CVE-2018-8555
Description
A remote code execution vulnerability in ChakraCore and Microsoft Edge's Chakra scripting engine due to memory corruption when handling objects.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
Vulnerability
A remote code execution vulnerability exists in the way the Chakra scripting engine handles objects in memory in Microsoft Edge and ChakraCore. The vulnerability is classified as a memory corruption issue (CWE-119) [1][2]. Affected versions include all versions of Microsoft Edge on various Windows 10 platforms and ChakraCore before the security update released on November 13, 2018 [1][2][3]. The bug is triggered when specially crafted JavaScript content is processed by the engine [4].
Exploitation
An attacker can exploit this vulnerability by hosting a specially crafted website and enticing a user to visit it (typically via email or instant message) [4]. No authentication or special privileges are required on the target; the user only needs to load the malicious content in Microsoft Edge or an application embedding ChakraCore [4]. Successful exploitation causes the Chakra engine to corrupt memory in a way that allows arbitrary code execution [1][2].
Impact
Successful exploitation grants the attacker the ability to execute arbitrary code in the context of the current user. If the user has administrative privileges, the attacker can take complete control of the system, install programs, view/change/delete data, or create new accounts with full user rights [4]. The impact is full compromise of confidentiality, integrity, and availability of the affected system.
Mitigation
Microsoft released a security update as part of the November 2018 Patch Tuesday (November 13, 2018) that addresses this vulnerability [4]. Users should apply the latest Windows Update to ensure the Chakra engine is patched. ChakraCore, being open source, also received the fix in its repository; users building from source should pull the latest commit [3]. No workarounds are available other than applying the patch. This CVE is not listed on the CISA Known Exploited Vulnerabilities (KEV) catalog as of the last update [1].
[1] NVD - CVE-2018-8555
[2] Microsoft ChakraCore Scripting Engine CVE-2018-8555 Remote Memory Corruption Vulnerability
[3] GitHub - chakra-core/ChakraCore: ChakraCore is an open source Javascript engine with a C API.
[4] Microsoft Edge Multiple Bugs Let Remote Users Execute Arbitrary Code and Obtain Conduct Cross-Site Scripting Attacks on the Target System
AI Insight generated on May 22, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
Affected packages
Versions sourced from the GitHub Security Advisory.
| Package | Affected versions | Patched versions |
|---|---|---|
| Microsoft.ChakraCore (NuGet) | < 1.11.3 | 1.11.3 |
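To find projects still pinned inside the affected range from the table above, the following added example (not part of the original page or of the ChakraCore project) audits NuGet `packages.config` and `.csproj` text for `Microsoft.ChakraCore` references below 1.11.3. The sample XML is constructed and the function names are hypothetical; version ranges and pre-releases of the patched version are flagged for manual review rather than guessed.

```python
import re
import xml.etree.ElementTree as ET

PACKAGE_ID = "microsoft.chakracore"  # package from the table (NuGet IDs are case-insensitive)
PATCHED = (1, 11, 3)                 # first patched version, from the table

# Constructed sample inputs, not taken from any real project.
SAMPLE_PACKAGES_CONFIG = """<packages>
  <package id="Newtonsoft.Json" version="12.0.1" />
  <package id="Microsoft.ChakraCore" version="1.11.2" targetFramework="net461" />
</packages>"""
SAMPLE_CSPROJ = """<Project Sdk="Microsoft.NET.Sdk"><ItemGroup>
  <PackageReference Include="microsoft.chakracore"><Version>1.11.3</Version></PackageReference>
</ItemGroup></Project>"""

def parse_version(text):
    """Numeric tuple for 'a.b.c[.d][-suffix]'; None for ranges, floating or missing versions."""
    m = re.fullmatch(r"(\d+(?:\.\d+){0,3})(?:[-+].*)?", (text or "").strip())
    if not m:
        return None
    parts = [int(p) for p in m.group(1).split(".")]
    return tuple(parts + [0] * (3 - len(parts)))

def local(tag):
    return tag.rsplit("}", 1)[-1]    # drop the MSBuild XML namespace, if any

def audit(xml_text):
    """Yield (version, status) for each Microsoft.ChakraCore reference in the XML text."""
    for el in ET.fromstring(xml_text).iter():
        if local(el.tag) == "package":               # packages.config entry
            pkg, ver = el.get("id"), el.get("version")
        elif local(el.tag) == "PackageReference":    # .csproj entry
            pkg, ver = el.get("Include"), el.get("Version")
            if ver is None:                          # <Version> child element form
                ver = next((c.text for c in el if local(c.tag) == "Version"), None)
        else:
            continue
        if (pkg or "").lower() != PACKAGE_ID:
            continue
        parsed = parse_version(ver)
        if parsed is None or ("-" in ver and parsed[:3] == PATCHED):
            yield ver, "review"                      # cannot be decided automatically
        else:
            yield ver, "vulnerable" if parsed[:3] < PATCHED else "patched"

if __name__ == "__main__":
    for name, doc in (("packages.config", SAMPLE_PACKAGES_CONFIG), ("app.csproj", SAMPLE_CSPROJ)):
        for ver, status in audit(doc):
            print(f"{name}: Microsoft.ChakraCore {ver} -> {status}")
```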
Affected products
- Range: ChakraCore
Patches
2 files changed · +3 −0
lib/Backend/GlobOpt.cpp+2 −0 modified@@ -13375,6 +13375,7 @@ GlobOpt::CheckJsArrayKills(IR::Instr *const instr) case IR::HelperArray_Shift: case IR::HelperArray_Splice: case IR::HelperArray_Unshift: + case IR::HelperArray_Concat: kills.SetKillsArrayHeadSegments(); kills.SetKillsArrayHeadSegmentLengths(); break; @@ -13404,6 +13405,7 @@ GlobOpt::CheckJsArrayKills(IR::Instr *const instr) //case IR::HelperArray_Sort: case IR::HelperArray_Splice: case IR::HelperArray_Unshift: + case IR::HelperArray_Concat: kills.SetKillsNativeArrays(); break; }
lib/Backend/GlobOptExpr.cpp+1 −0 modified@@ -844,6 +844,7 @@ GlobOpt::ProcessArrayValueKills(IR::Instr *instr) case IR::HelperArray_Shift: case IR::HelperArray_Unshift: case IR::HelperArray_Splice: + case IR::HelperArray_Concat: this->currentBlock->globOptData.liveArrayValues->ClearAll(); break; }
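Review bot: In the first `GlobOpt::CheckJsArrayKills` hunk of lib/Backend/GlobOpt.cpp (@@ -13375), the new `case IR::HelperArray_Concat:` joins the group that calls `kills.SetKillsArrayHeadSegments()` and `kills.SetKillsArrayHeadSegmentLengths()` without any comment saying why a concat helper call has to invalidate head-segment tracking. Please add a one-line comment with the reason and a regression test: the change list shows only the two lib/Backend files, so nothing in this commit exercises the new case.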
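Review bot: In the second `GlobOpt::CheckJsArrayKills` hunk of lib/Backend/GlobOpt.cpp (@@ -13404), `case IR::HelperArray_Concat:` is added two lines below the commented-out `//case IR::HelperArray_Sort:`, which carries no explanation of why it is left out of the `kills.SetKillsNativeArrays()` group. Since this list is being touched, either delete the dead line or add a short comment stating why it is excluded, so the next reader can tell a deliberate omission from an oversight.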
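Review bot: The helper list in `GlobOpt::ProcessArrayValueKills` in lib/Backend/GlobOptExpr.cpp (@@ -844) is a third hand-maintained copy of the lists in `CheckJsArrayKills`, and this fix had to add the same `case IR::HelperArray_Concat:` line in all three places. Consider a single shared predicate or, at minimum, a comment in each switch pointing at the other two, so a future helper is not added to one list and missed in another. The differing order here (Shift, Unshift, Splice versus Shift, Splice, Unshift) also makes the copies harder to compare by eye.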
Vulnerability mechanics
Generated on May 9, 2026. Inputs: CWE entries + fix-commit diffs from this CVE's patches. Citations validated against bundle.
References
- github.com/advisories/GHSA-f3qw-7p9p-j87f (ghsa, ADVISORY)
- nvd.nist.gov/vuln/detail/CVE-2018-8555 (ghsa, ADVISORY)
- www.securityfocus.com/bid/105775 (mitre, vdb-entry, x_refsource_BID)
- www.securitytracker.com/id/1042107 (mitre, vdb-entry, x_refsource_SECTRACK)
- github.com/chakra-core/ChakraCore/commit/8943e332ea5c8d7bf7d89301b30a1412e318ae97 (ghsa, WEB)
- github.com/chakra-core/ChakraCore/pull/5827 (ghsa, WEB)
- portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2018-8555 (ghsa, x_refsource_CONFIRM, WEB)
- web.archive.org/web/20210124213922/http://www.securityfocus.com/bid/105775 (ghsa, WEB)
- web.archive.org/web/20211126224439/http://www.securitytracker.com/id/1042107 (ghsa, WEB)
News mentions
No linked articles in our index yet.