CVE-2018-18493

9.8 CRITICAL

📋 TL;DR

A buffer overflow vulnerability in the Skia graphics library allows attackers to cause memory corruption through specially crafted 2D canvas operations. This affects Thunderbird, Firefox ESR, and Firefox browsers when using hardware acceleration, potentially leading to remote code execution. Users running affected versions are vulnerable to exploitation via malicious web content.

💻 Affected Systems

Products:
  • Mozilla Thunderbird
  • Mozilla Firefox ESR
  • Mozilla Firefox
Versions: Thunderbird < 60.4, Firefox ESR < 60.4, Firefox < 64
Operating Systems: All platforms supported by affected browsers
Default Config Vulnerable: ⚠️ Yes
Notes: Requires hardware acceleration enabled (default in most configurations).

⚠️ Risk & Real-World Impact

🔴 Worst Case: Remote code execution leading to full system compromise, data theft, or installation of persistent malware.

🟠 Likely Case: Application crash (denial of service) or limited memory corruption that could be leveraged for further exploitation.

🟢 If Mitigated: No impact if patched versions are deployed or hardware acceleration is disabled.

🌐 Internet-Facing: HIGH - Exploitable via malicious web content without user interaction beyond visiting a compromised site.
🏢 Internal Only: MEDIUM - Requires user to visit malicious internal web pages or open crafted emails in Thunderbird.

🎯 Exploit Status

Public PoC: ✅ No
Weaponized: UNKNOWN
Unauthenticated Exploit: ⚠️ Yes
Complexity: MEDIUM

Exploitation requires bypassing ASLR/DEP protections; no public exploit code is known.

🛠️ Fix & Mitigation

✅ Official Fix

Patch Version: Thunderbird 60.4, Firefox ESR 60.4, Firefox 64

Vendor Advisory: https://access.redhat.com/errata/RHSA-2018:3831

Restart Required: Yes

Instructions:

1. Update Thunderbird to version 60.4 or later.
2. Update Firefox ESR to version 60.4 or later.
3. Update Firefox to version 64 or later.
4. Restart the browser after update.

🔧 Temporary Workarounds

Disable hardware acceleration (platform: all)

Prevents exploitation by disabling the vulnerable hardware-accelerated canvas feature.

In Firefox/Thunderbird: Settings → General → Performance → Uncheck 'Use recommended performance settings' → Uncheck 'Use hardware acceleration when available'

🧯 If You Can't Patch

  • Implement network filtering to block malicious web content using web proxies or firewalls.
  • Restrict browser usage to trusted websites only and disable JavaScript for untrusted sites.

🔍 How to Verify

Check if Vulnerable:

Check browser version: Thunderbird < 60.4, Firefox ESR < 60.4, or Firefox < 64 indicates vulnerability.

Check Version:

Firefox/Thunderbird: Help → About Firefox/Thunderbird

Verify Fix Applied:

Confirm browser version is Thunderbird ≥ 60.4, Firefox ESR ≥ 60.4, or Firefox ≥ 64.
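
For checking more than a handful of machines, the version thresholds above can be applied to collected version strings. The following is an added example, not part of the original advisory; it assumes version banners in the form `Mozilla Firefox 60.3.0esr` or `Thunderbird 60.3.1`, and the hostnames and inventory entries are constructed sample data.

```python
import re

# Fixed versions as stated on this page.
FIXED = {"thunderbird": (60, 4), "firefox-esr": (60, 4), "firefox": (64, 0)}

# Assumed input format: banners such as "Mozilla Firefox 60.3.0esr" or
# "Thunderbird 60.3.1". Anything with an unexpected suffix does not match.
_VERSION_RE = re.compile(
    r"\b(firefox|thunderbird)(\s+esr)?\s+(\d+)(?:\.(\d+))?(?:\.\d+)*(esr)?(?![\w.])",
    re.IGNORECASE,
)


def classify(version_string):
    """Return (product, (major, minor), status) for one version string.

    status is "vulnerable", "fixed", or "unknown" (string not recognised).
    """
    m = _VERSION_RE.search(version_string)
    if not m:
        return (None, None, "unknown")
    product = m.group(1).lower()
    # A Firefox build is treated as ESR only when the string says so; an
    # unmarked 60.x is compared against the release threshold (64).
    if product == "firefox" and (m.group(2) or m.group(5)):
        product = "firefox-esr"
    version = (int(m.group(3)), int(m.group(4) or 0))
    status = "fixed" if version >= FIXED[product] else "vulnerable"
    return (product, version, status)


def triage(inventory):
    """Return (host, status) for every entry that is not confirmed fixed."""
    results = [(host, classify(banner)[2]) for host, banner in inventory]
    return [(host, status) for host, status in results if status != "fixed"]


# Constructed sample inventory (hostnames and versions are made up).
SAMPLE_INVENTORY = [
    ("ws-01", "Mozilla Firefox 63.0.3"),
    ("ws-02", "Mozilla Firefox 60.3.0esr"),
    ("ws-03", "Mozilla Firefox 60.4.0esr"),
    ("ws-04", "Thunderbird 60.3.1"),
    ("ws-05", "Mozilla Firefox 64.0"),
    ("ws-06", "Mozilla Firefox 64.0b5"),
]

if __name__ == "__main__":
    for host, status in triage(SAMPLE_INVENTORY):
        print(f"{host}: {status}")
```

Entries reported as `unknown` (for example pre-release builds) are left for manual review, not assumed fixed.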

📡 Detection & Monitoring

Log Indicators:

  • Browser crash logs referencing skia.dll/libskia.so, memory access violations, or segmentation faults

Network Indicators:

  • Unusual web traffic to sites hosting canvas-heavy content or known exploit kits

SIEM Query:

source="browser_logs" AND (event="crash" OR error="segmentation_fault") AND (process="firefox" OR process="thunderbird")
