VYPR
High severity · NVD Advisory · Published Dec 12, 2018 · Updated Aug 5, 2024

CVE-2018-8617

Description

Chakra scripting engine memory corruption in Microsoft Edge allows remote code execution via crafted web content.

AI Insight

LLM-synthesized narrative grounded in this CVE's description and references.

Vulnerability

A remote code execution vulnerability exists in the Chakra scripting engine when it handles objects in memory in Microsoft Edge and ChakraCore; it is classified as a memory corruption issue [1][2]. The flaw stems from insufficient handling of exceptional conditions during JIT compilation: in the GlobOpt::ProcessFieldKills function, object-header-inlined type symbols were not properly killed under global optimization [3]. Affected versions include all Microsoft Edge versions on Windows 10 prior to the December 2018 security update, and ChakraCore releases before the fix [2].

Exploitation

An attacker must host a specially crafted website that triggers the memory corruption when viewed in Microsoft Edge; no authentication or special privileges are required, since the victim only needs to visit the malicious page [1][2]. The vulnerability is remotely exploitable over the network without user interaction beyond browsing [2]. The exploit sequence involves JIT compilation of JavaScript code that triggers an integer overflow in loop range checks [4], leading to memory corruption via crafted array operations such as push, pop, shift, splice, or unshift [3].

Impact

Successful exploitation allows an attacker to execute arbitrary code in the context of the currently logged-in user [1]. This can lead to full system compromise, including installation of programs; viewing, changing, or deleting data; and creation of accounts with full user rights [1]. The scope is limited to the user's privilege level, but combined with a separate elevation-of-privilege vulnerability it could allow system-level access.

Mitigation

Microsoft released a security update on December 11, 2018, which patched the vulnerability via a servicing update for ChakraCore (commit c04787f16efe8564cd3acee7549854dc156419b2) [3][4]. Users should apply the December 2018 Patch Tuesday updates for Microsoft Edge on Windows 10 [1]. ChakraCore users should update to the version including this commit. No workarounds are available beyond applying the patch, and the vulnerability is not listed on the CISA Known Exploited Vulnerabilities (KEV) catalog.

AI Insight generated on May 22, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.

Affected packages

Versions sourced from the GitHub Security Advisory.

Package: Microsoft.ChakraCore (NuGet)
Affected versions: < 1.11.3
Patched versions: 1.11.3

Affected products: 3

Patches: 1 (commit c04787f16efe)

CVE-2018-8617

https://github.com/chakra-core/ChakraCore · Paul Leathers · Nov 15, 2018 · via ghsa
2 files changed · +25 −9
  • lib/Backend/GlobOpt.cpp · +0 −6 · modified
    @@ -2852,12 +2852,6 @@ GlobOpt::OptDst(
             {
                 this->FinishOptPropOp(instr, opnd->AsPropertySymOpnd());
             }
    -        else if (instr->m_opcode == Js::OpCode::StElemI_A ||
    -                 instr->m_opcode == Js::OpCode::StElemI_A_Strict ||
    -                 instr->m_opcode == Js::OpCode::InitComputedProperty)
    -        {
    -            this->KillObjectHeaderInlinedTypeSyms(this->currentBlock, false);
    -        }
     
             if (opnd->IsIndirOpnd() && !this->IsLoopPrePass())
             {
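Review bot: the kill of object-header-inlined type symbols for StElemI_A, StElemI_A_Strict and InitComputedProperty is removed from OptDst with no replacement in this hunk, so correctness now depends entirely on ProcessFieldKills performing the same kill (the GlobOptFields.cpp hunks in this commit add it there under `if (inGlobOpt)`). Confirm that ProcessFieldKills is reached with inGlobOpt set on every path where OptDst previously handled these opcodes; if any path skips it, an element store would leave a stale inlined type symbol live and the type-check elimination that relies on it would be unsound. A one-line comment at the removal site pointing to the new location would help the next reader.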
    
  • lib/Backend/GlobOptFields.cpp · +25 −3 · modified
    @@ -328,10 +328,20 @@ GlobOpt::ProcessFieldKills(IR::Instr *instr, BVSparse<JitArenaAllocator> *bv, bo
             Assert(dstOpnd != nullptr);
             KillLiveFields(this->lengthEquivBv, bv);
             KillLiveElems(dstOpnd->AsIndirOpnd(), bv, inGlobOpt, instr->m_func);
    +        if (inGlobOpt)
    +        {
    +            KillObjectHeaderInlinedTypeSyms(this->currentBlock, false);
    +        }
             break;
     
         case Js::OpCode::InitComputedProperty:
    +    case Js::OpCode::InitGetElemI:
    +    case Js::OpCode::InitSetElemI:
             KillLiveElems(dstOpnd->AsIndirOpnd(), bv, inGlobOpt, instr->m_func);
    +        if (inGlobOpt)
    +        {
    +            KillObjectHeaderInlinedTypeSyms(this->currentBlock, false);
    +        }
             break;
     
         case Js::OpCode::DeleteElemI_A:
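Review bot: the `if (inGlobOpt) { KillObjectHeaderInlinedTypeSyms(this->currentBlock, false); }` block is now duplicated verbatim in each case of this switch; factor it into a small helper, or a single post-switch kill keyed on a flag, so that a future opcode cannot miss it. Two further points in this hunk: InitGetElemI and InitSetElemI are added to the InitComputedProperty case without a comment or commit-message sentence explaining why computed accessor definitions need the same element and type-symbol kills, and that case dereferences `dstOpnd->AsIndirOpnd()` without the `Assert(dstOpnd != nullptr)` that the StElemI case above it carries.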
    @@ -394,6 +404,10 @@ GlobOpt::ProcessFieldKills(IR::Instr *instr, BVSparse<JitArenaAllocator> *bv, bo
         case Js::OpCode::InlineArrayPush:
         case Js::OpCode::InlineArrayPop:
             KillLiveFields(this->lengthEquivBv, bv);
    +        if (inGlobOpt)
    +        {
    +            KillObjectHeaderInlinedTypeSyms(this->currentBlock, false);
    +        }
             break;
     
         case Js::OpCode::InlineeStart:
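Review bot: `KillLiveFields(this->lengthEquivBv, bv);` in the InlineArrayPush/InlineArrayPop case is still called unguarded, while the helper-call hunk below in this same commit wraps the identical call in `if (nullptr != this->lengthEquivBv)`. Either lengthEquivBv is guaranteed non-null on this path, in which case a short comment should say why, or the same guard belongs here as well. The new inGlobOpt-guarded type-symbol kill itself matches the other cases.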
    @@ -410,10 +424,18 @@ GlobOpt::ProcessFieldKills(IR::Instr *instr, BVSparse<JitArenaAllocator> *bv, bo
             fnHelper = instr->GetSrc1()->AsHelperCallOpnd()->m_fnHelper;
     
             // Kill length field for built-ins that can update it.
    -        if(nullptr != this->lengthEquivBv && (fnHelper == IR::JnHelperMethod::HelperArray_Shift || fnHelper == IR::JnHelperMethod::HelperArray_Splice
    -            || fnHelper == IR::JnHelperMethod::HelperArray_Unshift))
    +        if(fnHelper == IR::JnHelperMethod::HelperArray_Shift 
    +           || fnHelper == IR::JnHelperMethod::HelperArray_Splice
    +           || fnHelper == IR::JnHelperMethod::HelperArray_Unshift)
             {
    -            KillLiveFields(this->lengthEquivBv, bv);
    +            if (nullptr != this->lengthEquivBv)
    +            {
    +                KillLiveFields(this->lengthEquivBv, bv);
    +            }
    +            if (inGlobOpt)
    +            {
    +                KillObjectHeaderInlinedTypeSyms(this->currentBlock, false);
    +            }
             }
     
             if ((fnHelper == IR::JnHelperMethod::HelperRegExp_Exec)
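Review bot: the comment `// Kill length field for built-ins that can update it.` is now stale, because the block beneath it also kills object-header-inlined type symbols for Shift, Splice and Unshift whenever inGlobOpt is set, independently of whether lengthEquivBv is null; update the comment to describe both kills, since that decoupling is the behavioural change this hunk makes. Minor: the line `if(fnHelper == IR::JnHelperMethod::HelperArray_Shift ` carries trailing whitespace, and `if(` lacks the space after the keyword that the surrounding code uses (`if (inGlobOpt)`).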
    

Vulnerability mechanics

Generated on May 9, 2026. Inputs: CWE entries + fix-commit diffs from this CVE's patches. Citations validated against bundle.
