CVE-2018-8551
Description
A remote code execution vulnerability in the Chakra scripting engine used by Microsoft Edge and ChakraCore allows attackers to execute arbitrary code via a specially crafted website.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
Vulnerability
The vulnerability exists in the Chakra scripting engine when handling objects in memory, leading to memory corruption. It affects Microsoft Edge and ChakraCore. The issue is classified as a remote code execution vulnerability [1][2].
Exploitation
An attacker can host a specially crafted website that, when viewed in Microsoft Edge, triggers the memory corruption. No authentication is required, and user interaction is limited to visiting the malicious site [1][4].
Impact
Successful exploitation allows the attacker to execute arbitrary code in the context of the current user. This could lead to full compromise of the target system [1][4].
Mitigation
Microsoft has released a security update as part of the November 2018 Patch Tuesday. Users should apply the update to protect against this vulnerability [4]. For ChakraCore, Microsoft provided security updates for version 1.11 until March 2021, after which it is unsupported [3].
- [1] NVD - CVE-2018-8551
- [2] Microsoft ChakraCore Scripting Engine CVE-2018-8551 Remote Memory Corruption Vulnerability
- [3] GitHub - chakra-core/ChakraCore: ChakraCore is an open source Javascript engine with a C API.
- [4] Microsoft Edge Multiple Bugs Let Remote Users Execute Arbitrary Code and Obtain Conduct Cross-Site Scripting Attacks on the Target System
AI Insight generated on May 22, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
Affected packages
Versions sourced from the GitHub Security Advisory.
| Package | Affected versions | Patched versions |
|---|---|---|
| Microsoft.ChakraCore (NuGet) | < 1.11.3 | 1.11.3 |
Affected products (3)
- Range: ChakraCore
Patches
14 files changed · +76 −4
lib/Parser/Scan.cpp+14 −3 modified@@ -193,20 +193,30 @@ void Scanner<EncodingPolicy>::PrepareForBackgroundParse(Js::ScriptContext *scrip // This is used to determine a length of BSTR, which can't contain a NUL character. //----------------------------------------------------------------------------- template <typename EncodingPolicy> -charcount_t Scanner<EncodingPolicy>::LineLength(EncodedCharPtr first, EncodedCharPtr last) +charcount_t Scanner<EncodingPolicy>::LineLength(EncodedCharPtr first, EncodedCharPtr last, size_t* cb) { + Assert(cb != nullptr); + charcount_t result = 0; EncodedCharPtr p = first; for (;;) { + EncodedCharPtr prev = p; switch( this->template ReadFull<false>(p, last) ) { case kchNWL: // _C_NWL case kchRET: case kchLS: case kchPS: case kchNUL: // _C_NUL + // p is now advanced past the line terminator character. + // We need to know the number of bytes making up the line, not including the line terminator character. + // To avoid subtracting a variable number of bytes because the line terminator characters are different + // number of bytes long (plus there may be multiple valid encodings for these characters) just keep + // track of the first byte of the line terminator character in prev. + Assert(prev >= first); + *cb = prev - first; return result; } result++; 
@@ -2313,10 +2323,11 @@ HRESULT Scanner<EncodingPolicy>::SysAllocErrorLine(int32 ichMinLine, __out BSTR* typename EncodingPolicy::EncodedCharPtr pStart = static_cast<size_t>(ichMinLine) == IchMinLine() ? m_pchMinLine : m_pchBase + this->CharacterOffsetToUnitOffset(m_pchBase, m_currentCharacter, m_pchLast, ichMinLine); // Determine the length by scanning for the next newline - charcount_t cch = LineLength(pStart, m_pchLast); + size_t cb = 0; + charcount_t cch = LineLength(pStart, m_pchLast, &cb); Assert(cch <= LONG_MAX); - typename EncodingPolicy::EncodedCharPtr pEnd = static_cast<size_t>(ichMinLine) == IchMinLine() ? m_pchMinLine + cch : m_pchBase + this->CharacterOffsetToUnitOffset(m_pchBase, m_currentCharacter, m_pchLast, cch); + typename EncodingPolicy::EncodedCharPtr pEnd = static_cast<size_t>(ichMinLine) == IchMinLine() ? m_pchMinLine + cb : m_pchBase + this->CharacterOffsetToUnitOffset(m_pchBase, m_currentCharacter, m_pchLast, cch); *pbstrLine = SysAllocStringLen(NULL, cch); if (!*pbstrLine)
lib/Parser/Scan.h+1 −1 modified@@ -780,7 +780,7 @@ class Scanner : public IScanner, public EncodingPolicy void ScanNewLine(uint ch); void NotifyScannedNewLine(); - charcount_t LineLength(EncodedCharPtr first, EncodedCharPtr last); + charcount_t LineLength(EncodedCharPtr first, EncodedCharPtr last, size_t* cb); tokens ScanIdentifier(bool identifyKwds, EncodedCharPtr *pp); BOOL FastIdentifierContinue(EncodedCharPtr&p, EncodedCharPtr last);
test/Bugs/bug_5585.js+55 −0 added@@ -0,0 +1,55 @@ +//------------------------------------------------------------------------------------------------------- +// Copyright (C) Microsoft. All rights reserved. +// Licensed under the MIT license. See LICENSE.txt file in the project root for full license information. +//------------------------------------------------------------------------------------------------------- + +WScript.LoadScriptFile("..\\UnitTestFramework\\UnitTestFramework.js"); + +let line = 't("摩"2)'; +let module_name = 'temp.js'; +WScript.RegisterModuleSource(module_name, line); + +var tests = [ + { + name: "Syntax error thrown parsing dynamic module", + body: function () { + let source = `import(module_name) + .then(v => { + assert.fail("Parsing this module should not succeed"); + }, e => { + assert.areEqual(line, e.source, "Source line causing compile error"); + }).catch(e => { + console.log('fail: ' + e); + throw e; + });` + + testRunner.LoadModule(source, 'samethread', true, false); + } + }, + { + name: "Syntax error thrown parsing module code", + body: function () { + try { + WScript.LoadScriptFile(module_name, 'module'); + assert.fail("Parsing this module should not succeed"); + } catch(e) { + assert.areEqual(line, e.source, "Source line causing compile error"); + } + } + }, + { + name: "Error line which contains multi-byte UTF-8 sequence which is an end-of-line character", + body: function () { + WScript.RegisterModuleSource('temp2.js', 't("\u2028"2)'); + + try { + WScript.LoadScriptFile('temp2.js', 'module'); + assert.fail("Parsing this module should not succeed"); + } catch(e) { + assert.areEqual('t("', e.source, "Source line causing compile error"); + } + } + } +]; + +testRunner.runTests(tests, { verbose: WScript.Arguments[0] != "summary" });
test/Bugs/rlexe.xml+6 −0 modified@@ -530,4 +530,10 @@ <tags>exclude_jshost</tags> </default> </test> + <test> + <default> + <files>bug_5585.js</files> + <compile-flags>-esdynamicimport -mutehosterrormsg -args summary -endargs</compile-flags> + </default> + </test> </regress-exe>
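Review bot: In the LineLength hunk of lib/Parser/Scan.cpp, the new out parameter is protected only by Assert(cb != nullptr) and Assert(prev >= first), so wherever Assert is a debug-only check the function dereferences cb and stores prev - first into a size_t with nothing enforcing either condition. Use a check that also holds in release builds, or take cb by reference so null is not representable. The comment block above the function still describes only the BSTR character length; it should state that cb receives the number of bytes in the line, excluding the terminator.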
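Review bot: In the SysAllocErrorLine hunk of lib/Parser/Scan.cpp, only the first arm of the pEnd ternary moves to the byte count (m_pchMinLine + cb); the second arm still passes cch to CharacterOffsetToUnitOffset from m_pchBase, although pStart in that arm is derived from ichMinLine. Because cb is measured from pStart, computing pEnd as pStart + cb would serve both arms and remove the character-to-unit conversion from this line. A short comment separating cch (characters, used for SysAllocStringLen) from cb (bytes of encoded source) would also make the mixed units easier to audit.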
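Review bot: In test/Bugs/bug_5585.js, the third case exercises only U+2028, while the patched case list in LineLength also returns on kchPS, kchRET, kchNWL and kchNUL. Add at least a U+2029 case so the prev-based byte count is checked for both multi-byte terminators, and a multi-line module whose error is not on the first line so e.source is checked when the line start is not the beginning of the buffer.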
Vulnerability mechanics
Generated on May 9, 2026. Inputs: CWE entries + fix-commit diffs from this CVE's patches. Citations validated against bundle.
References (9)
- github.com/advisories/GHSA-mjg2-326q-49f9 (ghsa, ADVISORY)
- nvd.nist.gov/vuln/detail/CVE-2018-8551 (ghsa, ADVISORY)
- www.securityfocus.com/bid/105773 (mitre, vdb-entry, x_refsource_BID)
- www.securitytracker.com/id/1042107 (mitre, vdb-entry, x_refsource_SECTRACK)
- github.com/chakra-core/ChakraCore/commit/6199b5e19a61744f5d2357bbbaf1b50dd284c4a6 (ghsa, WEB)
- github.com/chakra-core/ChakraCore/pull/5827 (ghsa, WEB)
- portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2018-8551 (ghsa, x_refsource_CONFIRM, WEB)
- web.archive.org/web/20210616130712/http://www.securityfocus.com/bid/105773 (ghsa, WEB)
- web.archive.org/web/20211126224439/http://www.securitytracker.com/id/1042107 (ghsa, WEB)