CVE-2018-12386

HIGH

JavaScript - RCE

Description

A vulnerability in register allocation in JavaScript can lead to type confusion, allowing for an arbitrary read and write. This leads to remote code execution inside the sandboxed content process when triggered. This vulnerability affects Firefox ESR < 60.2.2 and Firefox < 62.0.3.

Exploits (2)

nomisec WORKING POC 2 stars
by 0xLyte · poc
https://github.com/0xLyte/cve-2018-12386
nomisec WORKING POC 2 stars
by Hydra3evil · poc
https://github.com/Hydra3evil/cve-2018-12386

Scores

CVSS v3 8.1
EPSS 0.3910
EPSS Percentile 97.3%
Attack Vector NETWORK
CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:N

Details

CWE CWE-704
Status published
Products (15)
canonical/ubuntu_linux 14.04
canonical/ubuntu_linux 16.04
canonical/ubuntu_linux 18.04
debian/debian_linux 9.0
mozilla/firefox < 60.2.2
redhat/enterprise_linux_desktop 6.0
redhat/enterprise_linux_desktop 7.0
redhat/enterprise_linux_server 6.0
redhat/enterprise_linux_server 7.0
redhat/enterprise_linux_server_aus 7.6
... and 5 more
Published Oct 18, 2018
Tracked Since Feb 18, 2026