CVE-2018-0866
published 2018-02-15

CVE-2018-0866: Internet Explorer in Microsoft Windows 7 SP1, Windows Server 2008 and R2 SP1, Windows 8.1 and Windows RT 8.1, Windows Server 2012 and R2, Windows 10 Gold…

Priority: P267 (high)
CVSS 3.0 base score: 7.5 (vector CVSS:3.0/AV:N/AC:H/PR:N/UI:R/S:U/C:H/I:H/A:H)
EPSS: 44.27% (98.6th percentile)
Internet Explorer in Microsoft Windows 7 SP1, Windows Server 2008 and R2 SP1, Windows 8.1 and Windows RT 8.1, Windows Server 2012 and R2, Windows 10 Gold, 1511, 1607, 1703, 1709, and Windows Server 2016 allows remote code execution, due to how the scripting engine handles objects in memory, aka "Scripting Engine Memory Corruption Vulnerability". This CVE ID is unique from CVE-2018-0834, CVE-2018-0835, CVE-2018-0836, CVE-2018-0837, CVE-2018-0838, CVE-2018-0840, CVE-2018-0856, CVE-2018-0857, CVE-2018-0858, CVE-2018-0859, CVE-2018-0860, and CVE-2018-0861.

Affected

7 ranges (the version range and fixed-in fields are empty in the source)

Vendor                  Product                 Version range   Fixed in
microsoft               internet_explorer
microsoft               internet_explorer
microsoft               internet_explorer
microsoft_corporation   internet_explorer
msrc                    internet_explorer_10
msrc                    internet_explorer_11
msrc                    internet_explorer_9

Detection & IOCs (extracted from sources)

process: jscript9!Js::RegexHelper::RegexReplaceT
command: String.prototype.replace.call(vars[1], RegExp(), f);
command: CollectGarbage();
  • The exploit triggers a use-after-free in jscript9.dll via String.prototype.replace with a RegExp callback that frees the underlying string buffer (vars[0] = 1) and forces garbage collection (CollectGarbage()) mid-replace, causing a crash at jscript9!Js::RegexHelper::RegexReplaceT+0x122e5d on a movzx read from freed memory.
  • The vulnerability is exploitable via a web-based attack in which an attacker hosts a specially crafted website targeting Internet Explorer, or embeds an ActiveX control marked 'safe for initialization' in an Office document that hosts the IE rendering engine.
  • The exploit pattern involves allocating a large string (1,000,000 chars), taking a substring, then calling String.prototype.replace with a RegExp and a callback that nullifies the original string and triggers GC; monitor for a large string allocation followed by replace-plus-GC patterns in jscript9 engine activity.
  • The exploit PoC (Exploit-DB 44153) targets Internet Explorer 11 on a 64-bit system (amd64); the crash address and register values are specific to that build and may differ across IE versions or patch levels.
  • Microsoft's advisory rates exploitation as 'More Likely' for both the latest and older software releases, but marks the vulnerability as not yet publicly exploited at the time of publication.

CVSS provenance

Source        Version   Score   Severity    Vector
nvd           v3.0      7.5     HIGH        CVSS:3.0/AV:N/AC:H/PR:N/UI:R/S:U/C:H/I:H/A:H
nvd           v2.0      9.3     CRITICAL    AV:N/AC:M/Au:N/C:C/I:C/A:C
ghsa                    7.5     HIGH
osv                     7.5     HIGH
vendor_msrc             6.4     MEDIUM