CVE-2018-0834
published 2018-02-15


Priority: P2 · 66 · high
CVSS 3.0: 7.5 (AV:N/AC:H/PR:N/UI:R/S:U/C:H/I:H/A:H)
EXPLOIT
EPSS: 55.56% (98.9th percentile)
Microsoft Edge and ChakraCore in Microsoft Windows 10 Gold, 1511, 1607, 1703, 1709, and Windows Server 2016 allows remote code execution, due to how the scripting engine handles objects in memory, aka "Scripting Engine Memory Corruption Vulnerability". This CVE ID is unique from CVE-2018-0835, CVE-2018-0836, CVE-2018-0837, CVE-2018-0838, CVE-2018-0840, CVE-2018-0856, CVE-2018-0857, CVE-2018-0858, CVE-2018-0859, CVE-2018-0860, CVE-2018-0861, and CVE-2018-0866.

Affected

16 ranges
| Vendor | Product | Version range | Fixed in |
|---|---|---|---|
| microsoft | internet_explorer | | |
| microsoft | internet_explorer | | |
| microsoft | internet_explorer | | |
| microsoft_corporation | internet_explorer | | |
| msrc | chakracore | | |
| msrc | microsoft_edge_on_windows_10_for_32-bit_systems | | |
| msrc | microsoft_edge_on_windows_10_for_x64-based_systems | | |
| msrc | microsoft_edge_on_windows_10_version_1511_for_32-bit_systems | | |
| msrc | microsoft_edge_on_windows_10_version_1511_for_x64-based_systems | | |
| msrc | microsoft_edge_on_windows_10_version_1607_for_32-bit_systems | | |
| msrc | microsoft_edge_on_windows_10_version_1607_for_x64-based_systems | | |
| msrc | microsoft_edge_on_windows_10_version_1703_for_32-bit_systems | | |
| msrc | microsoft_edge_on_windows_10_version_1703_for_x64-based_systems | | |
| msrc | microsoft_edge_on_windows_10_version_1709_for_32-bit_systems | | |
| msrc | microsoft_edge_on_windows_10_version_1709_for_x64-based_systems | | |
| msrc | microsoft_edge_on_windows_server_2016 | | |

Detection & IOCs (extracted from sources)

url: https://github.com/Microsoft/ChakraCore/releases/tag/v1.7.8
  • The exploit triggers type confusion in ChakraCore's JIT compiler via InitProto instructions when a native float array is used as its own prototype. Monitor for JIT-compiled JavaScript that sets an object's __proto__ to a native array (e.g., `{__proto__: arr}` where arr is a float array), which causes the array to be silently converted from NativeFloat to Var type without invalidating JIT assumptions.
  • The exploit pattern involves a loop running ~10,000 iterations to trigger JIT compilation of a function, followed by a final call passing the array as its own prototype. Detect high-iteration loops in Edge/ChakraCore JS that pass a typed array as a prototype argument to an object literal.
  • The vulnerability is specific to Microsoft Edge (HTML-based) scripting engine handling of objects in memory. Web-based attack vector: attacker hosts a specially crafted website to exploit via Microsoft Edge and convinces user to visit, or leverages compromised sites hosting user-provided content/advertisements.
  • Exploit status at time of advisory: Publicly Disclosed=No, Exploited=No, but rated 'Exploitation More Likely' for latest software release. No in-the-wild exploitation confirmed at patch time.
  • The type confusion only triggers via object literal InitProto instructions in the JIT path; expressions using `obj.__proto__` directly do NOT use InitProto and are not affected by this specific code path.

CVSS provenance

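| Source | Version | Score | Severity | Vector |
|---|---|---|---|---|
| nvd | v3.0 | 7.5 | HIGH | CVSS:3.0/AV:N/AC:H/PR:N/UI:R/S:U/C:H/I:H/A:H |
| nvd | v2.0 | 9.3 | CRITICAL | AV:N/AC:M/Au:N/C:C/I:C/A:C |
| ghsa | | 7.5 | HIGH | |
| osv | | 7.5 | HIGH | |
| vendor_msrc | | 4.2 | MEDIUM | |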