CVE-2018-0891
published 2018-03-14

CVE-2018-0891: ChakraCore, and Internet Explorer in Microsoft Windows 7 SP1, Windows Server 2008 and R2 SP1, Windows 8.1 and Windows RT 8.1, Windows Server 2012 and R2, and…

Priority: P3 · 35 · medium · 4.3 (CVSS 3.0)
Vector: AV:N/AC:L/PR:N/UI:R/S:U/C:L/I:N/A:N
EXPLOIT
EPSS: 14.74% (96.3rd percentile)
ChakraCore, and Internet Explorer in Microsoft Windows 7 SP1, Windows Server 2008 and R2 SP1, Windows 8.1 and Windows RT 8.1, Windows Server 2012 and R2, and Internet Explorer and Microsoft Edge in Windows 10 Gold, 1511, 1607, 1703, 1709, and Windows Server 2016 allow information disclosure, due to how the scripting engine handles objects in memory, aka "Scripting Engine Information Disclosure Vulnerability". This CVE ID is unique from CVE-2018-0939.

Affected

8 ranges
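| Vendor | Product | Version range | Fixed in |
|---|---|---|---|
| microsoft | internet_explorer | | |
| microsoft | internet_explorer | | |
| microsoft | internet_explorer | | |
| msrc | chakracore | | |
| msrc | internet_explorer_10 | | |
| msrc | internet_explorer_11 | | |
| msrc | internet_explorer_9 | | |
| msrc | microsoft_edge | | |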

Detection & IOCs (extracted from sources)

  • Trigger pattern: setting RegExp.input to an object with a custom toString that calls String.prototype.match, then reading RegExp.lastMatch — this is the PoC exploit pattern for the IE memory disclosure.
  • The vulnerability is triggered via the scripting engine's handling of RegExp.lastMatch in Internet Explorer; monitor for JavaScript leveraging RegExp.input with a custom toString callback combined with large string allocations (e.g., Array(10000000).join) as a heap-grooming/disclosure primitive.
  • Exploit delivery is web-based; attacker hosts or compromises a website to serve malicious JavaScript. Monitor for drive-by script patterns matching RegExp.lastMatch memory disclosure in IE/Edge browser telemetry.
  • CVE-2018-0891 is rated 'Exploitation More Likely' for both latest and older software releases — prioritize detection on Internet Explorer 11 and Microsoft Edge on all supported Windows versions.
  • PoC is not reliable — it may cause a crash instead of memory disclosure; exploit stability in weaponized versions may vary.
  • The vulnerability is distinct from CVE-2018-0939, which is a separate scripting engine information disclosure; ensure detection rules target the RegExp.lastMatch vector specifically.

CVSS provenance

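| Source | Version | Score | Severity | Vector |
|---|---|---|---|---|
| nvd | v3.0 | 4.3 | MEDIUM | CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:U/C:L/I:N/A:N |
| nvd | v2.0 | 4.3 | MEDIUM | AV:N/AC:M/Au:N/C:P/I:N/A:N |
| ghsa | | 4.3 | MEDIUM | |
| osv | | 4.3 | MEDIUM | |
| vendor_msrc | | 4.3 | MEDIUM | |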