CVE-2018-12390

Q: How do I fix CVE-2018-12390?

1. Open the application. 2. Click the menu button. 3. Select Help > About Firefox/Thunderbird. 4. The application will check for updates and install them. 5. Restart the application when prompted.

Q: What is the severity of CVE-2018-12390?

CVE-2018-12390 has a CVSS score of 9.8 (CRITICAL). This is a critical memory corruption vulnerability in Mozilla Firefox, Firefox ESR, and Thunderbird that could allow attackers to execute arbitrary code on affected systems. The vulnerability affects all users running vulnerable versions of these applications. Successful exploitation could lead to complete system compromise.

9.8 CRITICAL

Remote Code Execution

📋 TL;DR

This is a critical memory corruption vulnerability in Mozilla Firefox, Firefox ESR, and Thunderbird that could allow attackers to execute arbitrary code on affected systems. The vulnerability affects all users running vulnerable versions of these applications. Successful exploitation could lead to complete system compromise.

💻 Affected Systems

Products:

Mozilla Firefox
Mozilla Firefox ESR
Mozilla Thunderbird

Versions: Firefox < 63, Firefox ESR < 60.3, Thunderbird < 60.3

Operating Systems: Windows, Linux, macOS

Default Config Vulnerable: ⚠️ Yes

Notes: All default configurations are vulnerable. No special configuration required for exploitation.

📦 What is this software?

⚠️ Risk & Real-World Impact

🔴

Worst Case

Remote code execution leading to full system compromise, data theft, and persistent backdoor installation.

🟠

Likely Case

Browser/email client crash leading to denial of service, with potential for limited code execution in some scenarios.

🟢

If Mitigated

Application crash without code execution if memory corruption protections are enabled.

🌐 Internet-Facing: HIGH - Web browsers and email clients are directly exposed to internet content.

🏢 Internal Only: MEDIUM - Internal users could be targeted via malicious internal websites or emails.

🎯 Exploit Status

Public PoC: ✅ No

Weaponized: UNKNOWN

Unauthenticated Exploit: ⚠️ Yes

Complexity: MEDIUM

Memory corruption vulnerabilities require skilled exploitation but can be weaponized once understood.

🛠️ Fix & Mitigation

✅ Official Fix

Patch Version: Firefox 63, Firefox ESR 60.3, Thunderbird 60.3

Vendor Advisory: https://www.mozilla.org/en-US/security/advisories/mfsa2018-26/

Restart Required: Yes

Instructions:

1. Open the application. 2. Click the menu button. 3. Select Help > About Firefox/Thunderbird. 4. The application will check for updates and install them. 5. Restart the application when prompted.

🔧 Temporary Workarounds

Disable JavaScript

all

Temporarily disable JavaScript to reduce attack surface while patching

about:config -> javascript.enabled = false

Use alternative browser

all

Switch to a non-vulnerable browser until patching is complete

🧯 If You Can't Patch

Network segmentation to restrict vulnerable systems from accessing untrusted content
Implement application whitelisting to prevent execution of unauthorized code

🔍 How to Verify

Check if Vulnerable:

Check Help > About Firefox/Thunderbird and verify version is below patched versions

Check Version:

firefox --version or thunderbird --version

Verify Fix Applied:

Confirm version is Firefox 63+, Firefox ESR 60.3+, or Thunderbird 60.3+

📡 Detection & Monitoring

Log Indicators:

Application crash logs
Memory access violation errors
Unexpected process termination

Network Indicators:

Suspicious JavaScript payloads
Unusual outbound connections from browser processes

SIEM Query:

source="firefox.log" AND (event="crash" OR event="segfault")

📊 Metadata

CVE ID: CVE-2018-12390

CVSS v3 Score: 9.8 (CRITICAL)

CVSS Vector: CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

CWE: CWE-119

Published: February 28, 2019

Last Updated: November 25, 2025

🔗 References

http://www.securityfocus.com/bid/105718 Third Party Advisory,VDB Entry
http://www.securityfocus.com/bid/105769 Third Party Advisory,VDB Entry
http://www.securitytracker.com/id/1041944 Third Party Advisory,VDB Entry
https://access.redhat.com/errata/RHSA-2018:3005 Third Party Advisory
https://access.redhat.com/errata/RHSA-2018:3006 Third Party Advisory
https://access.redhat.com/errata/RHSA-2018:3531 Third Party Advisory
https://access.redhat.com/errata/RHSA-2018:3532 Third Party Advisory
https://bugzilla.mozilla.org/buglist.cgi?bug_id=1487098%2C1487660%2C1490234%2C1496159%2C1443748%2C1496340%2C1483905%2C1493347%2C1488803%2C1498701%2C1498482%2C1442010%2C1495245%2C1483699%2C1469486%2C1484905%2C1490561%2C1492524%2C1481844 Issue Tracking,Patch,Vendor Advisory
https://lists.debian.org/debian-lts-announce/2018/11/msg00008.html Mailing List,Third Party Advisory
https://lists.debian.org/debian-lts-announce/2018/11/msg00011.html Mailing List,Third Party Advisory
https://security.gentoo.org/glsa/201811-04 Third Party Advisory
https://security.gentoo.org/glsa/201811-13 Third Party Advisory
https://usn.ubuntu.com/3801-1/ Third Party Advisory
https://usn.ubuntu.com/3868-1/ Third Party Advisory
https://www.debian.org/security/2018/dsa-4324 Third Party Advisory
https://www.debian.org/security/2018/dsa-4337 Third Party Advisory
https://www.mozilla.org/security/advisories/mfsa2018-26/ Patch,Vendor Advisory
https://www.mozilla.org/security/advisories/mfsa2018-27/ Patch,Vendor Advisory
https://www.mozilla.org/security/advisories/mfsa2018-28/ Patch,Vendor Advisory
http://www.securityfocus.com/bid/105718 Third Party Advisory,VDB Entry
http://www.securityfocus.com/bid/105769 Third Party Advisory,VDB Entry
http://www.securitytracker.com/id/1041944 Third Party Advisory,VDB Entry
https://access.redhat.com/errata/RHSA-2018:3005 Third Party Advisory
https://access.redhat.com/errata/RHSA-2018:3006 Third Party Advisory
https://access.redhat.com/errata/RHSA-2018:3531 Third Party Advisory
https://access.redhat.com/errata/RHSA-2018:3532 Third Party Advisory
https://bugzilla.mozilla.org/buglist.cgi?bug_id=1487098%2C1487660%2C1490234%2C1496159%2C1443748%2C1496340%2C1483905%2C1493347%2C1488803%2C1498701%2C1498482%2C1442010%2C1495245%2C1483699%2C1469486%2C1484905%2C1490561%2C1492524%2C1481844 Issue Tracking,Patch,Vendor Advisory
https://lists.debian.org/debian-lts-announce/2018/11/msg00008.html Mailing List,Third Party Advisory
https://lists.debian.org/debian-lts-announce/2018/11/msg00011.html Mailing List,Third Party Advisory
https://security.gentoo.org/glsa/201811-04 Third Party Advisory
https://security.gentoo.org/glsa/201811-13 Third Party Advisory
https://usn.ubuntu.com/3801-1/ Third Party Advisory
https://usn.ubuntu.com/3868-1/ Third Party Advisory
https://www.debian.org/security/2018/dsa-4324 Third Party Advisory
https://www.debian.org/security/2018/dsa-4337 Third Party Advisory
https://www.mozilla.org/security/advisories/mfsa2018-26/ Patch,Vendor Advisory
https://www.mozilla.org/security/advisories/mfsa2018-27/ Patch,Vendor Advisory
https://www.mozilla.org/security/advisories/mfsa2018-28/ Patch,Vendor Advisory

📋 TL;DR

💻 Affected Systems

📦 What is this software?

Debian Linux by Debian

Debian Linux by Debian

Enterprise Linux Desktop by Redhat

Enterprise Linux Desktop by Redhat

Enterprise Linux Server by Redhat

Enterprise Linux Server by Redhat

Enterprise Linux Server Aus by Redhat

Enterprise Linux Server Eus by Redhat

Enterprise Linux Server Eus by Redhat

Enterprise Linux Server Tus by Redhat

Enterprise Linux Workstation by Redhat

Enterprise Linux Workstation by Redhat

Firefox by Mozilla

Firefox by Mozilla

Thunderbird by Mozilla

Ubuntu Linux by Canonical

Ubuntu Linux by Canonical

Ubuntu Linux by Canonical

Ubuntu Linux by Canonical

⚠️ Risk & Real-World Impact

Worst Case

Likely Case

If Mitigated

🎯 Exploit Status

🛠️ Fix & Mitigation

✅ Official Fix

Instructions:

🔧 Temporary Workarounds

Disable JavaScript

Use alternative browser

🧯 If You Can't Patch

🔍 How to Verify

Check if Vulnerable:

Check Version:

Verify Fix Applied:

📡 Detection & Monitoring

Log Indicators:

Network Indicators:

SIEM Query:

📊 Metadata

🔗 References

📤 Share & Export

🔗 Related Vulnerabilities