CVE-2018-8384
published 2018-08-15

Priority: P2 · 66 · high
CVSS 3.0: 7.5 (AV:N/AC:H/PR:N/UI:R/S:U/C:H/I:H/A:H)
Exploit: available (see PoC below)
EPSS: 62.11% (99.1st percentile)

A remote code execution vulnerability exists in the way that the Chakra scripting engine handles objects in memory in Microsoft Edge, aka "Chakra Scripting Engine Memory Corruption Vulnerability." This affects ChakraCore. This CVE ID is unique from CVE-2018-8266, CVE-2018-8380, CVE-2018-8381.

Affected (3 ranges)

Vendor      Product      Version range   Fixed in
microsoft   chakracore   <= 1.10.1       1.10.2
microsoft   chakracore
msrc        chakracore

Detection & IOCs (extracted from sources)

Trigger (PoC):

    let o = {
        get a() {},
        0: 0,           // Deoptimizing object header inlining
        a: 0x1234
    };
    o.a;                // Type confusion
  • Look for JavaScript object literals that combine a getter (`get a() {}`) with a numeric index property (e.g., `0: 0`) and then re-declare the getter's name as a data property (`a: 0x1234`) in the same literal; the numeric key is the deoptimization trigger for object header inlining in Chakra, and the re-declaration is what turns the stale accessor attribute into a type confusion.
  • The vulnerability is triggered via `PathTypeHandlerBase::SetAttributesHelper`: when object header inlining is deoptimized and removal of the `ObjectSlotAttr_Accessor` attribute fails, the data value written to the slot is still treated as an accessor, so the access `o.a` handles the stored integer as if it were a getter. Monitor for type confusion in ChakraCore's path type handler code path.
  • The exploit class is 'PathTypeHandlerBase::SetAttributesHelper Type Confusion' in Microsoft Edge's Chakra scripting engine; alert on exploitation attempts targeting ChakraCore versions prior to v1.10.2.
  • The vulnerability is rated 'Exploitation More Likely' for the latest software release by Microsoft and has been publicly disclosed; prioritize patching ChakraCore to v1.10.2 or later.
  • The fix is a source-level commit to ChakraCore; the patched release is v1.10.2. Environments running ChakraCore (embedded in Microsoft Edge or standalone) below this version remain vulnerable.
  • The type confusion only triggers when object header inlining is deoptimized (e.g., by adding a numeric index property to the object literal), which is a specific code path; generic JS scanning may miss this pattern without targeted rules.
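As an added example (not code from this page, Microsoft or the ChakraCore project), the following JavaScript implements the targeted rule the bullets above call for: a static triage scanner that flags an object literal which, at the same nesting level, declares a getter, declares a numeric index key, and re-declares the getter's name as a data property. The function names and the three sample snippets are constructed for the example; the scanner is regex-based rather than a full parser, so hits are leads for analyst review, not proof of exploitation.

```javascript
// Heuristic scanner for the CVE-2018-8384 trigger shape: an object literal
// with (1) a getter `get x()`, (2) a numeric index key such as `0: 0`, which
// deoptimizes object header inlining in Chakra, and (3) `x` re-declared as a
// data property in the same literal. Added example, not ChakraCore code.

// Replace comments with same-length whitespace so reported offsets still
// point into the original source text.
function stripComments(src) {
  return src
    .replace(/\/\*[\s\S]*?\*\//g, m => ' '.repeat(m.length))
    .replace(/\/\/[^\n]*/g, m => ' '.repeat(m.length));
}

// Every balanced {...} span in the text as [openIndex, closeIndex].
function braceSpans(src) {
  const spans = [];
  const stack = [];
  for (let i = 0; i < src.length; i++) {
    if (src[i] === '{') stack.push(i);
    else if (src[i] === '}' && stack.length) spans.push([stack.pop(), i]);
  }
  return spans;
}

// Collapse nested {...} blocks (getter bodies, inner literals) to {} so the
// property regexes below only see this literal's own members.
function flattenNested(body) {
  let out = '';
  let depth = 0;
  for (const ch of body) {
    if (ch === '{') { if (depth === 0) out += '{'; depth++; }
    else if (ch === '}') { depth--; if (depth === 0) out += '}'; }
    else if (depth === 0) out += ch;
  }
  return out;
}

// Identifiers may contain `$`, which is a regex metacharacter.
function escapeRe(s) {
  return s.replace(/[.*+?^${}()|[\]\\]/g, '\\$&');
}

const GETTER_RE = /\bget\s+([A-Za-z_$][\w$]*)\s*\(/g;
// A numeric index key at this level: 0: ..., "0": ..., '0': ...
const NUMERIC_KEY_RE = /(?:^|[{,])\s*(?:\d+|["']\d+["'])\s*:/;

// Returns one hit per (object literal, getter name) that shows all three
// ingredients. `offset` is the index of the literal's opening brace.
function findChakraHeaderInliningTriggers(src) {
  const clean = stripComments(src);
  const hits = [];
  for (const [start, end] of braceSpans(clean)) {
    const flat = flattenNested(clean.slice(start + 1, end));
    if (!NUMERIC_KEY_RE.test(flat)) continue;
    for (const m of flat.matchAll(GETTER_RE)) {
      const name = m[1];
      const dataPropRe = new RegExp('(?:^|[{,])\\s*' + escapeRe(name) + '\\s*:');
      if (dataPropRe.test(flat)) hits.push({ property: name, offset: start });
    }
  }
  return hits;
}

// Constructed samples: POC mirrors the trigger quoted on the page; the other
// two each drop one ingredient and must not be flagged.
const POC = `let o = {
    get a() {},
    0: 0, // Deoptimizing object header inlining
    a: 0x1234
};
o.a; // Type confusion`;

const NO_NUMERIC_KEY = `let o = { get a() {}, a: 0x1234 }; o.a;`;
const NO_REDECLARE = `let o = { get a() {}, 0: 0, b: 0x1234 }; o.a;`;

for (const [label, src] of [['POC', POC], ['NO_NUMERIC_KEY', NO_NUMERIC_KEY], ['NO_REDECLARE', NO_REDECLARE]]) {
  console.log(label, JSON.stringify(findChakraHeaderInliningTriggers(src)));
}
```

Only `POC` produces a hit (`{"property":"a","offset":8}`); the variants without the numeric key or without the re-declaration are left alone, which is the point of the third bullet above: a rule that keys on getters alone, or on numeric keys alone, either floods the queue or misses the deoptimized path entirely.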

CVSS provenance

Source        Version   Score   Severity   Vector
nvd           v3.0      7.5     HIGH       CVSS:3.0/AV:N/AC:H/PR:N/UI:R/S:U/C:H/I:H/A:H
nvd           v2.0      7.6     HIGH       AV:N/AC:H/Au:N/C:C/I:C/A:C
ghsa                    7.5     HIGH
osv                     7.5     HIGH
vendor_msrc             4.2     MEDIUM