CVE-2018-0946 — ChakraCore RCE Vulnerability

Description

A remote code execution vulnerability exists in the way that the scripting engine handles objects in memory in Microsoft Edge, aka "Scripting Engine Memory Corruption Vulnerability." This affects Microsoft Edge, ChakraCore. This CVE ID is unique from CVE-2018-0945, CVE-2018-0951, CVE-2018-0953, CVE-2018-0954, CVE-2018-0955, CVE-2018-1022, CVE-2018-8114, CVE-2018-8122, CVE-2018-8128, CVE-2018-8137, CVE-2018-8139.

How to fix CVE-2018-0946

To remediate CVE-2018-0946, upgrade the affected package to a fixed version below.

—upgrade to 1.8.4 or later

Is CVE-2018-0946 being exploited?

Likely — EPSS is 63.6%, placing CVE-2018-0946 in the top tier of vulnerabilities by exploitation probability. Prioritise patching.

Affected packages (1)

from 0, < 1.8.4

CVSS scores

Source	Version	Severity	Vector
osv	CVSS 3.1	HIGH7.5	CVSS:3.0/AV:N/AC:H/PR:N/UI:R/S:U/C:H/I:H/A:H

References (7)

ADVISORYnvd.nist.gov/vuln/detail/CVE-2018-0946
PATCHgithub.com/chakra-core/ChakraCore
WEBgithub.com/chakra-core/ChakraCore/commit/bee1e247bf6acbc8c862c7fc1d597ce9cab7446e
WEBportal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2018-0946