Skip to main content

Windows CVE-2018-8174

HIGH
Out-of-bounds Write (CWE-787)
2018-05-09 secure@microsoft.com
Windows
7.5
CVSS 3.1 · NVD
Share

Severity by source

NVD PRIMARY
7.5 HIGH
AV:N/AC:H/PR:N/UI:R/S:U/C:H/I:H/A:H

Primary rating from NVD · only source for this CVE.

CVSS VectorNVD

CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:U/C:H/I:H/A:H
Attack Vector
Network
Attack Complexity
High
Privileges Required
None
User Interaction
Required
Scope
Unchanged
Confidentiality
High
Integrity
High
Availability
High

Lifecycle Timeline

5
Analysis Generated
Mar 26, 2026 - 11:18 vuln.today
Added to CISA KEV
Oct 28, 2025 - 14:13 cisa
CISA KEV
PoC Detected
Oct 28, 2025 - 14:13 vuln.today
Public exploit code
Patch released
Oct 28, 2025 - 14:13 nvd
Patch available
CVE Published
May 09, 2018 - 19:29 nvd
HIGH 7.5

DescriptionCVE.org

A remote code execution vulnerability exists in the way that the VBScript engine handles objects in memory, aka "Windows VBScript Engine Remote Code Execution Vulnerability." This affects Windows 7, Windows Server 2012 R2, Windows RT 8.1, Windows Server 2008, Windows Server 2012, Windows 8.1, Windows Server 2016, Windows Server 2008 R2, Windows 10, Windows 10 Servers.

AnalysisAI

The Windows VBScript engine contains a remote code execution vulnerability in object handling that allows full system compromise through crafted web pages, exploited in the wild as a zero-day before the May 2018 patch.

Technical ContextAI

The CWE-787 out-of-bounds write in the VBScript engine (vbscript.dll) is triggered when processing crafted VBScript code that manipulates object references. The exploit uses use-after-free techniques to gain arbitrary read/write primitives, enabling full code execution. Delivered through IE or Office documents embedding VBScript.

Affected ProductsAI

Microsoft Windows 7 through Windows 10 Microsoft Windows Server 2008 through Server 2016 Internet Explorer (VBScript engine) Microsoft Office (via embedded VBScript)

RemediationAI

Apply Microsoft security update. Disable VBScript in IE via registry or Group Policy. Restrict IE to trusted sites only. Use modern browsers that don't support VBScript.

More from same product – last 7 days

CVE-2026-12440 CRITICAL
9.6 Jun 17

Use after free in DigitalCredentials in Google Chrome on Windows prior to 149.0.7827.155 allowed a remote attacker to po
CVE-2026-12437 HIGH
8.3 Jun 17

Use after free in WebShare in Google Chrome on Windows prior to 149.0.7827.155 allowed a remote attacker who had comprom
CVE-2026-12449 HIGH
7.8 Jun 17

Use after free in Chromoting in Google Chrome on Windows prior to 149.0.7827.155 allowed a local attacker to perform OS-
CVE-2026-12461 MEDIUM
6.5 Jun 17

Out of bounds read in WebRTC in Google Chrome on Windows prior to 149.0.7827.155 allowed a remote attacker to obtain pot
CVE-2026-12444 MEDIUM
5.5 Jun 17

Out of bounds read in Chromoting in Google Chrome on Windows prior to 149.0.7827.155 allowed a local attacker to obtain

Share

CVE-2018-8174 vulnerability details – vuln.today
Back

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy