cbcvebase.
CVE-2018-12293
published 2018-06-19

CVE-2018-12293: The getImageData function in the ImageBufferCairo class in WebCore/platform/graphics/cairo/ImageBufferCairo.cpp in WebKit, as used in WebKitGTK+ prior to…

PriorityP260high8.8CVSS 3.0
AVNACLPRNUIRSUCHIHAH
EXPLOIT
EPSS
10.53%
95.2th percentile
The getImageData function in the ImageBufferCairo class in WebCore/platform/graphics/cairo/ImageBufferCairo.cpp in WebKit, as used in WebKitGTK+ prior to version 2.20.3 and WPE WebKit prior to version 2.20.1, is vulnerable to a heap-based buffer overflow triggered by an integer overflow, which could be abused by crafted HTML content.

Affected

6 ranges
VendorProductVersion rangeFixed in
canonicalubuntu_linux
canonicalubuntu_linux
canonicalubuntu_linux
debianwebkit2gtk< webkit2gtk 2.20.3-1 (bookworm)webkit2gtk 2.20.3-1 (bookworm)
webkitgtkwebkitgtk< 2.20.32.20.3
wpewebkitwpe_webkit< 2.20.12.20.1

Detection & IOCsextracted from sources · hover to see the quote

commandctx.getImageData(0, 0, 32768, 32768)
  • Monitor JavaScript canvas API calls to getImageData() with extremely large width/height values (e.g., 32768x32768) that would cause integer overflow in rect.width() * rect.height() * 4, triggering a heap-based buffer overflow in ImageBufferCairo::getImageData().
  • The vulnerable code path is in WebCore/platform/graphics/cairo/ImageBufferCairo.cpp — specifically the Uint8ClampedArray::createUninitialized(rect.width() * rect.height() * 4) call, which overflows when large canvas dimensions are supplied via crafted HTML content.
  • UBSAN output indicating undefined behavior in libwebkit2gtk-4.0.so can be a runtime signal of exploitation attempts against this vulnerability.
  • ·The PoC targets WebKitGTK+ versions prior to 2.20.3 and WPE WebKit prior to 2.20.1; systems running patched versions (2.20.3-1 or later on Debian) are not vulnerable.
  • ·Exploitation requires the target page to include an HTML5 canvas element; the PoC itself notes the absence of a canvas tag as a prerequisite condition to observe the overflow.

CVSS provenance

nvdv3.08.8HIGHCVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H
nvdv2.06.8MEDIUMAV:N/AC:M/Au:N/C:P/I:P/A:P
osv8.8HIGH
vendor_debian8.8LOW
CVEs like this are exactly what “Exploited This Week” covers.

Every Monday: what got weaponized or added to CISA KEV in the last seven days — each CVE cross-linked to its PoC, Nuclei template, and detection rule. Free, one email a week, unsubscribe in one click.