Miggo Logo
Miggo Vulnerability Database
CVE-2018-8380

CVE-2018-8380: ChakraCore remote code execution vulnerability

7.5

CVSS Score
3.0

Basic Information

CVE ID
CVE-2018-8380
GHSA ID
GHSA-rxg4-vw2v-rxm4
EPSS Score
0.89418%
CWE
CWE-787
Published
5/13/2022
Updated
8/28/2023
KEV Status
No
Technology
TechnologyC#

Technical Details

CVSS Vector
CVSS:3.0/AV:N/AC:H/PR:N/UI:R/S:U/C:H/I:H/A:H
Package NameEcosystemVulnerable VersionsFirst Patched Version
Microsoft.ChakraCorenuget< 1.10.21.10.2

Vulnerability Intelligence
Miggo AIMiggo AI

Miggo AIRoot Cause Analysis

The commit diff shows critical changes to exception handling logic. The vulnerability (CWE-787) stems from improper tracking of exception frames. WalkAndClearInlineeFrameCallInfoOnException previously validated frames against tryCatchFrameAddr, which was incorrectly managed by TryCatchFrameAddrStack. The patch replaces tryCatchFrameAddr with tryHandlerAddrOfReturnAddr, fixing the OOB write by ensuring correct address validation during stack unwinding.

Vulnerable functions

Only Mi**o us*rs **n s** t*is s**tion

WAF Protection Rules

WAF Rule

* r*mot* *o** *x**ution vuln*r**ility *xists in t** w*y t**t t** ***kr* s*riptin* *n*in* **n*l*s o*j**ts in m*mory in Mi*roso*t ****, *k* "***kr* S*riptin* *n*in* M*mory *orruption Vuln*r**ility." T*is *****ts Mi*roso*t ****, ***kr**or*. T*is *V* I*

Reasoning

T** *ommit *i** s*ows *riti**l ***n**s to *x**ption **n*lin* lo*i*. T** vuln*r**ility (*W*-***) st*ms *rom improp*r tr**kin* o* *x**ption *r*m*s. `W*lk*n**l**rInlin***r*m***llIn*oOn*x**ption` pr*viously v*li**t** *r*m*s ***inst `try**t***r*m****r`, w