Public exploit available
Public proof-of-concept or exploit code exists (ExploitDB / Metasploit / Nuclei).

CVE-2018-15120Improper Restriction of Operations within the Bounds of a Memory Buffer in Pango

CWE-119Improper Restriction of Operations within the Bounds of a Memory BufferCWE-617Reachable Assertion10 documents9 sources
Severity
6.5MEDIUMNVD
EPSS
6.1%
top 9.23%
CISA KEV
Not in KEV
Exploit
PoC available
Public exploit / PoC exists
Affected products
2
Gnome PangoCanonical Ubuntu Linux
Timeline
PublishedAug 24
Latest updateMay 13

Description

libpango in Pango 1.40.8 through 1.42.3, as used in hexchat and other products, allows remote attackers to cause a denial of service (application crash) or possibly have unspecified other impact via crafted text with invalid Unicode sequences.

CVSS vector

CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:HExploitability: 2.8 | Impact: 3.6

Affected Packages1 packages

NVDgnome/pango1.40.81.42.3

Also affects: Ubuntu Linux 18.04

Patches

Patch: github.comPatch: mail.gnome.orgPatch: www.exploit-db.com

🔴Vulnerability Details

3
GHSA
GHSA-6gmw-hfp8-7f52: libpango in Pango 12022-05-13
CVEList
CVE-2018-15120: libpango in Pango 12018-08-24
OSV
CVE-2018-15120: libpango in Pango 12018-08-24

💥Exploits & PoCs

1
Exploit-DB
Libpango 1.40.8 - Denial of Service (PoC)2018-08-27

📋Vendor Advisories

3
Ubuntu
Pango vulnerability2018-08-22
Red Hat
pango: application crash triggered by unicode chars in pango-emoji.c2018-08-20
Debian
CVE-2018-15120: pango1.0 - libpango in Pango 1.40.8 through 1.42.3, as used in hexchat and other products, ...2018

💬Community

2
Bugzilla
CVE-2018-15120 pango: application crash triggered by unicode chars in pango-emoji.c [fedora-all]2018-08-21
Bugzilla
CVE-2018-15120 pango: application crash triggered by unicode chars in pango-emoji.c2018-08-07
CVE-2018-15120 — Gnome Pango vulnerability | cvebase