VIR Vulnerability Intelligence Relay

CVE-2018-12386

critical
Published — · Modified —
CVSS v3
CVSS v2
VIR risk
9.5

Description

A vulnerability in register allocation in JavaScript can lead to type confusion, allowing for an arbitrary read and write. This leads to remote code execution inside the sandboxed content process when triggered. This vulnerability affects Firefox ESR < 60.2.2 and Firefox < 62.0.3.

Predictions

Exploit likelihood
20%
Patch ETA

Heuristic predictions, AS-IS, for prioritization only.

Mitigations

vendor Authored 2026-05-27

Vendor advisory: debian — https://security-tracker.debian.org/tracker/CVE-2018-12386

vendor Authored 2026-05-27

Vendor advisory: suse — https://www.suse.com/security/cve/CVE-2018-12386.html

vendor Authored 2026-05-27

Vendor advisory: arch — https://security.archlinux.org/ASA-201810-6

OS impact
OSVersionStatusFixed in
arch archfixed62.0.3-1
suse slesaffected
debian debiansidfixed62.0.3-1
debian debianbookwormfixed60.2.2esr-1
debian debianbullseyefixed60.2.2esr-1
debian debianforkyfixed60.2.2esr-1
debian debiantrixiefixed60.2.2esr-1

References

Verify integrity in audit chain (admin only). AS-IS.