CVE-2018-8298

HIGH KEV

ChakraCore < 1.10.1 - Remote Code Execution via Memory Corruption

Title source: llm

Exploitation Summary

CVE-2018-8298 is actively exploited and listed in the CISA Known Exploited Vulnerabilities (KEV) catalog, added March 3, 2022. EIP tracks 1 public exploit from researchers including Google Security Research.

AI-analyzed exploit summary This PoC exploits a type confusion vulnerability in Microsoft Edge's Intl.js by reinitializing the same object multiple times, leading to potential memory corruption. The issue arises due to missing initialization checks in the ICU versions of InitializeNumberFormat and InitializeDateTimeFormat.

Description

A remote code execution vulnerability exists in the way that the ChakraCore scripting engine handles objects in memory, aka "Scripting Engine Memory Corruption Vulnerability." This affects ChakraCore. This CVE ID is unique from CVE-2018-8242, CVE-2018-8283, CVE-2018-8287, CVE-2018-8288, CVE-2018-8291, CVE-2018-8296.

Exploits (1)

exploitdb WORKING POC VERIFIED

by Google Security Research · javascriptdoswindows

https://www.exploit-db.com/exploits/45217

View Code ZIP pw:eip

This PoC exploits a type confusion vulnerability in Microsoft Edge's Intl.js by reinitializing the same object multiple times, leading to potential memory corruption. The issue arises due to missing initialization checks in the ICU versions of InitializeNumberFormat and InitializeDateTimeFormat.

Classification

Working Poc 90%

Attack Type

Rce

Complexity

Moderate

Reliability

Reliable

Target: Microsoft Edge 42.17672.1000.0 and Microsoft EdgeHTML 17.17672

No auth needed

Prerequisites: Access to a vulnerable version of Microsoft Edge

MITRE ATT&CK

T1190 - Exploit Public-Facing Application

devstral-2 · analyzed Feb 16, 2026 Full analysis →

References (4)

Core 4

Core References

US Government Resource

https://www.cisa.gov/known-exploited-vulnerabilities-catalog?field_cve=CVE-2018-8298

Patch, Vendor Advisory x_refsource_confirm

https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2018-8298

Broken Link, Third Party Advisory, VDB Entry vdb-entry x_refsource_bid

http://www.securityfocus.com/bid/104639

Exploit, Third Party Advisory, VDB Entry exploit x_refsource_exploit-db

https://www.exploit-db.com/exploits/45217/

Scores

CVSS v3 7.5

EPSS 0.8937

EPSS Percentile 99.6%

Attack Vector NETWORK

CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:U/C:H/I:H/A:H

CISA SSVC

Vulnrichment

Exploitation active

Automatable no

Technical Impact total

Details

CISA KEV 2022-03-03

VulnCheck KEV 2022-03-03

InTheWild.io 2022-03-03

ENISA EUVD EUVD-2022-5575

CWE

CWE-843

Status published

Products (2)

microsoft/chakracore < 1.10.1

nuget/Microsoft.ChakraCore 0 - 1.10.1NuGet

Published Jul 11, 2018

KEV Added Mar 03, 2022

Tracked Since Feb 18, 2026