VYPR
High severity · NVD Advisory · Published Dec 12, 2018 · Updated Aug 5, 2024

CVE-2018-8624

Description

Remote code execution in Chakra scripting engine due to JIT overflow in induction variable restoration.

AI Insight

LLM-synthesized narrative grounded in this CVE's description and references.

Vulnerability

A remote code execution vulnerability exists in the Chakra scripting engine used by Microsoft Edge and ChakraCore. The flaw occurs during JIT compilation when restoring induction variable values after a MemOp loop optimization: the arithmetic that restores the induction variable could overflow without triggering a bailout, leaving the variable with an incorrect value and leading to memory corruption. Affected versions include Microsoft Edge on all Windows 10 editions and ChakraCore prior to the fix. [2][3]
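To make the mechanism concrete, the following constructed C model (added here; it is not ChakraCore code, and the function names, the loop shape and the bailout plumbing are assumptions) contrasts an unchecked 32-bit restore of the induction variable after a memset-style MemOp with a restore that bails out on overflow before the MemOp runs, which is the ordering the fix adopts.

```c
// Constructed model of the MemOp induction-variable restore; not ChakraCore code.
#include <stdbool.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

// The JIT replaces `for (k = 0; k < trip_count; k++) buf[i + k] = 0;` with one
// memset and must then restore i to the value the loop would have left: i + trip_count.

// Restore as emitted before the fix: a plain 32-bit add that wraps silently, so the
// restored i can be negative even though the loop only ever advanced it forward.
static int32_t restore_unchecked(int32_t i, int32_t trip_count) {
    return (int32_t)((uint32_t)i + (uint32_t)trip_count);
}

// Restore as emitted after the fix (models IR::BailOutOnOverflow): the add is done
// exactly in 64 bits and a wrapped result is reported as a bailout, never committed.
static bool restore_checked(int32_t i, int32_t trip_count, int32_t *out) {
    int64_t wide = (int64_t)i + (int64_t)trip_count;
    if (wide > INT32_MAX || wide < INT32_MIN) {
        return false;  // bail out to the loop's landing pad
    }
    *out = (int32_t)wide;
    return true;
}

// Fast path in the patched order: the checked restore runs *before* the memset, so a
// bailout leaves buf untouched and the unoptimized loop can re-run from the landing
// pad without double-applying the MemOp's effects. Returns false on bailout.
static bool memop_fast_path(uint8_t *buf, int32_t i, int32_t trip_count, int32_t *i_out) {
    int32_t restored;
    if (!restore_checked(i, trip_count, &restored)) {
        return false;  // buf unchanged; caller falls back to the interpreted loop
    }
    memset(buf + i, 0, (size_t)trip_count);
    *i_out = restored;
    return true;
}

int main(void) {
    uint8_t buf[16];
    int32_t i_after = 0;
    memset(buf, 0xAA, sizeof buf);
    printf("unchecked restore near INT32_MAX: %d\n", restore_unchecked(INT32_MAX - 1, 3));
    printf("checked restore near INT32_MAX: %s\n",
           memop_fast_path(buf, INT32_MAX - 1, 3, &i_after) ? "committed" : "bailout");
    printf("checked restore, sane input: %s, i = %d\n",
           memop_fast_path(buf, 4, 8, &i_after) ? "committed" : "bailout", i_after);
    return 0;
}
```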

Exploitation

An attacker can exploit this vulnerability by hosting a specially crafted website and convincing a user to visit it via Microsoft Edge. No authentication or additional privileges are required. The crafted page triggers the memory corruption through the JIT overflow.

Impact

Successful exploitation allows remote code execution in the context of the current user. If the user has administrative privileges, the attacker can gain full control of the system.

Mitigation

Microsoft released a security update on December 11, 2018, as part of Edge updates. For ChakraCore, the fix is contained in commit 8264b9b. Users should ensure their software is updated to the latest versions. [4]

AI Insight generated on May 22, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.

Affected packages

Versions sourced from the GitHub Security Advisory.

Package                        Affected versions   Patched versions
Microsoft.ChakraCore (NuGet)   < 1.11.4            1.11.4

Affected products

3

Patches

1
8264b9bcdb08

CVE-2018-8624 Edge - Chakra JIT Overflow

https://github.com/chakra-core/ChakraCore · Wyatt Richter · Nov 14, 2018 · via ghsa
3 files changed · +13 −1
  • lib/Backend/BackwardPass.cpp  (+9 −1, modified)
    @@ -8669,7 +8669,15 @@ BackwardPass::RestoreInductionVariableValuesAfterMemOp(Loop *loop)
     
             IR::Opnd *inductionVariableOpnd = IR::RegOpnd::New(sym, IRType::TyInt32, localFunc);
             IR::Opnd *sizeOpnd = globOpt->GenerateInductionVariableChangeForMemOp(loop, inductionVariableChangeInfo.unroll);
    -        loop->landingPad->InsertAfter(IR::Instr::New(opCode, inductionVariableOpnd, inductionVariableOpnd, sizeOpnd, loop->GetFunc()));
    +        IR::Instr* restoreInductionVarInstr = IR::Instr::New(opCode, inductionVariableOpnd, inductionVariableOpnd, sizeOpnd, loop->GetFunc());
    +
    +        // The IR that restores the induction variable's value is placed before the MemOp. Since this IR can
    +        // bailout to the loop's landing pad, placing this IR before the MemOp avoids performing the MemOp,
    +        // bailing out because of this IR, and then performing the effects of the loop again.
    +        loop->landingPad->InsertInstrBefore(restoreInductionVarInstr, loop->memOpInfo->instr);
    +
    +        // If restoring an induction variable results in an overflow, bailout to the loop's landing pad.
    +        restoreInductionVarInstr->ConvertToBailOutInstr(loop->bailOutInfo, IR::BailOutOnOverflow);
         };
     
         for (auto it = loop->memOpInfo->inductionVariableChangeInfoMap->GetIterator(); it.IsValid(); it.MoveNext())
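Review bot: `loop->memOpInfo->instr` is dereferenced unconditionally in the new `InsertInstrBefore` call, yet nothing in this function checks that it was populated; the field is only assigned in `GlobOpt::EmitMemop`, so an `Assert(loop->memOpInfo->instr != nullptr)` before the insert would turn an unset or stale pointer into a clear failure instead of an insert at an arbitrary position. The ordering rationale in the comment is the important part of the change and is well stated: the restore is now a `BailOutOnOverflow` instruction placed before the MemOp, so a bailout never leaves the memop's side effects applied and then re-executes the loop. It would help to extend the second comment with why the unchecked restore was unsafe (a wrapped induction variable value surviving past the loop), since that is the condition the bailout now prevents.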
    
  • lib/Backend/FlowGraph.h  (+1 −0, modified)
    @@ -694,6 +694,7 @@ class Loop
             // Temporary map to reuse existing startIndexOpnd while emitting
             // 0 = !increment & !alreadyChanged, 1 = !increment & alreadyChanged, 2 = increment & !alreadyChanged, 3 = increment & alreadyChanged
             IR::RegOpnd* startIndexOpndCache[4];
    +        IR::Instr* instr;
         } MemOpInfo;
     
         bool doMemOp : 1;
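Review bot: the new `IR::Instr* instr;` member has no initializer and no comment, unlike the neighbouring `startIndexOpndCache` entry; unless every `MemOpInfo` is zero-initialized where it is allocated, a read before `EmitMemop` assigns it sees garbage. Suggest `IR::Instr* instr = nullptr;` (or initializing it wherever `MemOpInfo` is constructed) plus a one-line comment along the lines of `// The emitted memop instruction; induction-variable restore IR is inserted before it`. A more specific name such as `memOpInstr` would also make its use in `BackwardPass.cpp` self-explanatory.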
    
  • lib/Backend/GlobOpt.cpp  (+3 −0, modified)
    @@ -16854,6 +16854,9 @@ GlobOpt::EmitMemop(Loop * loop, LoopCount *loopCount, const MemOpEmitData* emitD
         memopInstr->SetSrc2(sizeOpnd);
         insertBeforeInstr->InsertBefore(memopInstr);
     
    +
    +    loop->memOpInfo->instr = memopInstr;
    +
     #if DBG_DUMP
         if (DO_MEMOP_TRACE())
         {
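Review bot: the store `loop->memOpInfo->instr = memopInstr;` is unconditional, so if `EmitMemop` can run more than once for the same loop only the last memop is recorded and the induction-variable restore in `BackwardPass` would be inserted before that last one, after any earlier memops; if a loop carries at most one emitted memop, an `Assert(loop->memOpInfo->instr == nullptr)` before the store would document that invariant, otherwise the restore should target the first emitted memop. Style: the hunk introduces two consecutive blank lines before the assignment; one is enough, and the store reads naturally directly after `insertBeforeInstr->InsertBefore(memopInstr);`.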
    

Vulnerability mechanics

Generated on May 9, 2026. Inputs: CWE entries + fix-commit diffs from this CVE's patches. Citations validated against bundle.

References

7
