CVE-2018-0860: Out-of-bounds Write

May 13, 2022 (updated July 20, 2023)

Microsoft Edge and ChakraCore in Microsoft Windows 10 Gold, 1511, 1607, 1703, 1709, and Windows Server 2016 allows remote code execution, due to how the scripting engine handles objects in memory, aka “Scripting Engine Memory Corruption Vulnerability”. This CVE ID is unique from CVE-2018-0834, CVE-2018-0835, CVE-2018-0836, CVE-2018-0837, CVE-2018-0838, CVE-2018-0840, CVE-2018-0856, CVE-2018-0857, CVE-2018-0858, CVE-2018-0859, CVE-2018-0861, and CVE-2018-0866.

References

github.com/advisories/GHSA-v3xp-3wpq-rvhp
github.com/chakra-core/ChakraCore/commit/9dac38fa6a6273f4cd57234d3caf4c7033e527bc
nvd.nist.gov/vuln/detail/CVE-2018-0860
portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2018-0860
web.archive.org/web/20210124135855/http://www.securityfocus.com/bid/102883
web.archive.org/web/20210922050621/http://www.securitytracker.com/id/1040372
www.exploit-db.com/exploits/44076/

Code Behaviors & Features

Detect and mitigate CVE-2018-0860 with GitLab Dependency Scanning

Secure your software supply chain by verifying that all open source dependencies used in your projects contain no disclosed vulnerabilities. Learn more about Dependency Scanning →