CVE-2018-8355
published 2018-08-15


Priority: P2 (68) · Severity: high · CVSS 3.0 base score: 7.5
CVSS 3.0 vector: AV:N/AC:H/PR:N/UI:R/S:U/C:H/I:H/A:H
Tags: EXPLOIT
EPSS: 68.24% (99.2th percentile)
A remote code execution vulnerability exists in the way the scripting engine handles objects in memory in Microsoft browsers, aka "Scripting Engine Memory Corruption Vulnerability." This affects ChakraCore, Internet Explorer 11, Microsoft Edge. This CVE ID is unique from CVE-2018-8353, CVE-2018-8359, CVE-2018-8371, CVE-2018-8372, CVE-2018-8373, CVE-2018-8385, CVE-2018-8389, CVE-2018-8390.

Affected

14 ranges

Vendor       Product                 Version range   Fixed in
microsoft    chakracore              <= 1.10.1
microsoft    chakracore
microsoft    internet_explorer
microsoft    internet_explorer
microsoft    internet_explorer
microsoft    microsoft_edge
microsoft    microsoft_edge
microsoft    microsoft_edge
microsoft    microsoft_edge
microsoft    microsoft_edge
microsoft    microsoft_edge
msrc         chakracore
msrc         internet_explorer_11
msrc         microsoft_edge

Detection & IOCs (extracted from sources)

command: 'a'.localeCompare(s) with overridden toString triggering type confusion in Chakra JIT
  • The vulnerability is triggered via String.prototype.localeCompare inlining in Chakra JIT when the argument's toString method is overridden; monitor for JIT-compiled JavaScript that overrides toString on an object passed to localeCompare, especially in Microsoft Edge/IE contexts.
  • The exploit relies on partially optimizing localeCompare so that an unprofiled instruction triggers a bailout that clears ImplicitCallFlags; look for patterns where localeCompare is called in a hot loop followed by type-confused array element assignments (e.g., float to object).
  • CVE-2018-8355 affects the Microsoft Scripting Engine (Chakra) in Microsoft browsers; patch reference is ChakraCore v1.10.2 — systems running older ChakraCore versions are vulnerable.
  • Exploit status is 'Exploitation More Likely' for the latest software release; prioritize patching with KB4343885, KB4343909, KB4343897, KB4343892, KB4343887, KB4343900, KB4343205, KB4343898.
  • The type confusion only occurs when Intl is enabled in Chakra, because the C++ localeCompare calls the JavaScript version without updating ImplicitCallFlags only in that code path.
  • The exploit requires JIT profiling to be active; the attacker must prevent profiling of the inner conditional ('if (locales === undefined && options === undefined)') by throwing before it is reached, so detection logic should account for try/catch abuse around localeCompare calls.

CVSS provenance

Source        Version   Score   Severity   Vector
nvd           v3.0      7.5     HIGH       CVSS:3.0/AV:N/AC:H/PR:N/UI:R/S:U/C:H/I:H/A:H
nvd           v2.0      7.6     HIGH       AV:N/AC:H/Au:N/C:C/I:C/A:C
ghsa                    7.5     HIGH
osv                     7.5     HIGH
vulncheck               7.5     HIGH
vendor_msrc             4.2     MEDIUM