObject() &&                                                             // both are objects
                         (
    -                        t0.GetObjectType() == ObjectType::UninitializedObject ||
    -                        t1.GetObjectType() == ObjectType::UninitializedObject
    -                    ) &&                                                                                    // one has an uninitialized object type
    -                    (t0.GetObjectType() > ObjectType::Object || t1.GetObjectType() > ObjectType::Object)    // one has a specific object type
    -                ))                                                                                          // then the resulting object type is not guaranteed
    +                        (
    +                            (
    +                                t0.GetObjectType() == ObjectType::UninitializedObject ||
    +                                t1.GetObjectType() == ObjectType::UninitializedObject
    +                            ) &&                                                                                  // one has an uninitialized object type
    +                            (t0.GetObjectType() > ObjectType::Object || t1.GetObjectType() > ObjectType::Object)  // one has a specific object type
    +                        ) ||
    +                        (t0.IsArrayOrObjectWithArray() || t1.IsArrayOrObjectWithArray()) // or one was an array or an object with array
    +                    )
    +                ))                                                                                                // then the resulting object type is not guaranteed
                 {
                     Assert(m.IsObject() == (t0.IsObject() && t1.IsObject()));
                 }
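Review bot: This condition is byte-for-byte the one added in the previous hunk, guarding a different assertion (`m.IsObject()` here, `m.IsNotInt()` above); factor it into one shared helper or lambda so a future change to the merge rule cannot update one copy and miss the other. Minor style point: the trailing comment on the `IsArrayOrObjectWithArray` line is not column-aligned with the other comments in the block.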
    

Vulnerability mechanics

Generated on May 9, 2026. Inputs: CWE entries + fix-commit diffs from this CVE's patches. Citations validated against bundle.

References: 9

News mentions: 0

No linked articles in our index yet.