CVE-2018-0857 — ChakraCore RCE Vulnerability

Description

Microsoft Edge and ChakraCore in Microsoft Windows 10 Gold, 1511, 1607, 1703, 1709, and Windows Server 2016 allows remote code execution, due to how the scripting engine handles objects in memory, aka "Scripting Engine Memory Corruption Vulnerability". This CVE ID is unique from CVE-2018-0834, CVE-2018-0835, CVE-2018-0836, CVE-2018-0837, CVE-2018-0838, CVE-2018-0840, CVE-2018-0856, CVE-2018-0858, CVE-2018-0859, CVE-2018-0860, CVE-2018-0861, and CVE-2018-0866.

How to fix CVE-2018-0857

To remediate CVE-2018-0857, upgrade the affected package to a fixed version below.

—upgrade to 1.8.1 or later

Is CVE-2018-0857 being exploited?

Moderate — EPSS is 28.4%. Track this CVE but it's not at the top of the prioritisation list.

Affected packages (1)

from 0, < 1.8.1

CVSS scores

Source	Version	Severity	Vector
osv	CVSS 3.1	HIGH7.5	CVSS:3.0/AV:N/AC:H/PR:N/UI:R/S:U/C:H/I:H/A:H

References (6)

ADVISORYnvd.nist.gov/vuln/detail/CVE-2018-0857
PATCHgithub.com/chakra-core/ChakraCore
WEBgithub.com/chakra-core/ChakraCore/commit/6f4265c3db2aad323bce617324190d021c11126f
WEBportal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2018-0857