CVE-2018-12386

HIGH

Mozilla Firefox JavaScript Register Allocation - Type Confusion Code Execution

Title source: manual

Exploitation Summary

EIP tracks 2 public exploits for CVE-2018-12386. PoCs published by 0xLyte, Hydra3evil.

AI-analyzed exploit summary: This is a functional exploit for CVE-2018-12386, a Firefox RCE vulnerability. It leverages a type confusion bug to achieve arbitrary memory read/write, leading to remote code execution in a sandboxed environment.

Description

A vulnerability in register allocation in JavaScript can lead to type confusion, allowing for an arbitrary read and write. This leads to remote code execution inside the sandboxed content process when triggered. This vulnerability affects Firefox ESR < 60.2.2 and Firefox < 62.0.3.

Exploits (2)

nomisec WORKING POC 2 stars
by 0xLyte · poc
https://github.com/0xLyte/cve-2018-12386

This is a functional exploit for CVE-2018-12386, a Firefox RCE vulnerability. It leverages a type confusion bug to achieve arbitrary memory read/write, leading to remote code execution in a sandboxed environment.

Classification: Working PoC 95%
Attack Type: RCE
Complexity: Complex
Reliability: Reliable
Target: Firefox < 62.0.3 and Firefox ESR < 60.2.2
No auth needed
Prerequisites: Specific Linux setup with known offsets · Firefox version prior to 62.0.3 or ESR 60.2.2 · Sandbox disabled for testing (MOZ_DISABLE_CONTENT_SANDBOX=1)
devstral-2 · analyzed Feb 16, 2026

nomisec WORKING POC 2 stars
by Hydra3evil · poc
https://github.com/Hydra3evil/cve-2018-12386

This repository contains a functional proof-of-concept exploit for CVE-2018-12386, a remote code execution vulnerability in Firefox versions prior to 62.0.3 and Firefox ESR versions prior to 60.2.2. The exploit leverages a sandboxed RCE in Firefox on Linux, requiring specific offsets for the target environment.

Classification: Working PoC 95%
Attack Type: RCE
Complexity: Complex
Reliability: Reliable
Target: Firefox < 62.0.3, Firefox ESR < 60.2.2
No auth needed
Prerequisites: Firefox version prior to 62.0.3 or Firefox ESR prior to 60.2.2 · Linux environment with known offsets for libxul.so and libc.so.6 · Sandbox disabled (MOZ_DISABLE_CONTENT_SANDBOX=1)
devstral-2 · analyzed Feb 16, 2026

References (9)

Core References
Third Party Advisory vendor-advisory x_refsource_gentoo
https://security.gentoo.org/glsa/201810-01
Third Party Advisory, VDB Entry vdb-entry x_refsource_bid
http://www.securityfocus.com/bid/105460
Third Party Advisory vendor-advisory x_refsource_ubuntu
https://usn.ubuntu.com/3778-1/
Third Party Advisory vendor-advisory x_refsource_debian
https://www.debian.org/security/2018/dsa-4310
Third Party Advisory vendor-advisory x_refsource_redhat
https://access.redhat.com/errata/RHSA-2018:2884
Third Party Advisory, VDB Entry vdb-entry x_refsource_sectrack
http://www.securitytracker.com/id/1041770
Exploit, Issue Tracking, Patch, Vendor Advisory x_refsource_confirm
https://bugzilla.mozilla.org/show_bug.cgi?id=1493900
Vendor Advisory x_refsource_confirm
https://www.mozilla.org/security/advisories/mfsa2018-24/
Third Party Advisory vendor-advisory x_refsource_redhat
https://access.redhat.com/errata/RHSA-2018:2881

Scores

CVSS v3 8.1
EPSS 0.1342
EPSS Percentile 95.9%
Attack Vector NETWORK
CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:N

Details

CWE: CWE-704
Status: published
Products (15)
canonical/ubuntu_linux 14.04
canonical/ubuntu_linux 16.04
canonical/ubuntu_linux 18.04
debian/debian_linux 9.0
mozilla/firefox < 60.2.2
redhat/enterprise_linux_desktop 6.0
redhat/enterprise_linux_desktop 7.0
redhat/enterprise_linux_server 6.0
redhat/enterprise_linux_server 7.0
redhat/enterprise_linux_server_aus 7.6
... and 5 more
Published Oct 18, 2018
Tracked Since Feb 18, 2026