CVE-2018-18500 - Vulncode-DB

CVE-2018-18500 (NVD)

2019-02-05

A use-after-free vulnerability can occur while parsing an HTML5 stream in concert with custom HTML elements. This results in the stream parser object being freed while still in use, leading to a potentially exploitable crash. This vulnerability affects Thunderbird < 60.5, Firefox ESR < 60.5, and Firefox < 65.

Products	Ubuntu_linux, Debian_linux, Firefox, Firefox_esr, Thunderbird, Enterprise_linux_desktop, Enterprise_linux_server, Enterprise_linux_server_aus, Enterprise_linux_server_eus, Enterprise_linux_server_tus, Enterprise_linux_workstation
Type	Use After Free (CWE-416)
First patch	- None (likely due to unavailable code)
Links	• http://www.securityfocus.com/bid/106781 • https://www.mozilla.org/security/advisories/mfsa2019-03/ • https://access.redhat.com/errata/RHSA-2019:0270 • https://www.debian.org/security/2019/dsa-4392 • https://www.mozilla.org/security/advisories/mfsa2019-01/ More/Less (11) • https://www.mozilla.org/security/advisories/mfsa2019-02/ • https://access.redhat.com/errata/RHSA-2019:0219 • https://security.gentoo.org/glsa/201904-07 • https://lists.debian.org/debian-lts-announce/2019/01/msg00025.html • https://access.redhat.com/errata/RHSA-2019:0269 • https://security.gentoo.org/glsa/201903-04 • https://usn.ubuntu.com/3874-1/ • https://usn.ubuntu.com/3897-1/ • https://access.redhat.com/errata/RHSA-2019:0218 • https://lists.debian.org/debian-lts-announce/2019/02/msg00024.html • https://www.debian.org/security/2019/dsa-4376