CVE-2018-8276 — ChakraCore Security Bypass

Description

A security feature bypass vulnerability exists in the Microsoft Chakra scripting engine that allows Control Flow Guard (CFG) to be bypassed, aka "Scripting Engine Security Feature Bypass Vulnerability." This affects Microsoft Edge, ChakraCore.

How to fix CVE-2018-8276

To remediate CVE-2018-8276, upgrade the affected package to a fixed version below.

NuGet/Microsoft.ChakraCore—upgrade to 1.10.1 or later

Is CVE-2018-8276 being exploited?

Moderate — EPSS is 15.8%. Track this CVE but it's not at the top of the prioritisation list.

Affected packages (1)

from 0, < 1.10.1

CVSS scores

Source	Version	Severity	Vector
osv	CVSS 3.1	MEDIUM6.5	CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:H/A:N

References (6)

ADVISORYnvd.nist.gov/vuln/detail/CVE-2018-8276
PATCHgithub.com/chakra-core/ChakraCore
WEBgithub.com/chakra-core/ChakraCore/commit/4196f8097afdcc5fe01ce2966871712fb24003a3
WEBportal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2018-8276