
CVE-2018-8390: ChakraCore RCE Vulnerability

CVSS Score (3.0): 7.5

Basic Information

EPSS Score: 0.91018%
Published: 5/13/2022
Updated: 7/21/2023
KEV Status: No
Technology: C#

Technical Details

CVSS Vector: CVSS:3.0/AV:N/AC:H/PR:N/UI:R/S:U/C:H/I:H/A:H
Package Name: Microsoft.ChakraCore
Ecosystem: nuget
Vulnerable Versions: < 1.10.2
First Patched Version: 1.10.2

Vulnerability Intelligence

Miggo AI Root Cause Analysis

The commit 63ae30a in the ChakraCore repository explicitly addresses CVE-2018-8390 by modifying a critical condition in NativeCodeGenerator::GatherCodeGenData. The vulnerability stemmed from improper handling of deferred function inlining in the JIT compiler, where a mismatch between fixed function objects and their execution context could lead to memory corruption. The code change directly correlates with the CWE-787 (Out-of-bounds Write) description and the advisory's focus on object memory handling flaws in the scripting engine.
