CVE-2018-8583
Description
A remote code execution vulnerability in Chakra scripting engine due to missing overflow bailout in loop count handling.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
Vulnerability
The vulnerability is a memory corruption in the Chakra scripting engine's JIT compiler, specifically in the GlobOpt::GenerateLoopCountPlusOne function. The issue arises when incrementing a loop count: the Add_I4 instruction can overflow without a bailout check, leading to out-of-bounds memory access [1][4]. Affected: Microsoft Edge and ChakraCore prior to the December 2018 security update [1][2].
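A simplified model of the flaw described above, added here as an illustration; it is not ChakraCore code. It assumes the hoisted check compares the loop count against an array length once before the loop (all function names and the `Outcome` enum are hypothetical), and shows how a wrapping 32-bit increment satisfies that check while a checked increment bails out.

```cpp
#include <cstdint>
#include <cstdio>
#include <limits>

// Simplified model, not ChakraCore code. Assumption: the optimizer checks
// "loopCount <= arrayLength" once before the loop and then drops the
// per-iteration bounds checks. All names here are hypothetical.
enum class Outcome { RunOptimizedLoop, BailOut };

// Add_I4 with no bailout: a 32-bit add that silently wraps.
int32_t PlusOneWrapping(int32_t loopCountMinusOne) {
    return static_cast<int32_t>(static_cast<uint32_t>(loopCountMinusOne) + 1u);
}

// Add_I4 as a bailout instruction: overflow is reported, never wrapped.
bool PlusOneChecked(int32_t loopCountMinusOne, int32_t *loopCount) {
    if (loopCountMinusOne == std::numeric_limits<int32_t>::max()) return false;
    *loopCount = loopCountMinusOne + 1;
    return true;
}

// Before the fix: a wrapped (negative) count satisfies the hoisted check.
Outcome HoistedCheckUnpatched(int32_t loopCountMinusOne, int32_t arrayLength) {
    int32_t loopCount = PlusOneWrapping(loopCountMinusOne);
    return loopCount <= arrayLength ? Outcome::RunOptimizedLoop : Outcome::BailOut;
}

// After the fix: overflow of the increment leaves the optimized code path.
Outcome HoistedCheckPatched(int32_t loopCountMinusOne, int32_t arrayLength) {
    int32_t loopCount = 0;
    if (!PlusOneChecked(loopCountMinusOne, &loopCount)) return Outcome::BailOut;
    return loopCount <= arrayLength ? Outcome::RunOptimizedLoop : Outcome::BailOut;
}

int main() {
    const int32_t kMax = std::numeric_limits<int32_t>::max();
    const int32_t kLength = 16;  // constructed sample array length
    std::printf("wrapped count: %d\n", static_cast<int>(PlusOneWrapping(kMax)));
    std::printf("unpatched keeps the unchecked loop: %d\n",
                HoistedCheckUnpatched(kMax, kLength) == Outcome::RunOptimizedLoop);
    std::printf("patched bails out: %d\n",
                HoistedCheckPatched(kMax, kLength) == Outcome::BailOut);
    return 0;
}
```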
Exploitation
An attacker could host a specially crafted website that triggers the vulnerability through Microsoft Edge. No user interaction beyond browsing is required. The crafted JavaScript exploits the missing overflow bailout, causing the JIT compiler to generate code that accesses memory out of bounds [1][4].
Impact
Successful exploitation allows remote code execution in the context of the current user. An attacker could gain the same privileges as the user, potentially leading to installation of programs, data manipulation, or creation of new accounts [1][2].
Mitigation
Microsoft released a security update on December 11, 2018, patching the vulnerability [1][2]. For ChakraCore, the fix is in commit 8d21cde342a4e826d96eb4ac85241f876b879aed (Pull #5869) [3][4]. Users should apply the update through Windows Update or update ChakraCore. No workaround is provided.
AI Insight generated on May 22, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
Affected packages
Versions sourced from the GitHub Security Advisory.
| Package | Affected versions | Patched versions |
|---|---|---|
| Microsoft.ChakraCore (NuGet) | < 1.11.3 | 1.11.3 |
Affected products
- Range: ChakraCore
Patches
8d21cde342a4: CVE-2018-8583 Edge - Chakra JIT OOB 9 13 leads to RCE
1 file changed · +10 −5
lib/Backend/GlobOptIntBounds.cpp+10 −5 modified@@ -1822,11 +1822,16 @@ void GlobOpt::GenerateLoopCountPlusOne(Loop *const loop, LoopCount *const loopCo IR::RegOpnd *loopCountOpnd = IR::RegOpnd::New(type, func); IR::RegOpnd *minusOneOpnd = IR::RegOpnd::New(loopCount->LoopCountMinusOneSym(), type, func); minusOneOpnd->SetIsJITOptimizedReg(true); - insertBeforeInstr->InsertBefore(IR::Instr::New(Js::OpCode::Add_I4, - loopCountOpnd, - minusOneOpnd, - IR::IntConstOpnd::New(1, type, func, true), - func)); + IR::Instr* incrInstr = IR::Instr::New(Js::OpCode::Add_I4, + loopCountOpnd, + minusOneOpnd, + IR::IntConstOpnd::New(1, type, func, true), + func); + + insertBeforeInstr->InsertBefore(incrInstr); + + // Incrementing to 1 can overflow - add a bounds check bailout here + incrInstr->ConvertToBailOutInstr(bailOutInfo, IR::BailOutOnFailedHoistedLoopCountBasedBoundCheck); loopCount->SetLoopCountSym(loopCountOpnd->GetStackSym()); } }
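Review bot: the comment on the new bailout line, "Incrementing to 1 can overflow", misstates the case it guards. The Add_I4 adds the constant 1 to minusOneOpnd, so the overflow occurs when the loop-count-minus-one value is already at the top of its integer range; something like "Adding 1 to loopCountMinusOne can overflow" would say that. Separately, bailOutInfo is passed to ConvertToBailOutInstr but is not declared anywhere in the visible hunk, so it is worth confirming it is valid on every path that reaches this Add_I4. The commit also touches only lib/Backend/GlobOptIntBounds.cpp, so no regression test for the overflow case accompanies the fix; adding one would keep the bailout from being optimized away later.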
Vulnerability mechanics
Generated on May 9, 2026. Inputs: CWE entries + fix-commit diffs from this CVE's patches. Citations validated against bundle.
References
- github.com/advisories/GHSA-q4qj-2f5m-98gc (ghsa, ADVISORY)
- nvd.nist.gov/vuln/detail/CVE-2018-8583 (ghsa, ADVISORY)
- www.securityfocus.com/bid/106111 (mitre, vdb-entry, x_refsource_BID)
- github.com/chakra-core/ChakraCore/commit/8d21cde342a4e826d96eb4ac85241f876b879aed (ghsa, WEB)
- github.com/chakra-core/ChakraCore/pull/5869 (ghsa, WEB)
- portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2018-8583 (ghsa, x_refsource_CONFIRM, WEB)
- web.archive.org/web/20210124222840/http://www.securityfocus.com/bid/106111 (ghsa, WEB)