CVE-2018-8467
published 2018-09-13


Priority: P268 (high)
CVSS 3.0: 7.5 (CVSS:3.0/AV:N/AC:H/PR:N/UI:R/S:U/C:H/I:H/A:H)
Exploit: yes (PoC referenced in the detection notes below)
EPSS: 69.02% (99.3rd percentile)
A remote code execution vulnerability exists in the way that the Chakra scripting engine handles objects in memory in Microsoft Edge, aka "Chakra Scripting Engine Memory Corruption Vulnerability." This affects Microsoft Edge, ChakraCore. This CVE ID is unique from CVE-2018-8367, CVE-2018-8465, CVE-2018-8466.

Affected

25 ranges

| Vendor | Product | Version range | Fixed in |
|---|---|---|---|
| microsoft | chakracore | <= 1.10.1 | |
| microsoft | chakracore | | |
| microsoft | microsoft_edge | | |
| microsoft | microsoft_edge | | |
| microsoft | microsoft_edge | | |
| microsoft | microsoft_edge | | |
| microsoft | microsoft_edge | | |
| microsoft | microsoft_edge | | |
| microsoft | microsoft_edge | | |
| microsoft | microsoft_edge | | |
| microsoft | microsoft_edge | | |
| microsoft | microsoft_edge | | |
| microsoft | microsoft_edge | | |
| msrc | chakracore | | |
| msrc | microsoft_edge_on_windows_10_for_32-bit_systems | | |
| msrc | microsoft_edge_on_windows_10_for_x64-based_systems | | |
| msrc | microsoft_edge_on_windows_10_version_1607_for_32-bit_systems | | |
| msrc | microsoft_edge_on_windows_10_version_1607_for_x64-based_systems | | |
| msrc | microsoft_edge_on_windows_10_version_1703_for_32-bit_systems | | |
| msrc | microsoft_edge_on_windows_10_version_1703_for_x64-based_systems | | |
| msrc | microsoft_edge_on_windows_10_version_1709_for_32-bit_systems | | |
| msrc | microsoft_edge_on_windows_10_version_1709_for_x64-based_systems | | |
| msrc | microsoft_edge_on_windows_10_version_1803_for_32-bit_systems | | |
| msrc | microsoft_edge_on_windows_10_version_1803_for_x64-based_systems | | |
| msrc | microsoft_edge_on_windows_server_2016 | | |

Detection & IOCs (extracted from sources)

Version: chakra.dll 11.00.14393.447
Other: MS.Edge.Chakra.JavascriptArray.TypeId.Memory.Corruption

  • The vulnerability is triggered when JavascriptNativeFloatArray::ConvertToVarArray() is called due to type confusion in the Chakra JIT compiler: a NativeFloatArray is treated as ObjectType::Object because the switch statement in GlobOpt::UpdateObjPtrValueType() handles Js::TypeIds_Array but not Js::TypeIds_NativeIntArray or Js::TypeIds_NativeFloatArray.
  • The type confusion bug triggers JavascriptNativeFloatArray::ConvertToVarArray(), which converts a JavascriptNativeFloatArray to a JavascriptArray by overwriting the TypeId field via JIT-generated code, resulting in memory corruption when the TypeId field is accessed later.
  • The PoC pattern involves assigning a float value to arr[0], then assigning an object to arr2[0] via a method call, then assigning a small float (2.3023e-320) to arr[0]; monitor for JIT-compiled JavaScript exhibiting this array type coercion pattern in Microsoft Edge.
  • Exploitation relies on waiting for the Chakra JIT server to compile the opt() function before triggering the type confusion; a setTimeout delay (e.g. 100 ms) is used in the PoC to allow JIT compilation to complete before the vulnerable code path is hit.
  • Assembly analysis and memory addresses (e.g. 0xf010280) are specific to chakra.dll version 11.00.14393.447; offsets and behavior may differ across other versions of Microsoft Edge / ChakraCore.

CVSS provenance

| Source | CVSS version | Score | Severity | Vector |
|---|---|---|---|---|
| nvd | v3.0 | 7.5 | HIGH | CVSS:3.0/AV:N/AC:H/PR:N/UI:R/S:U/C:H/I:H/A:H |
| nvd | v2.0 | 7.6 | HIGH | AV:N/AC:H/Au:N/C:C/I:C/A:C |
| ghsa | | 7.5 | HIGH | |
| osv | | 7.5 | HIGH | |
| vendor_msrc | | 4.2 | MEDIUM | |