CVE-2018-0835
published 2018-02-15

Priority: P268high
CVSS 3.0: 7.5 (vector AV:N/AC:H/PR:N/UI:R/S:U/C:H/I:H/A:H)
Exploit: available
EPSS: 65.86% (99.2nd percentile)
Microsoft Edge and ChakraCore in Microsoft Windows 10 Gold, 1511, 1607, 1703, 1709, and Windows Server 2016 allows remote code execution, due to how the scripting engine handles objects in memory, aka "Scripting Engine Memory Corruption Vulnerability". This CVE ID is unique from CVE-2018-0834, CVE-2018-0836, CVE-2018-0837, CVE-2018-0838, CVE-2018-0840, CVE-2018-0856, CVE-2018-0857, CVE-2018-0858, CVE-2018-0859, CVE-2018-0860, CVE-2018-0861, and CVE-2018-0866.

Affected

16 ranges (version range and fixed-in values were not preserved in the extracted record)

Vendor                | Product                                                          | Version range | Fixed in
microsoft             | internet_explorer                                                |               |
microsoft             | internet_explorer                                                |               |
microsoft             | internet_explorer                                                |               |
microsoft_corporation | internet_explorer                                                |               |
msrc                  | chakracore                                                       |               |
msrc                  | microsoft_edge_on_windows_10_for_32-bit_systems                  |               |
msrc                  | microsoft_edge_on_windows_10_for_x64-based_systems               |               |
msrc                  | microsoft_edge_on_windows_10_version_1511_for_32-bit_systems     |               |
msrc                  | microsoft_edge_on_windows_10_version_1511_for_x64-based_systems  |               |
msrc                  | microsoft_edge_on_windows_10_version_1607_for_32-bit_systems     |               |
msrc                  | microsoft_edge_on_windows_10_version_1607_for_x64-based_systems  |               |
msrc                  | microsoft_edge_on_windows_10_version_1703_for_32-bit_systems     |               |
msrc                  | microsoft_edge_on_windows_10_version_1703_for_x64-based_systems  |               |
msrc                  | microsoft_edge_on_windows_10_version_1709_for_32-bit_systems     |               |
msrc                  | microsoft_edge_on_windows_10_version_1709_for_x64-based_systems  |               |
msrc                  | microsoft_edge_on_windows_server_2016                            |               |

Detection & IOCs (extracted from sources)

Source: https://www.exploit-db.com/exploits/44079
  • Look for JavaScript exploiting Array.prototype.reverse combined with Array.prototype.sort to achieve type confusion on native float arrays in ChakraCore/Microsoft Edge JIT
  • Detect JavaScript that sets an array as a prototype inside an Array.prototype.sort compare function, then calls Array.prototype.reverse — this is the specific exploit primitive for CVE-2018-0835
  • Monitor for use of arr.__proto__ = null followed by delete arr[index] and arr2.reverse = Array.prototype.reverse in the same script context, which matches the PoC pattern
  • Flag scripts writing the magic double constant 2.3023e-320 into array slots — this is a type-confusion payload value used in the PoC to corrupt memory
  • Exploit is publicly available on Exploit-DB, but Microsoft MSRC lists exploitation status as 'Publicly Disclosed: No; Exploited: No' at time of patch — assess exposure accordingly
  • Vulnerability is specific to the Microsoft Edge (HTML-based) scripting engine's handling of objects in memory; it does not affect non-Edge browsers
  • The exploit technique relies on ChakraCore JIT inlining Array.prototype.reverse; patched in ChakraCore v1.7.8 and Windows cumulative updates KB4074592, KB4074588, KB4074596, KB4074591, KB4074590

CVSS provenance

Source      | Version | Score | Severity | Vector
nvd         | v3.0    | 7.5   | HIGH     | CVSS:3.0/AV:N/AC:H/PR:N/UI:R/S:U/C:H/I:H/A:H
nvd         | v2.0    | 7.6   | HIGH     | AV:N/AC:H/Au:N/C:C/I:C/A:C
ghsa        |         | 7.5   | HIGH     |
osv         |         | 7.5   | HIGH     |
vendor_msrc |         | 4.2   | MEDIUM   |