cbcvebase.
CVE-2018-0840
published 2018-02-15

CVE-2018-0840: Internet Explorer in Microsoft Windows 7 SP1, Windows Server 2008 R2 SP1, Windows 8.1 and Windows RT 8.1, Windows Server 2012 and R2, and Internet Explorer and…

Priority: P2 · 69 · high
CVSS 3.0: 7.5 (AV:N/AC:H/PR:N/UI:R/S:U/C:H/I:H/A:H)
Exploit: public PoC available
EPSS: 53.72% (98.9th percentile)
Internet Explorer in Microsoft Windows 7 SP1, Windows Server 2008 R2 SP1, Windows 8.1 and Windows RT 8.1, Windows Server 2012 and R2, and Internet Explorer and Microsoft Edge in Windows 10 Gold, 1511, 1607, 1703, 1709, and Windows Server 2016 allows remote code execution, due to how the scripting engine handles objects in memory, aka "Scripting Engine Memory Corruption Vulnerability". This CVE ID is unique from CVE-2018-0834, CVE-2018-0835, CVE-2018-0836, CVE-2018-0837, CVE-2018-0838, CVE-2018-0856, CVE-2018-0857, CVE-2018-0858, CVE-2018-0859, CVE-2018-0860, CVE-2018-0861, and CVE-2018-0866.

Affected (8 ranges)

Vendor                   Product               Version range   Fixed in
microsoft                internet_explorer     -               -
microsoft                internet_explorer     -               -
microsoft                internet_explorer     -               -
microsoft_corporation    internet_explorer     -               -
msrc                     chakracore            -               -
msrc                     internet_explorer_10  -               -
msrc                     internet_explorer_11  -               -
msrc                     microsoft_edge        -               -

Detection & IOCs (extracted from sources)

  • The exploit abuses the `typeof` operator to silently swallow exceptions thrown during implicit calls, preventing `ImplicitCallFlags` from being updated and bypassing JIT type-safety checks in Chakra/ChakraCore.
  • Exploit pattern: a typed float array is manipulated across a JIT-optimised function where an object with a throwing `toString` is used as an index via `typeof`, causing type confusion on `arr[0]` (float vs object). Monitor for JIT-compiled JS functions that combine typed array writes with `typeof(arr[index])` where the index object has a custom `toString` that throws.
  • The bypass relies on an exception being thrown inside an implicit call (e.g., a custom `toString`) so that `SetImplicitCallFlags` is never reached. Detection opportunity: monitor ChakraCore/Edge JIT paths where `ExecuteImplicitCall` exits via exception without updating the flags.
  • The vulnerability is in the scripting engine's handling of objects in memory in Microsoft browsers (Internet Explorer / Edge). Web-based delivery vector: attacker hosts a specially crafted website or embeds an ActiveX control marked 'safe for initialization'.
  • Exploit status at time of patch release was 'Publicly Disclosed: No; Exploited: No', but rated 'Exploitation More Likely' for the latest software release — treat as high-priority for patching and detection.
  • The PoC exploit code targets Microsoft Edge's Chakra JIT engine specifically via the ImplicitCallFlags bypass; the same class of bug may affect other Chakra-based hosts (e.g., Node.js builds using ChakraCore prior to v1.7.8).
  • The NVD source (DOC 1) describes CVE-2018-0857, not CVE-2018-0840 directly; CVE-2018-0840 is listed only as a related-but-distinct CVE in that entry. Operational details for CVE-2018-0840 are drawn from the MSRC advisory and the Exploit-DB PoC.

CVSS provenance

Source        Version   Score   Severity   Vector
nvd           v3.0      7.5     HIGH       CVSS:3.0/AV:N/AC:H/PR:N/UI:R/S:U/C:H/I:H/A:H
nvd           v2.0      9.3     CRITICAL   AV:N/AC:M/Au:N/C:C/I:C/A:C
ghsa          -         7.5     HIGH       -
osv           -         7.5     HIGH       -
vendor_msrc   -         4.2     MEDIUM     -