CVE-2018-0860
published 2018-02-15


Priority: P268 high | CVSS 3.0: 7.5
Vector: AV:N/AC:H/PR:N/UI:R/S:U/C:H/I:H/A:H
EXPLOIT
EPSS: 65.86% (99.2th percentile)
Microsoft Edge and ChakraCore in Microsoft Windows 10 Gold, 1511, 1607, 1703, 1709, and Windows Server 2016 allows remote code execution, due to how the scripting engine handles objects in memory, aka "Scripting Engine Memory Corruption Vulnerability". This CVE ID is unique from CVE-2018-0834, CVE-2018-0835, CVE-2018-0836, CVE-2018-0837, CVE-2018-0838, CVE-2018-0840, CVE-2018-0856, CVE-2018-0857, CVE-2018-0858, CVE-2018-0859, CVE-2018-0861, and CVE-2018-0866.

Affected

16 ranges
Vendor | Product | Version range | Fixed in
microsoft | internet_explorer
microsoft | internet_explorer
microsoft | internet_explorer
microsoft_corporation | internet_explorer
msrc | chakracore
msrc | microsoft_edge_on_windows_10_for_32-bit_systems
msrc | microsoft_edge_on_windows_10_for_x64-based_systems
msrc | microsoft_edge_on_windows_10_version_1511_for_32-bit_systems
msrc | microsoft_edge_on_windows_10_version_1511_for_x64-based_systems
msrc | microsoft_edge_on_windows_10_version_1607_for_32-bit_systems
msrc | microsoft_edge_on_windows_10_version_1607_for_x64-based_systems
msrc | microsoft_edge_on_windows_10_version_1703_for_32-bit_systems
msrc | microsoft_edge_on_windows_10_version_1703_for_x64-based_systems
msrc | microsoft_edge_on_windows_10_version_1709_for_32-bit_systems
msrc | microsoft_edge_on_windows_10_version_1709_for_x64-based_systems
msrc | microsoft_edge_on_windows_server_2016

Detection & IOCs (extracted from sources)

url: https://github.com/Microsoft/ChakraCore/releases/tag/v1.7.8
  • Look for JavaScript that defines a getter on Array.prototype using Object.prototype.valueOf, which is the core exploit primitive — this causes a JIT-optimized function to return a stack-allocated array object through an implicit call that should have been suppressed.
  • The exploit pattern involves a tight loop (≥0x10000 iterations) to JIT-compile a function that accesses a non-existent property on a local array, followed by triggering the getter post-optimization — monitor for high-iteration loops combined with Array.prototype getter manipulation in Edge/ChakraCore JS.
  • The vulnerability is triggered when ChakraCore's JIT engine calls a function marked HasNoSideEffect (e.g., Object.prototype.valueOf) even when the DisableImplicitCall flag is set, leaking a stack-allocated object — detection should focus on valueOf being used as a getter on Array.prototype in Microsoft Edge.
  • The exploit is specific to Microsoft Edge (HTML-based) and ChakraCore's JIT compiler; the memory corruption only manifests after the target function has been JIT-compiled (requires sufficient warm-up iterations), so sandboxed or non-JIT execution paths are not affected.
  • Exploit status at time of patching was 'Publicly Disclosed: No; Exploited: No' but rated 'Exploitation More Likely' for the latest software release — prioritize patching accordingly.

CVSS provenance

nvd | v3.0 | 7.5 | HIGH | CVSS:3.0/AV:N/AC:H/PR:N/UI:R/S:U/C:H/I:H/A:H
nvd | v2.0 | 7.6 | HIGH | AV:N/AC:H/Au:N/C:C/I:C/A:C
ghsa | 7.5 | HIGH
osv | 7.5 | HIGH
vendor_msrc | 4.2 | MEDIUM