CVE-2023-36664

HIGH

Artifex Ghostscript <10.01.2 - Privilege Escalation

Title source: llm

Exploitation Summary

EIP tracks 4 public exploits for CVE-2023-36664. PoCs published by jakabakos, churamanib, jeanchpt.

AI-analyzed exploit summary: This repository contains a Python script that exploits CVE-2023-36664, a command injection vulnerability in Ghostscript prior to version 10.01.2. The exploit generates or injects malicious payloads into PS or EPS files, which execute arbitrary commands when processed by vulnerable Ghostscript versions.

Description

Artifex Ghostscript through 10.01.2 mishandles permission validation for pipe devices (with the %pipe% prefix or the | pipe character prefix).

Exploits (4)

nomisec WORKING POC 130 stars
by jakabakos · poc
https://github.com/jakabakos/CVE-2023-36664-Ghostscript-command-injection

This repository contains a Python script that exploits CVE-2023-36664, a command injection vulnerability in Ghostscript prior to version 10.01.2. The exploit generates or injects malicious payloads into PS or EPS files, which execute arbitrary commands when processed by vulnerable Ghostscript versions.

Classification: Working PoC 95%
Attack Type: RCE
Complexity: Moderate
Reliability: Reliable
Target: Ghostscript versions prior to 10.01.2
No auth needed
Prerequisites: Vulnerable Ghostscript installation · Ability to deliver malicious PS/EPS file to target
devstral-2 · analyzed Feb 16, 2026

nomisec WORKING POC
by churamanib · poc
https://github.com/churamanib/CVE-2023-36664-Ghostscript-command-injection

This repository contains a Python script that exploits CVE-2023-36664, a command injection vulnerability in Ghostscript prior to version 10.01.2. The exploit generates or injects malicious payloads into PS or EPS files, which execute arbitrary commands when processed by vulnerable Ghostscript versions.

Classification: Working PoC 100%
Attack Type: RCE
Complexity: Trivial
Reliability: Reliable
Target: Ghostscript < 10.01.2
No auth needed
Prerequisites: Vulnerable Ghostscript installation · Ability to deliver malicious PS/EPS file to target
devstral-2 · analyzed Feb 16, 2026

nomisec WORKING POC
by jeanchpt · poc
https://github.com/jeanchpt/CVE-2023-36664

This PoC exploits CVE-2023-36664 in Ghostscript by injecting a malicious payload into an EPS file, which triggers remote code execution when opened in LibreOffice Draw. The payload leverages Ghostscript's pipe device to execute arbitrary commands.

Classification: Working PoC 90%
Attack Type: RCE
Complexity: Trivial
Reliability: Reliable
Target: Ghostscript (via LibreOffice Draw)
No auth needed
Prerequisites: A vulnerable version of Ghostscript · LibreOffice Draw to open the malicious EPS file
devstral-2 · analyzed Feb 16, 2026

nomisec SCANNER
by winkler-winsen · poc
https://github.com/winkler-winsen/Scan_GhostScript

This PowerShell script scans for GhostScript files vulnerable to CVE-2023-36664 by checking file versions across local drives. It self-elevates to administrator privileges if required and lists affected files.

Classification: Scanner 100%
Attack Type: Info Leak
Complexity: Trivial
Reliability: Reliable
Target: GhostScript (versions below 10.02.2)
No auth needed
Prerequisites: Local execution on a Windows system with PowerShell
devstral-2 · analyzed Feb 16, 2026

Scores

CVSS v3: 7.8
EPSS: 0.0321
EPSS Percentile: 86.5%
Attack Vector: LOCAL
CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H

CISA SSVC

Vulnrichment
Exploitation: none
Automatable: no
Technical Impact: total

Details

CWE: CWE-552
Status: published
Products (5)
artifex/ghostscript < 10.01.2
debian/debian_linux 11.0
debian/debian_linux 12.0
fedoraproject/fedora 37
fedoraproject/fedora 38
Published: Jun 25, 2023
Tracked Since: Feb 18, 2026