cbcvebase.
CVE-2018-0935
published 2018-03-14

CVE-2018-0935: Internet Explorer in Microsoft Windows 7 SP1, Windows Server 2008 and R2 SP1, Windows 8.1 and Windows RT 8.1, Windows Server 2012 and R2, Windows 10 Gold…

PriorityP269high7.5CVSS 3.0
AVNACHPRNUIRSUCHIHAH
EXPLOIT
EPSS
55.88%
98.9th percentile
Internet Explorer in Microsoft Windows 7 SP1, Windows Server 2008 and R2 SP1, Windows 8.1 and Windows RT 8.1, Windows Server 2012 and R2, Windows 10 Gold, 1511, 1607, 1703, 1709, and Windows Server 2016 allows remote code execution, due to how the scripting engine handles objects in memory, aka "Scripting Engine Memory Corruption Vulnerability". This CVE ID is unique from CVE-2018-0876, CVE-2018-0889, CVE-2018-0893, and CVE-2018-0925.

Affected

7 ranges
VendorProductVersion rangeFixed in
microsoftinternet_explorer
microsoftinternet_explorer
microsoftinternet_explorer
microsoft_corporationinternet_explorer
msrcinternet_explorer_10
msrcinternet_explorer_11
msrcinternet_explorer_9

Detection & IOCsextracted from sources · hover to see the quote

processjscript!JsArraySplice
processjscript!ConvertToObject
  • CVE-2018-0935 is a Use-After-Free vulnerability triggered via jscript Array methods (e.g., Array.splice) in Internet Explorer's jscript.dll scripting engine. Monitor for crashes or suspicious execution originating from jscript!JsArraySplice or jscript!ConvertToObject call chains within iexplore.exe or MSHTML-hosted processes.
  • Exploitation vector is web-based: attacker hosts a specially crafted website exploited through Internet Explorer, or embeds an ActiveX control marked 'safe for initialization' in an Office document hosting the IE rendering engine. Alert on IE navigating to untrusted sites or Office spawning MSHTML-based script execution.
  • Exploitation likelihood is rated 'More Likely' for both latest and older software releases per Microsoft. Prioritize detection and patching for systems running Internet Explorer on any supported Windows 10 or Windows Server 2016 build.
  • ·The exploit-db entry (44404) covers 'Multiple Use-After-Free Issues in jscript Array Methods' and is not exclusively tied to CVE-2018-0935; the same PoC call stack may be relevant to related CVEs (e.g., CVE-2018-0876, CVE-2018-0889, CVE-2018-0893, CVE-2018-0925). Validate which specific Array method path maps to CVE-2018-0935 before deploying detections.
  • ·Microsoft confirmed no in-the-wild exploitation at time of patch release (Exploited:No), though exploitation was rated 'More Likely'. Treat detection signals as high-priority but not confirmed active campaign indicators.

CVSS provenance

nvdv3.07.5HIGHCVSS:3.0/AV:N/AC:H/PR:N/UI:R/S:U/C:H/I:H/A:H
nvdv2.07.6HIGHAV:N/AC:H/Au:N/C:C/I:C/A:C
ghsa7.5HIGH
osv7.5HIGH
vendor_msrc6.4MEDIUM
CVEs like this are exactly what “Exploited This Week” covers.

Every Monday: what got weaponized or added to CISA KEV in the last seven days — each CVE cross-linked to its PoC, Nuclei template, and detection rule. Free, one email a week, unsubscribe in one click.