CVE-2018-1022Out-of-bounds Write in Microsoft Chakracore

CWE-787Out-of-bounds WriteCWE-1022Use of Web Link to Untrusted Target with window.opener AccessCWE-125Out-of-bounds Read12 documents6 sources
Severity
7.5HIGHNVD
EPSS
16.6%
top 5.07%
CISA KEV
Not in KEV
Exploit
No known exploits
Affected products
4
Microsoft ChakracoreMicrosoft Internet Explorer 11Microsoft Edge+1 more
Timeline
PublishedMay 9
Latest updateDec 29

Description

A remote code execution vulnerability exists in the way the scripting engine handles objects in memory in Microsoft browsers, aka "Scripting Engine Memory Corruption Vulnerability." This affects ChakraCore, Internet Explorer 11, Microsoft Edge. This CVE ID is unique from CVE-2018-0945, CVE-2018-0946, CVE-2018-0951, CVE-2018-0953, CVE-2018-0954, CVE-2018-0955, CVE-2018-8114, CVE-2018-8122, CVE-2018-8128, CVE-2018-8137, CVE-2018-8139.

CVSS vector

CVSS:3.0/AV:N/AC:H/PR:N/UI:R/S:U/C:H/I:H/A:HExploitability: 1.6 | Impact: 5.9

Affected Packages5 packages

CVEListV5microsoft/internet_explorer_1118 versions+17
CVEListV5microsoft/chakracoreChakraCore
CVEListV5microsoft/microsoft_edge11 versions+10

Patches

Patch: portal.msrc.microsoft.comPatch: portal.msrc.microsoft.com

🔴Vulnerability Details

9
GHSA
Twitter-Post-Fetcher vulnerable to Use of Web Link to Untrusted Target with window.opener Access2022-12-29
GHSA
ChakraCore RCE Vulnerability2022-05-13
OSV
ChakraCore RCE Vulnerability2022-05-13
GHSA
ChakraCore RCE Vulnerability2022-05-13
GHSA
ChakraCore RCE Vulnerability2022-05-13

📋Vendor Advisories

1
Microsoft
Scripting Engine Memory Corruption Vulnerability2018-05-08

💬Community

1
Bugzilla
CVE-2018-12544 vertx: API Validation XML Schemas do not forbid file system access2018-10-11
CVE-2018-1022 — Out-of-bounds Write in Microsoft | cvebase