High severityNVD Advisory· Published Dec 12, 2018· Updated Aug 5, 2024

CVE-2018-8618

Description

Chakra scripting engine memory corruption in Microsoft Edge allows remote code execution via crafted webpage.

AI Insight

LLM-synthesized narrative grounded in this CVE's description and references.

Chakra scripting engine memory corruption in Microsoft Edge allows remote code execution via crafted webpage.

Vulnerability

A remote code execution vulnerability exists in the way that the Chakra scripting engine handles objects in memory in Microsoft Edge and ChakraCore [1]. Specifically, an integer overflow in a loop range check can occur when performing bounds checking, leading to memory corruption [3]. This affects all versions of Microsoft Edge on Windows 10 and ChakraCore prior to commit 5db42187 [2][4].

Exploitation

An attacker can host a specially crafted website that, when visited by a user running an affected version of Microsoft Edge or ChakraCore, triggers the vulnerability [2]. No authentication or user interaction beyond visiting the page is required. The attacker must craft JavaScript that causes the integer overflow, resulting in memory corruption [3].

Impact

Successful exploitation allows an attacker to execute arbitrary code in the context of the current user within the Edge sandbox [1]. Depending on user privileges, this could lead to installation of programs, viewing or modifying data, or creating new accounts with full user rights [2].

Mitigation

Microsoft released security updates on December 11, 2018 for Microsoft Edge [1]. ChakraCore users should update to the latest build, which includes the fix in commit 5db42187 [4]. No workaround is available, but applying the patch mitigates the vulnerability.

References

AI Insight generated on May 22, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.

Affected packages

Versions sourced from the GitHub Security Advisory.

Package	Affected versions	Patched versions
Microsoft.ChakraCoreNuGet	< 1.11.4	1.11.4

Affected products

ghsa-coords
pkg:nuget/microsoft.chakracore
Range: < 1.11.4
Microsoft/Chakracorecpe-rescue
Range: ChakraCore
Microsoft/Edgecpe-rescue
Range: Windows 10 Version 1607 for 32-bit Systems

Patches

5db42187c3fd

CVE-2018-8618 Edge - Report a type confusion bug

https://github.com/chakra-core/ChakraCoreMeghana GuptaNov 14, 2018via ghsa

commit

1 file changed · +4 −0

lib/Backend/GlobOpt.cpp+4 −0 modified

@@ -1840,6 +1840,10 @@ GlobOpt::IsAllowedForMemOpt(IR::Instr* instr, bool isMemset, IR::RegOpnd *baseOp
             return false;
         }
     }
+    else
+    {
+        return false;
+    }
 
     if (!baseValueType.IsTypedArray())
     {

Vulnerability mechanics

Generated on May 9, 2026. Inputs: CWE entries + fix-commit diffs from this CVE's patches. Citations validated against bundle.

References

github.com/advisories/GHSA-5ggm-q98v-76hxghsaADVISORY
nvd.nist.gov/vuln/detail/CVE-2018-8618ghsaADVISORY
www.securityfocus.com/bid/106113mitrevdb-entryx_refsource_BID
github.com/chakra-core/ChakraCore/commit/5db42187c3fd129c9574d61ceb7236d932bb69dcghsaWEB
github.com/chakra-core/ChakraCore/pull/5869ghsaWEB
portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2018-8618ghsax_refsource_CONFIRMWEB
web.archive.org/web/20210124222845/http://www.securityfocus.com/bid/106113ghsaWEB

News mentions

No linked articles in our index yet.

cvss	0.455
epss	0.010
exploit	0.000
kev	0.000
patch	-0.070
ransomware	0.000