CVE-2018-0939 — Missing Release of Memory after Effective Lifetime in Microsoft Internet Explorer

CWE-401 — Missing Release of Memory after Effective Lifetime CWE-787 — Out-of-bounds Write8 documents6 sources

Severity

4.3MEDIUMNVD

EPSS

12.0%

top 6.19%

CISA KEV

Not in KEV

Exploit

No known exploits

Affected products

Microsoft Internet Explorer Msrc Chakracore Msrc Microsoft Edge ON Windows 10 Version 1703 FOR 32-bit Systems +3 more

Timeline

PublishedMar 14

Latest updateMay 13

Description

ChakraCore and Microsoft Edge in Windows 10 1703 and 1709 allow information disclosure, due to how the scripting engine handles objects in memory, aka "Scripting Engine Information Disclosure Vulnerability". This CVE ID is unique from CVE-2018-0891.

CVSS vector

CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:U/C:L/I:N/A:NExploitability: 2.8 | Impact: 1.4

Affected Packages6 packages

▶msrcmsrc/microsoft_edge_on_windows_10_version_1703_for_32-bit_systems

▶msrcmsrc/microsoft_edge_on_windows_10_version_1709_for_32-bit_systems

▶msrcmsrc/microsoft_edge_on_windows_10_version_1703_for_x64-based_systems

▶msrcmsrc/microsoft_edge_on_windows_10_version_1709_for_x64-based_systems

▶msrcmsrc/chakracore

Patches

Patch: portal.msrc.microsoft.com ↗Patch: portal.msrc.microsoft.com ↗

🔴Vulnerability Details

GHSA

GHSA-qpvj-752h-7r4r: ChakraCore, and Internet Explorer in Microsoft Windows 7 SP1, Windows Server 2008 and R2 SP1, Windows 8↗2022-05-13

▶

OSV

ChakraCore information disclosure vulnerability↗2022-05-13

▶

GHSA

ChakraCore information disclosure vulnerability↗2022-05-13

▶

📋Vendor Advisories

Microsoft

Scripting Engine Memory Corruption Vulnerability↗2018-03-13

▶

🕵️Threat Intelligence

Talos

Microsoft Patch Tuesday - March 2018↗2018-03-13

▶

Talos

Microsoft Patch Tuesday - March 2018↗2018-03-13

▶