Public exploit available

Public proof-of-concept or exploit code exists (ExploitDB / Metasploit / Nuclei).

CVE-2018-8617 — Out-of-bounds Write in Microsoft Chakracore

CWE-787 — Out-of-bounds Write CWE-617 — Reachable Assertion14 documents9 sources

Severity

7.5HIGHNVD

EPSS

90.6%

top 0.39%

CISA KEV

Not in KEV

Exploit

PoC available

Public exploit / PoC exists

Affected products

Microsoft Chakracore Microsoft Edge

Timeline

PublishedDec 12

Latest updateMay 13

Description

A remote code execution vulnerability exists in the way that the Chakra scripting engine handles objects in memory in Microsoft Edge, aka "Chakra Scripting Engine Memory Corruption Vulnerability." This affects Microsoft Edge, ChakraCore. This CVE ID is unique from CVE-2018-8583, CVE-2018-8618, CVE-2018-8624, CVE-2018-8629.

CVSS vector

CVSS:3.0/AV:N/AC:H/PR:N/UI:R/S:U/C:H/I:H/A:HExploitability: 1.6 | Impact: 5.9

Affected Packages2 packages

▶CVEListV5microsoft/chakracoreChakraCore

▶CVEListV5microsoft/microsoft_edge17 versions+16

Patches

Patch: portal.msrc.microsoft.com ↗Patch: portal.msrc.microsoft.com ↗

🔴Vulnerability Details

GHSA

ChakraCore RCE Vulnerability↗2022-05-13

▶

OSV

ChakraCore RCE Vulnerability↗2022-05-13

▶

GHSA

ChakraCore RCE Vulnerability↗2022-05-13

▶

GHSA

ChakraCore RCE Vulnerability↗2022-05-13

▶

GHSA

ChakraCore Remote code execution Vulnerability↗2022-05-13

▶

💥Exploits & PoCs

Exploit-DB

Microsoft Edge Chakra - 'InlineArrayPush' Type Confusion↗2019-01-18

▶

🔍Detection Rules

Suricata

ET EXPLOIT Microsoft Edge Chakra - InlineArrayPush Type Confusion Inbound M2 (CVE-2018-8617)↗2021-09-21

▶

Suricata

ET EXPLOIT Microsoft Edge Chakra - InlineArrayPush Type Confusion Inbound M1 (CVE-2018-8617)↗2021-08-25

▶

📋Vendor Advisories

Red Hat

bind: A logic error in code which checks TSIG validity can be used to trigger an assertion failure in tsig.c↗2020-05-19

▶

Microsoft

Chakra Scripting Engine Memory Corruption Vulnerability↗2018-12-11

▶