CVE-2019-6116

HIGH

Artifex Ghostscript < 9.26 - Remote Code Execution via Ephemeral Procedure System Operator Access

Title source: llm
Exploitation Summary

EIP tracks 1 public exploit for CVE-2019-6116. PoCs published by Google Security Research.

AI-analyzed exploit summary: This exploit leverages unprotected ephemeral routines in Ghostscript's PostScript interpreter to achieve arbitrary command execution by manipulating the dictstack and triggering specific errors. It demonstrates a bypass of the `executeonly` and `odef` protections by exploiting unresolved names at runtime.

Description

In Artifex Ghostscript through 9.26, ephemeral or transient procedures can allow access to system operators, leading to remote code execution.

Exploits (1)

exploitdb · WORKING POC · VERIFIED
by Google Security Research · text · remote · linux
https://www.exploit-db.com/exploits/46242

Classification: Working PoC 95%
Attack Type: RCE
Complexity: Complex
Reliability: Reliable
Target: Ghostscript 9.26 and earlier
No auth needed
Prerequisites: Access to a system with Ghostscript 9.26 or earlier installed · Ability to execute Ghostscript with a malicious PostScript file
devstral-2 · analyzed Feb 16, 2026

References (22)

Core References
Third Party Advisory vendor-advisory x_refsource_redhat
https://access.redhat.com/errata/RHSA-2019:0229
Third Party Advisory, VDB Entry vdb-entry x_refsource_bid
http://www.securityfocus.com/bid/106700
Third Party Advisory vendor-advisory x_refsource_ubuntu
https://usn.ubuntu.com/3866-1/
Exploit, Third Party Advisory, VDB Entry exploit x_refsource_exploit-db
https://www.exploit-db.com/exploits/46242/
Mailing List, Third Party Advisory mailing-list x_refsource_mlist
https://lists.debian.org/debian-lts-announce/2019/02/msg00016.html
Third Party Advisory vendor-advisory x_refsource_debian
https://www.debian.org/security/2019/dsa-4372
Exploit, Issue Tracking, Patch, Third Party Advisory x_refsource_misc
https://bugs.chromium.org/p/project-zero/issues/detail?id=1729
Mailing List, Third Party Advisory x_refsource_confirm
http://lists.opensuse.org/opensuse-security-announce/2019-01/msg00047.html
Mailing List, Third Party Advisory x_refsource_confirm
http://lists.opensuse.org/opensuse-security-announce/2019-01/msg00048.html
Exploit, Mailing List, Patch, Third Party Advisory mailing-list x_refsource_mlist
http://www.openwall.com/lists/oss-security/2019/01/23/5
Exploit, Issue Tracking, Patch, Third Party Advisory x_refsource_confirm
https://bugs.ghostscript.com/show_bug.cgi?id=700317
Mailing List, Patch, Third Party Advisory mailing-list x_refsource_mlist
http://www.openwall.com/lists/oss-security/2019/03/21/1
Mailing List, Third Party Advisory mailing-list x_refsource_bugtraq
https://seclists.org/bugtraq/2019/Apr/4
Third Party Advisory vendor-advisory x_refsource_redhat
https://access.redhat.com/errata/RHBA-2019:0327
Third Party Advisory vendor-advisory x_refsource_gentoo
https://security.gentoo.org/glsa/202004-03

Scores

CVSS v3 7.8
EPSS 0.4390
EPSS Percentile 98.6%
Attack Vector LOCAL
CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H

Details

Status published
Products (18)
artifex/ghostscript < 9.26
canonical/ubuntu_linux 14.04
canonical/ubuntu_linux 16.04
canonical/ubuntu_linux 18.04
canonical/ubuntu_linux 18.10
debian/debian_linux 8.0
debian/debian_linux 9.0
fedoraproject/fedora 28
fedoraproject/fedora 29
fedoraproject/fedora 30
... and 8 more
Published Mar 21, 2019
Tracked Since Feb 18, 2026