CVE-2018-12361
HIGHThunderbird <60, Firefox ESR <60.1, Firefox <61 - Buffer Overflow
Title source: llmDescription
An integer overflow can occur in the SwizzleData code while calculating buffer sizes. The overflowed value is used for subsequent graphics computations when their inputs are not sanitized which results in a potentially exploitable crash. This vulnerability affects Thunderbird < 60, Firefox ESR < 60.1, and Firefox < 61.
References (11)
Core 11
Core References
Mitigation, Third Party Advisory vendor-advisory
x_refsource_gentoo
https://security.gentoo.org/glsa/201810-01
Vendor Advisory x_refsource_confirm
https://www.mozilla.org/security/advisories/mfsa2018-15/
Third Party Advisory mailing-list
x_refsource_mlist
https://lists.debian.org/debian-lts-announce/2018/11/msg00011.html
Mitigation, Third Party Advisory vendor-advisory
x_refsource_gentoo
https://security.gentoo.org/glsa/201811-13
Third Party Advisory vendor-advisory
x_refsource_debian
https://www.debian.org/security/2018/dsa-4295
Vendor Advisory x_refsource_confirm
https://www.mozilla.org/security/advisories/mfsa2018-16/
Third Party Advisory, VDB Entry vdb-entry
x_refsource_sectrack
http://www.securitytracker.com/id/1041193
Vendor Advisory x_refsource_confirm
https://www.mozilla.org/security/advisories/mfsa2018-19/
Issue Tracking, Permissions Required x_refsource_confirm
https://bugzilla.mozilla.org/show_bug.cgi?id=1463244
Third Party Advisory, VDB Entry vdb-entry
x_refsource_bid
http://www.securityfocus.com/bid/104558
Third Party Advisory vendor-advisory
x_refsource_ubuntu
https://usn.ubuntu.com/3705-1/
Scores
CVSS v3
8.8
EPSS
0.0111
EPSS Percentile
78.4%
Attack Vector
NETWORK
CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H
Details
CWE
CWE-190
Status
published
Products (9)
canonical/ubuntu_linux
14.04
canonical/ubuntu_linux
16.04
canonical/ubuntu_linux
17.10
canonical/ubuntu_linux
18.04
debian/debian_linux
8.0
debian/debian_linux
9.0
mozilla/firefox
< 61.0
mozilla/firefox_esr
< 60.1
mozilla/thunderbird
< 60.0
Published
Oct 18, 2018
Tracked Since
Feb 18, 2026