
CVE-2018-0934: ChakraCore RCE Vulnerability

CVSS Score: 7.5 (CVSS 3.0)

Basic Information

EPSS Score: 0.99319%
Published: 5/13/2022
Updated: 10/5/2023
KEV Status: No
Technology: C#

Technical Details

CVSS Vector: CVSS:3.0/AV:N/AC:H/PR:N/UI:R/S:U/C:H/I:H/A:H

Package Name: Microsoft.ChakraCore
Ecosystem: nuget
Vulnerable Versions: < 1.8.2
First Patched Version: 1.8.2

Vulnerability Intelligence

Miggo AI Root Cause Analysis

The vulnerability stems from improper handling of stack-to-heap transitions during JIT bailout. Key issues were:

  1. The RestoreFrames/Restore functions passed 'deepCopy=false' during bailout, allowing stack-based arrays to be cached.
  2. BoxStackInstance's caching logic didn't differentiate between shallow and deep copies, enabling reuse of invalidated deep copies.

The commit fixes these by:

  • Replacing 'deepCopy' with 'boxValues' in frame restoration
  • Avoiding caching when doing deep copies
  • Ensuring proper boxing during bailout paths

These changes directly correlate to the CWE-787 (out-of-bounds write) described in the vulnerability.
