CVE-2018-8629
Description
Chakra scripting engine in Microsoft Edge and ChakraCore has a remote code execution vulnerability due to memory corruption from improper handling of loop range checks.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
Vulnerability
A remote code execution vulnerability exists in the Chakra scripting engine as used in Microsoft Edge and ChakraCore. The memory corruption stems from improper handling of loop range checks in the JIT compiler [1][2]. The fix commit listed under Patches [4] changes the backend's global optimizer (GlobOpt): when a loop header merges the value maps of its predecessor blocks in BasicBlock::MergePredBlocksValueMaps, the set of symbols whose value info changed in that merge (symsRequiringCompensationToMergedValueInfoMap) is now saved on the Loop object, and GlobOpt::OptBlock later passes it to InsertValueCompensation, so code inside the loop no longer runs on a value assumption that held on only one incoming edge. All versions of Microsoft Edge on Windows 10 are affected, as is ChakraCore before 1.11.4, the December 2018 servicing release [2][3].
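As an added example (not code from the original page, the Chakra project or the fix commit), the following C model shows why a loop header that merges value information from its incoming edges has to push the merged, weaker information into the loop body: an optimizer that keeps the landing pad's belief that the array length is 8 elides a bound check the back edge can no longer justify, and a store to index 4 lands past the live slots. The names ValueInfo, merge_value_info and simulate_loop, the 4-slot array with a canary, and the shrink-on-first-iteration loop body are all constructed for illustration; they do not describe ChakraCore's data structures or the sequence the reporter used.

```c
#include <stdbool.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Constructed model of the value info an optimizer carries per block for an
 * array symbol: does it believe it knows the array length? (Illustrative
 * names; this is not ChakraCore's ValueInfo or GlobOpt.) */
typedef struct {
    bool    length_known;
    int32_t length;
} ValueInfo;

/* Meet at a join point such as a loop header: the length stays known only if
 * every predecessor knows it and they agree. */
ValueInfo merge_value_info(ValueInfo a, ValueInfo b) {
    ValueInfo merged = { false, 0 };
    if (a.length_known && b.length_known && a.length == b.length) {
        merged.length_known = true;
        merged.length = a.length;
    }
    return merged;
}

/* Backing store for the simulated array: LIVE_SLOTS elements the loop may
 * legitimately write, followed by a canary it must never touch. */
#define LIVE_SLOTS 4
#define CANARY     0x5a5a5a5a

/* Simulated loop: on the first iteration the body shrinks the array to
 * LIVE_SLOTS elements (as JS code could via arr.length = 4 or arr.pop()),
 * then stores to arr[idx]. The "optimizer" elides the runtime bound check
 * whenever the value info it carries into the loop proves 0 <= idx < length.
 *   compensate == true : the loop uses the merged info (length unknown once
 *                        the shrinking back edge joins), the check stays and
 *                        an out-of-range store is refused.
 *   compensate == false: the loop keeps the landing pad's stale "length 8",
 *                        elides the check and the store reaches the canary.
 * Returns true when the canary survived. */
bool simulate_loop(bool compensate, int32_t idx) {
    int32_t storage[LIVE_SLOTS + 1];
    memset(storage, 0, sizeof storage);
    storage[LIVE_SLOTS] = CANARY;

    int32_t   real_length = 8;               /* length on loop entry           */
    ValueInfo landing_pad = { true, 8 };     /* proven before the loop         */
    ValueInfo back_edge   = { false, 0 };    /* body may have shrunk the array */
    ValueInfo merged      = merge_value_info(landing_pad, back_edge);
    ValueInfo in_loop     = compensate ? merged : landing_pad;

    for (int iter = 0; iter < 2; iter++) {
        if (iter == 0) {
            real_length = LIVE_SLOTS;        /* the shrink the back edge saw   */
        }
        bool check_elided = in_loop.length_known && idx >= 0 && idx < in_loop.length;
        if (check_elided || (idx >= 0 && idx < real_length)) {
            /* Constructed store. To keep the model itself memory-safe, any
             * index at or past LIVE_SLOTS is collapsed onto the canary slot. */
            storage[idx < LIVE_SLOTS ? idx : LIVE_SLOTS] = 0x41414141;
        }
    }
    return storage[LIVE_SLOTS] == CANARY;
}

int main(void) {
    printf("stale landing-pad info kept in loop, arr[4]: canary %s\n",
           simulate_loop(false, 4) ? "intact" : "overwritten");
    printf("merged info pushed into loop,        arr[4]: canary %s\n",
           simulate_loop(true, 4) ? "intact" : "overwritten");
    return 0;
}
```

Built stand-alone, the program prints one line per configuration: simulate_loop(false, 4) returns false because the elided check let the store overwrite the canary, while simulate_loop(true, 4) returns true because the merged value info kept the runtime check in place. An in-range index such as 2 is harmless either way, which is exactly why a missing compensation step survives ordinary test suites.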
Exploitation
An attacker hosts a specially crafted website, or injects malicious content into a website the target already visits, and waits for the user to open it in Microsoft Edge. Because the flaw sits in the JIT compiler's optimizer rather than in the parser, the crafted JavaScript has to run the affected loop often enough for Chakra to JIT-compile and optimize it; the mis-optimized code then corrupts memory, which can be leveraged for arbitrary code execution. No authentication or local system access is required, as this is a remote, network-based vector [1][2].
Impact
Successful exploitation lets the attacker execute arbitrary code in the context of the current user, which can mean full compromise of the affected system: installing programs; viewing, changing or deleting data; and creating new accounts with full user rights. The vulnerability is classified as remote code execution (RCE) of high severity [1][2].
Mitigation
Microsoft addressed this vulnerability in the Microsoft Edge security update released on December 11, 2018, as part of the December 2018 Patch Tuesday. For ChakraCore, the fix was merged in pull request #5869 and shipped in the December 2018 servicing release, version 1.11.4 [3][4]. Apply the latest updates from Microsoft Update, or update ChakraCore (Microsoft.ChakraCoreNuGet) to 1.11.4 or later. No workarounds are documented; installing the official patch is the only mitigation [1].
AI Insight generated on May 22, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
Affected packages
Versions sourced from the GitHub Security Advisory.
| Package | Affected versions | Patched versions |
|---|---|---|
| Microsoft.ChakraCoreNuGet | < 1.11.4 | 1.11.4 |
Affected products
- Range: ChakraCore
Patches
69a259c8c399 CVE-2018-8629 OOB bug in Edge WIP
4 files changed · +19 −6
lib/Backend/FlowGraph.cpp+7 −1 modified@@ -5266,7 +5266,7 @@ BasicBlock::MergePredBlocksValueMaps(GlobOpt* globOpt) } if(symsRequiringCompensationToMergedValueInfoMap.Count() != 0) { - globOpt->InsertValueCompensation(pred, symsRequiringCompensationToMergedValueInfoMap); + globOpt->InsertValueCompensation(pred, &symsRequiringCompensationToMergedValueInfoMap); } } } NEXT_PREDECESSOR_EDGE_EDITING; @@ -5325,6 +5325,12 @@ BasicBlock::MergePredBlocksValueMaps(GlobOpt* globOpt) loop->liveFieldsOnEntry = JitAnew(globOpt->alloc, BVSparse<JitArenaAllocator>, globOpt->alloc); loop->liveFieldsOnEntry->Copy(this->globOptData.liveFields); + if (symsRequiringCompensationToMergedValueInfoMap.Count() != 0) + { + loop->symsRequiringCompensationToMergedValueInfoMap = JitAnew(globOpt->alloc, SymToValueInfoMap, globOpt->alloc); + loop->symsRequiringCompensationToMergedValueInfoMap->Copy(&symsRequiringCompensationToMergedValueInfoMap); + } + if(globOpt->DoBoundCheckHoist() && loop->inductionVariables) { globOpt->FinalizeInductionVariables(loop, &blockData);
lib/Backend/FlowGraph.h+3 −1 modified@@ -575,6 +575,7 @@ class Loop BVSparse<JitArenaAllocator> *lossyInt32SymsOnEntry; // see GlobOptData::liveLossyInt32Syms BVSparse<JitArenaAllocator> *float64SymsOnEntry; BVSparse<JitArenaAllocator> *liveFieldsOnEntry; + SymToValueInfoMap *symsRequiringCompensationToMergedValueInfoMap; BVSparse<JitArenaAllocator> *symsUsedBeforeDefined; // stack syms that are live in the landing pad, and used before they are defined in the loop BVSparse<JitArenaAllocator> *likelyIntSymsUsedBeforeDefined; // stack syms that are live in the landing pad with a likely-int value, and used before they are defined in the loop @@ -742,7 +743,8 @@ class Loop allFieldsKilled(false), isLeaf(true), isProcessed(false), - initialValueFieldMap(alloc) + initialValueFieldMap(alloc), + symsRequiringCompensationToMergedValueInfoMap(nullptr) { this->loopNumber = ++func->loopCount; }
lib/Backend/GlobOpt.cpp+8 −3 modified@@ -599,6 +599,11 @@ GlobOpt::OptBlock(BasicBlock *block) this->tempBv->And(liveOnBackEdge); this->ToFloat64(this->tempBv, block->loop->landingPad); + if (block->loop->symsRequiringCompensationToMergedValueInfoMap) + { + InsertValueCompensation(block, block->loop->symsRequiringCompensationToMergedValueInfoMap); + } + // Now that we're done with the liveFields within this loop, trim the set to those syms // that the backward pass told us were live out of the loop. // This assumes we have no further need of the liveFields within the loop. @@ -1151,10 +1156,10 @@ void GlobOpt::FieldPRE(Loop *loop) void GlobOpt::InsertValueCompensation( BasicBlock *const predecessor, - const SymToValueInfoMap &symsRequiringCompensationToMergedValueInfoMap) + const SymToValueInfoMap *symsRequiringCompensationToMergedValueInfoMap) { Assert(predecessor); - Assert(symsRequiringCompensationToMergedValueInfoMap.Count() != 0); + Assert(symsRequiringCompensationToMergedValueInfoMap->Count() != 0); IR::Instr *insertBeforeInstr = predecessor->GetLastInstr(); Func *const func = insertBeforeInstr->m_func; @@ -1193,7 +1198,7 @@ void GlobOpt::InsertValueCompensation( } }; JsUtil::List<DelayChangeValueInfo, ArenaAllocator> delayChangeValueInfo(alloc); - for(auto it = symsRequiringCompensationToMergedValueInfoMap.GetIterator(); it.IsValid(); it.MoveNext()) + for(auto it = symsRequiringCompensationToMergedValueInfoMap->GetIterator(); it.IsValid(); it.MoveNext()) { const auto &entry = it.Current(); Sym *const sym = entry.Key();
lib/Backend/GlobOpt.h+1 −1 modified@@ -737,7 +737,7 @@ class GlobOpt void PreLowerCanonicalize(IR::Instr *instr, Value **pSrc1Val, Value **pSrc2Val); void ProcessKills(IR::Instr *instr); void InsertCloneStrs(BasicBlock *toBlock, GlobOptBlockData *toData, GlobOptBlockData *fromData); - void InsertValueCompensation(BasicBlock *const predecessor, const SymToValueInfoMap &symsRequiringCompensationToMergedValueInfoMap); + void InsertValueCompensation(BasicBlock *const predecessor, const SymToValueInfoMap *symsRequiringCompensationToMergedValueInfoMap); IR::Instr * ToVarUses(IR::Instr *instr, IR::Opnd *opnd, bool isDst, Value *val); void ToVar(BVSparse<JitArenaAllocator> *bv, BasicBlock *block); IR::Instr * ToVar(IR::Instr *instr, IR::RegOpnd *regOpnd, BasicBlock *block, Value *val, bool needsUpdate);
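Review bot: In the lib/Backend/FlowGraph.h hunk, the new Loop field symsRequiringCompensationToMergedValueInfoMap is the only one in that cluster without a comment; its neighbours say what they hold (// see GlobOptData::liveLossyInt32Syms, // stack syms that are live in the landing pad ...). Add one line stating that it is the map saved by BasicBlock::MergePredBlocksValueMaps at the loop header and consumed by GlobOpt::OptBlock, and that nullptr means no syms needed compensation.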
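Review bot: In the BasicBlock::MergePredBlocksValueMaps hunk at line 5325, the loop's map is assigned only inside if (symsRequiringCompensationToMergedValueInfoMap.Count() != 0) and there is no else branch resetting loop->symsRequiringCompensationToMergedValueInfoMap to nullptr; the field is initialised just once, in the Loop constructor. If the header's predecessors are merged more than once for the same loop, a map from an earlier merge would stay attached and GlobOpt::OptBlock would emit compensation for syms that no longer need it. Either reset the field in an else branch or add a comment explaining why a second merge cannot reach this point.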
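Review bot: In the GlobOpt::OptBlock hunk at line 599, InsertValueCompensation(block, ...) is called with block as the predecessor, so the compensation instructions go before block->GetLastInstr(), while the ToFloat64 call two lines above targets block->loop->landingPad. Please confirm block, not the landing pad, is the intended insertion point, and add a comment naming which edge into the loop this compensates; a reader comparing the two adjacent calls will expect them to address the same block.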
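Review bot: GlobOpt::InsertValueCompensation now takes a pointer but its only precondition check is Assert(symsRequiringCompensationToMergedValueInfoMap->Count() != 0), which dereferences a null map before the assert can report anything. Add Assert(symsRequiringCompensationToMergedValueInfoMap); beside Assert(predecessor); so the contract is explicit and matches the null check the OptBlock caller performs before calling.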
Vulnerability mechanics
Generated on May 9, 2026. Inputs: CWE entries + fix-commit diffs from this CVE's patches. Citations validated against bundle.
References
- [1] github.com/advisories/GHSA-w9rv-wwxr-vc3q (GitHub Security Advisory)
- [2] nvd.nist.gov/vuln/detail/CVE-2018-8629 (NVD entry)
- [3] www.securityfocus.com/bid/106115 (SecurityFocus BID 106115)
- [4] github.com/chakra-core/ChakraCore/commit/69a259c8c3993b23a9e33772fc5a5bfd22466bd5 (fix commit)
- [5] github.com/chakra-core/ChakraCore/pull/5869 (fix pull request)
- [6] portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2018-8629 (MSRC advisory)
- [7] web.archive.org/web/20210124222857/http://www.securityfocus.com/bid/106115 (archived copy of BID 106115)
News mentions
No linked articles in our index yet.