CVE-2018-8384
published 2018-08-15CVE-2018-8384: A remote code execution vulnerability exists in the way that the Chakra scripting engine handles objects in memory in Microsoft Edge, aka "Chakra Scripting…
PriorityP266high7.5CVSS 3.0
AVNACHPRNUIRSUCHIHAH
EXPLOIT
EPSS
62.11%
99.1th percentile
A remote code execution vulnerability exists in the way that the Chakra scripting engine handles objects in memory in Microsoft Edge, aka "Chakra Scripting Engine Memory Corruption Vulnerability." This affects ChakraCore. This CVE ID is unique from CVE-2018-8266, CVE-2018-8380, CVE-2018-8381.
Affected
3 ranges
| Vendor | Product | Version range | Fixed in |
|---|---|---|---|
| microsoft | chakracore | <= 1.10.1 | — |
| microsoft | chakracore | — | — |
| msrc | chakracore | — | — |
Detection & IOCsextracted from sources · hover to see the quote
commandlet o = {
get a() {},
0: 0, // Deoptimizing object header inlining
a: 0x1234
};
o.a; // Type confusion↗
- →Look for JavaScript patterns that combine a getter property with a numeric index property (e.g., `0: 0`) on the same object literal, followed by reassignment of the getter property — this is the deoptimization trigger for object header inlining in Chakra. ↗
- →The vulnerability is triggered via `PathTypeHandlerBase::SetAttributesHelper` when object header inlining is deoptimized and `ObjectSlotAttr_Accessor` removal fails, causing a data value to be treated as an accessor — monitor for type confusion in ChakraCore's path type handler code path. ↗
- →The exploit class is 'PathTypeHandlerBase::SetAttributesHelper Type Confusion' in Microsoft Edge's Chakra scripting engine — alert on exploitation attempts targeting ChakraCore versions prior to v1.10.2. ↗
- ·The vulnerability is rated 'Exploitation More Likely' for the latest software release by Microsoft, and has been publicly disclosed — prioritize patching ChakraCore to v1.10.2 or later. ↗
- ·The fix is a source-level commit to ChakraCore; the patched release is v1.10.2 — environments running ChakraCore (embedded in Microsoft Edge or standalone) below this version remain vulnerable. ↗
- ·The type confusion only triggers when object header inlining is deoptimized (e.g., by adding a numeric index property to the object literal), which is a specific code path — generic JS scanning may miss this pattern without targeted rules. ↗
CVSS provenance
nvdv3.07.5HIGHCVSS:3.0/AV:N/AC:H/PR:N/UI:R/S:U/C:H/I:H/A:H
nvdv2.07.6HIGHAV:N/AC:H/Au:N/C:C/I:C/A:C
ghsa7.5HIGH
osv7.5HIGH
vendor_msrc4.2MEDIUM
CVEs like this are exactly what “Exploited This Week” covers.
Every Monday: what got weaponized or added to CISA KEV in the last seven days — each CVE cross-linked to its PoC, Nuclei template, and detection rule. Free, one email a week, unsubscribe in one click.
OSV
ChakraCore RCE Vulnerability
osv·2022-05-13·CVSS 7.5
CVE-2018-8381 [HIGH] ChakraCore RCE Vulnerability
ChakraCore RCE Vulnerability
A remote code execution vulnerability exists in the way that the Chakra scripting engine handles objects in memory in Microsoft Edge, aka "Chakra Scripting Engine Memory Corruption Vulnerability." This affects Microsoft Edge, ChakraCore. This CVE ID is unique from CVE-2018-8266, CVE-2018-8380, CVE-2018-8384.
GHSA
ChakraCore RCE Vulnerability
ghsa·2022-05-13·CVSS 7.5
CVE-2018-8381 [HIGH] CWE-787 ChakraCore RCE Vulnerability
ChakraCore RCE Vulnerability
A remote code execution vulnerability exists in the way that the Chakra scripting engine handles objects in memory in Microsoft Edge, aka "Chakra Scripting Engine Memory Corruption Vulnerability." This affects Microsoft Edge, ChakraCore. This CVE ID is unique from CVE-2018-8266, CVE-2018-8380, CVE-2018-8384.
OSV
ChakraCore RCE Vulnerability
osv·2022-05-13·CVSS 7.5
CVE-2018-8384 [HIGH] ChakraCore RCE Vulnerability
ChakraCore RCE Vulnerability
A remote code execution vulnerability exists in the way that the Chakra scripting engine handles objects in memory in Microsoft Edge, aka "Chakra Scripting Engine Memory Corruption Vulnerability." This affects ChakraCore. This CVE ID is unique from CVE-2018-8266, CVE-2018-8380, CVE-2018-8381.
GHSA
ChakraCore remote code execution vulnerability
ghsa·2022-05-13·CVSS 7.5
CVE-2018-8380 [HIGH] CWE-787 ChakraCore remote code execution vulnerability
ChakraCore remote code execution vulnerability
A remote code execution vulnerability exists in the way that the Chakra scripting engine handles objects in memory in Microsoft Edge, aka "Chakra Scripting Engine Memory Corruption Vulnerability." This affects Microsoft Edge, ChakraCore. This CVE ID is unique from CVE-2018-8266, CVE-2018-8381, CVE-2018-8384.
OSV
ChakraCore RCE Vulnerability
osv·2022-05-13·CVSS 7.5
CVE-2018-8266 [HIGH] ChakraCore RCE Vulnerability
ChakraCore RCE Vulnerability
A remote code execution vulnerability exists in the way that the Chakra scripting engine handles objects in memory in Microsoft Edge, aka "Chakra Scripting Engine Memory Corruption Vulnerability." This affects Microsoft Edge, ChakraCore. This CVE ID is unique from CVE-2018-8380, CVE-2018-8381, CVE-2018-8384.
GHSA
ChakraCore RCE Vulnerability
ghsa·2022-05-13·CVSS 7.5
CVE-2018-8266 [HIGH] CWE-787 ChakraCore RCE Vulnerability
ChakraCore RCE Vulnerability
A remote code execution vulnerability exists in the way that the Chakra scripting engine handles objects in memory in Microsoft Edge, aka "Chakra Scripting Engine Memory Corruption Vulnerability." This affects Microsoft Edge, ChakraCore. This CVE ID is unique from CVE-2018-8380, CVE-2018-8381, CVE-2018-8384.
OSV
ChakraCore remote code execution vulnerability
osv·2022-05-13·CVSS 7.5
CVE-2018-8380 [HIGH] ChakraCore remote code execution vulnerability
ChakraCore remote code execution vulnerability
A remote code execution vulnerability exists in the way that the Chakra scripting engine handles objects in memory in Microsoft Edge, aka "Chakra Scripting Engine Memory Corruption Vulnerability." This affects Microsoft Edge, ChakraCore. This CVE ID is unique from CVE-2018-8266, CVE-2018-8381, CVE-2018-8384.
GHSA
ChakraCore RCE Vulnerability
ghsa·2022-05-13·CVSS 7.5
CVE-2018-8384 [HIGH] CWE-843 ChakraCore RCE Vulnerability
ChakraCore RCE Vulnerability
A remote code execution vulnerability exists in the way that the Chakra scripting engine handles objects in memory in Microsoft Edge, aka "Chakra Scripting Engine Memory Corruption Vulnerability." This affects ChakraCore. This CVE ID is unique from CVE-2018-8266, CVE-2018-8380, CVE-2018-8381.
Microsoft
Scripting Engine Memory Corruption Vulnerability
vendor_msrc·2018-08-14·CVSS 4.2
CVE-2018-8384 [HIGH] Scripting Engine Memory Corruption Vulnerability
Scripting Engine Memory Corruption Vulnerability
Description: A remote code execution vulnerability exists in the way that the ChakraCore scripting engine handles objects in memory. The vulnerability could corrupt memory in such a way that an attacker could execute arbitrary code in the context of the current user. An attacker who successfully exploited the vulnerability could gain the same user rights as the current user.
If the current user is logged on with administrative user rights, an attacker who successfully exploited the vulnerability could take control of an affected system. An attacker could then install programs; view, change, or delete data; or create new accounts with full user rights.
The security update addresses the vulnerability by modifying how the ChakraCore scripting
No detection rules found.
Trendmicro
August Patch Tuesday: A Tale of Two Zero-Days
blogs_trendmicro·2018-08-15·CVSS 7.5
[HIGH] August Patch Tuesday: A Tale of Two Zero-Days
Ausnutzung von Schwachstellen
## August Patch Tuesday: A Tale of Two Zero-Days
This month’s Microsoft Patch Tuesday includes important updates that patch two zero-day vulnerabilities that are already being actively exploited.
By: Trend Micro Aug 15, 2018 Read time: ( words)
Save to Folio
This month’s Microsoft Patch Tuesday includes important updates that patch two zero-day vulnerabilities that are already being actively exploited.
The first of these zero day vulnerabilities is CVE-2018-8373 , a use-after-free (UAF) vulnerability in VBscript engine that Trend Micro researchers found in Internet Explorer. This vulnerability bears many similarities to CVE-2018-8174 , another VBscript engine vulnerability that was patched back in May . Successful exploitation of this vulnerability could
Trendmicro
August Patch Tuesday: A Tale of Two Zero-Days
blogs_trendmicro·2018-08-15·CVSS 7.5
CVE-2018-8373 [HIGH] August Patch Tuesday: A Tale of Two Zero-Days
Exploits y vulnerabilidades
## August Patch Tuesday: A Tale of Two Zero-Days
This month’s Microsoft Patch Tuesday includes important updates that patch two zero-day vulnerabilities that are already being actively exploited.
By: Trend Micro Aug 15, 2018 Read time: ( words)
Save to Folio
This month’s Microsoft Patch Tuesday includes important updates that patch two zero-day vulnerabilities that are already being actively exploited.
The first of these zero day vulnerabilities is CVE-2018-8373 , a use-after-free (UAF) vulnerability in VBscript engine that Trend Micro researchers found in Internet Explorer. This vulnerability bears many similarities to CVE-2018-8174 , another VBscript engine vulnerability that was patched back in May . Successful exploitation of this vulnerability could a
Trendmicro
August Patch Tuesday: A Tale of Two Zero-Days
blogs_trendmicro·2018-08-15·CVSS 7.5
CVE-2018-8373 [HIGH] August Patch Tuesday: A Tale of Two Zero-Days
Exploits & Vulnerabilities
# August Patch Tuesday: A Tale of Two Zero-Days
This month’s Microsoft Patch Tuesday includes important updates that patch two zero-day vulnerabilities that are already being actively exploited.
By: Trend Micro
2018/08/15
Read time: ( words)
Save to Folio
This month’s Microsoft Patch Tuesday includes important updates that patch two zero-day vulnerabilities that are already being actively exploited.
The first of these zero day vulnerabilities is CVE-2018-8373, a use-after-free (UAF) vulnerability in VBscript engine that Trend Micro researchers found in Internet Explorer. This vulnerability bears many similarities to CVE-2018-8174, another VBscript engine vulnerability that was patched back in May. Successful exploitation of this vulnerability could allow a
Trendmicro
August Patch Tuesday: A Tale of Two Zero-Days
blogs_trendmicro·2018-08-15·CVSS 7.5
CVE-2018-8373 [HIGH] August Patch Tuesday: A Tale of Two Zero-Days
Exploits & Vulnerabilities
## August Patch Tuesday: A Tale of Two Zero-Days
This month’s Microsoft Patch Tuesday includes important updates that patch two zero-day vulnerabilities that are already being actively exploited.
By: Trend Micro Aug 15, 2018 Read time: ( words)
Save to Folio
This month’s Microsoft Patch Tuesday includes important updates that patch two zero-day vulnerabilities that are already being actively exploited.
The first of these zero day vulnerabilities is CVE-2018-8373 , a use-after-free (UAF) vulnerability in VBscript engine that Trend Micro researchers found in Internet Explorer. This vulnerability bears many similarities to CVE-2018-8174 , another VBscript engine vulnerability that was patched back in May . Successful exploitation of this vulnerability could al
Trendmicro
August Patch Tuesday: A Tale of Two Zero-Days
blogs_trendmicro·2018-08-15·CVSS 7.5
CVE-2018-8373 [HIGH] August Patch Tuesday: A Tale of Two Zero-Days
Exploits & Vulnerabilities
## August Patch Tuesday: A Tale of Two Zero-Days
This month’s Microsoft Patch Tuesday includes important updates that patch two zero-day vulnerabilities that are already being actively exploited.
By: Trend Micro 2018/08/15 Read time: ( words)
Save to Folio
This month’s Microsoft Patch Tuesday includes important updates that patch two zero-day vulnerabilities that are already being actively exploited.
The first of these zero day vulnerabilities is CVE-2018-8373 , a use-after-free (UAF) vulnerability in VBscript engine that Trend Micro researchers found in Internet Explorer. This vulnerability bears many similarities to CVE-2018-8174 , another VBscript engine vulnerability that was patched back in May . Successful exploitation of this vulnerability could allo
Talos
Microsoft Tuesday August 2018
blogs_talos·2018-08-14·CVSS 9.8
[CRITICAL] Microsoft Tuesday August 2018
## Microsoft Tuesday August 2018
Microsoft released its monthly set of security advisories today for vulnerabilities that have been identified and addressed in various products. This month's advisory release addresses 62 new vulnerabilities, 20 of which are rated “critical,” 38 that are rated “important,” one that is rated moderate and one that is rated as low severity. These vulnerabilities impact Windows Operating System, Edge and Internet Explorer, along with several other products.
In addition to the 60 vulnerabilities referenced above, Microsoft has also released a critical update advisory, ADV180020 which addresses the vulnerabilities described in the Adobe Flash Security Bulletin APSB18-25.
## Critical Vulnerabilities
This month, Microsoft is addressing 20 vulnerabilities that a
Talos
Microsoft Tuesday August 2018
blogs_talos·2018-08-14·CVSS 9.8
[CRITICAL] Microsoft Tuesday August 2018
Microsoft released its monthly set of security advisories today for vulnerabilities that have been identified and addressed in various products. This month's advisory release addresses 62 new vulnerabilities, 20 of which are rated “critical,” 38 that are rated “important,” one that is rated moderate and one that is rated as low severity. These vulnerabilities impact Windows Operating System, Edge and Internet Explorer, along with several other products.
In addition to the 60 vulnerabilities referenced above, Microsoft has also released a critical update advisory, ADV180020 which addresses the vulnerabilities described in the Adobe Flash Security Bulletin APSB18-25.
### Critical Vulnerabilities
This month, Microsoft is addressing 20 vulnerabilities that are rated "critical." Talos believ
http://www.securityfocus.com/bid/104981https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2018-8384https://www.exploit-db.com/exploits/45431/http://www.securityfocus.com/bid/104981https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2018-8384https://www.exploit-db.com/exploits/45431/
2018-08-15
Published