CVE-2018-8133

HIGH EXPLOITED IN THE WILD

Microsoft Edge and ChakraCore - Remote Code Execution via Type Confusion

Title source: llm

Exploitation Summary

CVE-2018-8133 has been observed exploited in the wild (reported by VulnCheck KEV, InTheWild.io). EIP tracks 1 public exploit from researchers including Google Security Research.

AI-analyzed exploit summary This exploit leverages a type confusion vulnerability in ChakraCore (CVE-2018-8133) by manipulating array types during JIT optimization, leading to arbitrary memory corruption. The PoC uses a Proxy object to trigger a side effect in the 'getPrototypeOf' handler, causing type confusion in the optimized code.

Description

A remote code execution vulnerability exists in the way that the Chakra scripting engine handles objects in memory in Microsoft Edge, aka "Chakra Scripting Engine Memory Corruption Vulnerability." This affects Microsoft Edge, ChakraCore. This CVE ID is unique from CVE-2018-0943, CVE-2018-8130, CVE-2018-8145, CVE-2018-8177.

Exploits (1)

exploitdb WORKING POC VERIFIED

by Google Security Research · javascriptdoswindows

https://www.exploit-db.com/exploits/44817

View Code ZIP pw:eip

This exploit leverages a type confusion vulnerability in ChakraCore (CVE-2018-8133) by manipulating array types during JIT optimization, leading to arbitrary memory corruption. The PoC uses a Proxy object to trigger a side effect in the 'getPrototypeOf' handler, causing type confusion in the optimized code.

Classification

Working Poc 95%

Attack Type

Rce

Complexity

Complex

Reliability

Reliable

Target: Microsoft ChakraCore (Edge/IE JavaScript engine)

No auth needed

Prerequisites: Victim must visit a malicious webpage · Browser using ChakraCore (e.g., Microsoft Edge or Internet Explorer)

MITRE ATT&CK

T1189 - Drive-by Compromise T1059 - Command and Scripting Interpreter

devstral-2 · analyzed Feb 16, 2026 Full analysis →

References (4)

Core 4

Core References

Third Party Advisory, VDB Entry vdb-entry x_refsource_bid

http://www.securityfocus.com/bid/103982

Exploit, Third Party Advisory, VDB Entry exploit x_refsource_exploit-db

https://www.exploit-db.com/exploits/44817/

Patch, Vendor Advisory x_refsource_confirm

https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2018-8133

Third Party Advisory, VDB Entry vdb-entry x_refsource_sectrack

http://www.securitytracker.com/id/1040844

Scores

CVSS v3 7.5

EPSS 0.6226

EPSS Percentile 98.4%

Attack Vector NETWORK

CVSS:3.0/AV:N/AC:H/PR:N/UI:R/S:U/C:H/I:H/A:H

Details

VulnCheck KEV 2021-08-17

InTheWild.io 2021-08-17

CWE

CWE-843

Status published

Products (3)

microsoft/chakracore < 1.8.3

microsoft/edge

nuget/Microsoft.ChakraCore 0 - 1.8.4NuGet

Published May 09, 2018

Tracked Since Feb 18, 2026