CVE-2018-8556
Description
A memory corruption vulnerability in Chakra scripting engine allows remote code execution via crafted web content in Microsoft Edge.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
Vulnerability
A remote code execution vulnerability exists in the Chakra scripting engine's handling of objects in memory, leading to memory corruption. This affects Microsoft Edge on all supported Windows 10 builds and ChakraCore before the fix. The vulnerability is classified as a failure to handle exceptional conditions [1][2].
Exploitation
An attacker can host a specially crafted website or inject malicious content into a site. The target user must visit the site using Microsoft Edge. No authentication is required. The crafted content triggers a memory corruption error in the Chakra engine, allowing the attacker to execute arbitrary code in the context of the current user [2][4].
Impact
Successful exploitation grants the attacker the same user rights as the current user. The attacker can then install programs, view, change, or delete data, or create new accounts with full user rights. This can lead to complete compromise of the affected system [1][4].
Mitigation
Microsoft released a security update on November 13, 2018, as part of its monthly Patch Tuesday. Users should apply the update immediately. For ChakraCore, the fix is included in the November 2018 release; Microsoft continued to provide security updates for ChakraCore 1.11 until March 9, 2021. No workaround is available other than applying the patch [2][4].
AI Insight generated on May 22, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
Affected packages
Versions sourced from the GitHub Security Advisory.
| Package | Affected versions | Patched versions |
|---|---|---|
| Microsoft.ChakraCore (NuGet) | < 1.11.3 | 1.11.3 |
Affected products
- Range: ChakraCore
Patches
1 file changed · +1 −1
lib/Backend/GlobOptBailOut.cpp+1 −1 modified@@ -1306,7 +1306,7 @@ GlobOpt::MayNeedBailOnImplicitCall(IR::Instr const * instr, Value const * src1Va return !( baseValueType.IsString() || - (baseValueType.IsAnyArray() && baseValueType.GetObjectType() != ObjectType::ObjectWithArray) || + baseValueType.IsArray() || (instr->HasBailOutInfo() && instr->GetBailOutKindNoBits() == IR::BailOutOnIrregularLength) // guarantees no implicit calls ); }
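Review bot: The new condition `baseValueType.IsArray()` in `GlobOpt::MayNeedBailOnImplicitCall` has no comment explaining why this value type can skip the implicit-call bailout, while the `BailOutOnIrregularLength` clause directly below it is annotated `// guarantees no implicit calls`. Since this function decides when the JIT may omit a bailout, please add a short comment on that line stating which array value types are intentionally no longer covered compared with the removed `IsAnyArray() && GetObjectType() != ObjectType::ObjectWithArray` test, and why they can trigger implicit calls. The change touches only `lib/Backend/GlobOptBailOut.cpp`; a regression test that exercises the previously accepted value type would keep this predicate from being widened again later.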
Vulnerability mechanics
Generated on May 9, 2026. Inputs: CWE entries + fix-commit diffs from this CVE's patches. Citations validated against bundle.
References
- github.com/advisories/GHSA-fmv2-jv3p-6w47 (ghsa; ADVISORY)
- nvd.nist.gov/vuln/detail/CVE-2018-8556 (ghsa; ADVISORY)
- www.securityfocus.com/bid/105779 (mitre; vdb-entry, x_refsource_BID)
- www.securitytracker.com/id/1042107 (mitre; vdb-entry, x_refsource_SECTRACK)
- github.com/chakra-core/ChakraCore/commit/2781608a34eacc32f9262e2304a534648235be6b (ghsa; WEB)
- github.com/chakra-core/ChakraCore/pull/5827 (ghsa; WEB)
- portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2018-8556 (ghsa; x_refsource_CONFIRM, WEB)
- web.archive.org/web/20210124213934/http://www.securityfocus.com/bid/105779 (ghsa; WEB)
- web.archive.org/web/20211126224439/http://www.securitytracker.com/id/1042107 (ghsa; WEB)