High severity · NVD Advisory · Published Nov 14, 2018 · Updated Aug 5, 2024

CVE-2018-8543

Description

A remote code execution vulnerability in ChakraCore and Microsoft Edge allows an attacker to execute arbitrary code via a crafted web page.

AI Insight

LLM-synthesized narrative grounded in this CVE's description and references.

Vulnerability

The vulnerability exists in the way the Chakra scripting engine handles objects in memory in Microsoft Edge and ChakraCore [1]. It is a memory corruption issue that can be triggered when processing specially crafted JavaScript content [1][2]. The affected versions include all supported releases of Microsoft Edge on Windows 10 and Windows Server 2019, as well as ChakraCore versions prior to the security update [2]. The issue resides in the scripting engine's object management, making it reachable when the user visits a malicious webpage or opens a crafted HTML document [1][4].

Exploitation

An attacker can exploit this vulnerability by hosting a specially crafted website or injecting malicious JavaScript into an existing site [1][4]. No authentication or special network position is required beyond the ability to serve web content to the target user [1]. The attacker must convince the user to visit the malicious page or open a crafted link, typically via social engineering [4]. Once the page is rendered, the Chakra engine processes the malicious code, leading to memory corruption and potentially arbitrary code execution [1][2].

Impact

Successful exploitation allows the attacker to execute arbitrary code in the context of the current user [1]. The impact is therefore bounded by that user's privilege level: if the user has administrative privileges, the attacker can take complete control of the affected system, including installing programs, viewing or modifying data, and creating new accounts [1][4].

Mitigation

Microsoft released a security update on November 13, 2018, as part of the November 2018 Patch Tuesday [4]. The fix addresses the memory corruption vulnerability in ChakraCore and Microsoft Edge [4]. Users should apply the update via Windows Update or direct download. For ChakraCore, the fix is included in version 1.11.9 [3]. No workarounds are documented, but disabling Edge or using an alternative browser may reduce risk until patching is complete [4].

AI Insight generated on May 22, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.

Affected packages

Versions sourced from the GitHub Security Advisory.

| Package | Affected versions | Patched versions |
| --- | --- | --- |
| Microsoft.ChakraCore (NuGet) | < 1.11.3 | 1.11.3 |

Patches

ef75eace57c0

CVE-2018-8543

https://github.com/chakra-core/ChakraCore · Seth Brenith · Sep 28, 2018 · via ghsa
2 files changed · +23 -3
  • lib/Backend/Inline.cpp · +4 -0 · modified
    @@ -5146,6 +5146,10 @@ Inline::MapFormals(Func *inlinee,
                     else
                     {
                         instr->SetSrc1(funcObjOpnd);
    +
    +                    // This usage doesn't correspond with any byte code register, since interpreter stack frames
    +                    // get their function reference via this->function rather than from a register.
    +                    instr->GetSrc1()->SetIsJITOptimizedReg(true);
                     }
                 }
                 else
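
Review bot: the new `instr->GetSrc1()->SetIsJITOptimizedReg(true);` in this `else` branch of `Inline::MapFormals` is applied through `instr->GetSrc1()` after `SetSrc1(funcObjOpnd)` rather than on `funcObjOpnd` itself, and the comment does not say why. If the intent is to flag only this use of the function object and leave other uses of the operand untouched, state that in the comment so a later refactor does not move the call onto `funcObjOpnd`. The matching `if` branch is outside the visible context; please confirm it does not need the same flag.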
    
  • lib/Backend/IRBuilder.cpp · +19 -3 · modified
    @@ -3749,7 +3749,7 @@ IRBuilder::BuildElementSlotI1(Js::OpCode newOpcode, uint32 offset, Js::RegSlot r
     IR::Opnd*
     IRBuilder::GetEnvironmentOperand(uint32 offset)
     {
    -    SymID symID;
    +    StackSym* sym = nullptr;
         // The byte code doesn't refer directly to a closure environment. Get the implicit one
         // that's pointed to by the function body.
         if (m_func->DoStackFrameDisplay() && m_func->GetLocalFrameDisplaySym())
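
Review bot: `StackSym* sym = nullptr;` at the top of `IRBuilder::GetEnvironmentOperand` now relies on every later path assigning `sym` before it reaches `IR::RegOpnd::New(sym, TyVar, m_func)`. The paths in the following hunk all do, but an `Assert(sym != nullptr);` immediately before the return would keep that invariant checked if another branch is added later. Minor style point: this declaration writes `StackSym* sym` while the new code below writes `IR::RegOpnd *regOpnd`; pick one pointer spacing.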
    @@ -3760,19 +3760,35 @@ IRBuilder::GetEnvironmentOperand(uint32 offset)
             this->AddInstr(
                 IR::Instr::New(Js::OpCode::LdSlotArr, regOpnd, fieldOpnd, m_func),
                 offset);
    -        symID = regOpnd->m_sym->m_id;
    +        sym = regOpnd->m_sym;
         }
         else
         {
    +        SymID symID;
             symID = this->GetEnvRegForInnerFrameDisplay();
             Assert(symID != Js::Constants::NoRegister);
             if (IsLoopBody() && !RegIsConstant(symID))
             {
                 this->EnsureLoopBodyLoadSlot(symID);
             }
    +
    +        if (m_func->DoStackNestedFunc() && symID == GetEnvReg())
    +        {
    +            // Environment is not guaranteed constant during this function because it could become boxed during execution,
    +            // so load the environment every time you need it.
    +            IR::RegOpnd *regOpnd = IR::RegOpnd::New(TyVar, m_func);
    +            this->AddInstr(
    +                IR::Instr::New(Js::OpCode::LdEnv, regOpnd, m_func),
    +                offset);
    +            sym = regOpnd->m_sym;
    +        }
    +        else
    +        {
    +            sym = StackSym::FindOrCreate(symID, (Js::RegSlot)symID, m_func);
    +        }
         }
     
    -    return IR::RegOpnd::New(StackSym::FindOrCreate(symID, (Js::RegSlot)symID, m_func), TyVar, m_func);
    +    return IR::RegOpnd::New(sym, TyVar, m_func);
     }
     
     template <typename SizePolicy>
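
Review bot: in the new `m_func->DoStackNestedFunc() && symID == GetEnvReg()` branch the returned operand comes from a fresh `LdEnv`, yet `EnsureLoopBodyLoadSlot(symID)` has already run just above for the loop-body case, so the slot load it emits is not used by the operand this function returns on that path. Either move the `IsLoopBody()` check into the final `else` (the `StackSym::FindOrCreate` path), or add a comment explaining why the load is still required. Separately, `SymID symID;` followed by `symID = this->GetEnvRegForInnerFrameDisplay();` can be a single initialized declaration now that the variable is scoped to this block. Both files listed for this commit are under lib/Backend, so a regression test covering an environment that becomes boxed during execution would be a useful addition.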
    

Vulnerability mechanics

Generated on May 9, 2026. Inputs: CWE entries + fix-commit diffs from this CVE's patches. Citations validated against bundle.
