CVE-2018-8555: ChakraCore RCE Vulnerability

CVSS Score: 7.5 (CVSS v3.0)

Basic Information

EPSS Score: 0.89812%
Published: 5/13/2022
Updated: 10/6/2023
KEV Status: No
Technology: C#

Technical Details

CVSS Vector: CVSS:3.0/AV:N/AC:H/PR:N/UI:R/S:U/C:H/I:H/A:H

Package Name         | Ecosystem | Vulnerable Versions | First Patched Version
Microsoft.ChakraCore | nuget     | < 1.11.3            | 1.11.3

Vulnerability Intelligence
Miggo AI Root Cause Analysis

The vulnerability stems from missing handling of Array Concat operations in ChakraCore's JIT optimizer. The fixing commit adds `IR::HelperArray_Concat` to two critical locations: 1) in `CheckJsArrayKills`, where array segment metadata is updated, and 2) in `ProcessArrayValueKills`, where live array tracking is cleared. Without these checks, the optimizer fails to invalidate its array buffer assumptions after a concat operation, so JIT-compiled code can access an array based on a stale memory layout, leading to type confusion and out-of-bounds writes.

WAF Protection Rules

WAF Rule

A remote code execution vulnerability exists in the way that the Chakra scripting engine handles objects in memory in Microsoft Edge, aka "Chakra Scripting Engine Memory Corruption Vulnerability." This affects Microsoft Edge, ChakraCore. This CVE ID
