VulnerableCode Vulnerability Details

Search for vulnerabilities

Vulnerability details: VCID-jhqn-7me5-47gm

Essentials
Severities (17)
References (60)
Severity details (6)
Exploits (1)
EPSS
History (1)

Vulnerability ID	VCID-jhqn-7me5-47gm
Aliases	CVE-2018-6126
Summary	A heap buffer overflow can occur in the Skia library when rasterizing paths using a maliciously crafted SVG file with anti-aliasing turned off. This results in a potentially exploitable crash.
Status	Published
Exploitability	2.0
Weighted Severity	9.0
Risk	10.0
Affected and Fixed Packages	Package Details

Weaknesses (1)

CWE-787

Out-of-bounds Write

System	Score	Found at
cvssv3	8.8	https://access.redhat.com/hydra/rest/securitydata/cve/CVE-2018-6126.json
epss	0.32892	https://api.first.org/data/v1/epss?cve=CVE-2018-6126
epss	0.32892	https://api.first.org/data/v1/epss?cve=CVE-2018-6126
epss	0.32892	https://api.first.org/data/v1/epss?cve=CVE-2018-6126
epss	0.32892	https://api.first.org/data/v1/epss?cve=CVE-2018-6126
epss	0.32892	https://api.first.org/data/v1/epss?cve=CVE-2018-6126
epss	0.32892	https://api.first.org/data/v1/epss?cve=CVE-2018-6126
epss	0.32892	https://api.first.org/data/v1/epss?cve=CVE-2018-6126
epss	0.32892	https://api.first.org/data/v1/epss?cve=CVE-2018-6126
epss	0.32892	https://api.first.org/data/v1/epss?cve=CVE-2018-6126
epss	0.32892	https://api.first.org/data/v1/epss?cve=CVE-2018-6126
epss	0.32892	https://api.first.org/data/v1/epss?cve=CVE-2018-6126
cvssv3	8.8	https://ftp.suse.com/pub/projects/security/yaml/suse-cvss-scores.yaml
cvssv2	6.8	https://nvd.nist.gov/vuln/detail/CVE-2018-6126
cvssv3	8.8	https://nvd.nist.gov/vuln/detail/CVE-2018-6126
archlinux	High	https://security.archlinux.org/AVG-715
generic_textual	critical	https://www.mozilla.org/en-US/security/advisories/mfsa2018-14

Reference id	Reference type	URL
		https://access.redhat.com/errata/RHSA-2018:1815
		https://access.redhat.com/errata/RHSA-2018:2112
		https://access.redhat.com/errata/RHSA-2018:2113
		https://access.redhat.com/hydra/rest/securitydata/cve/CVE-2018-6126.json
		https://api.first.org/data/v1/epss?cve=CVE-2018-6126
		https://chromereleases.googleblog.com/2018/05/stable-channel-update-for-desktop_58.html
		https://crbug.com/844457
		https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-6118
		https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-6120
		https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-6121
		https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-6122
		https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-6123
		https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-6124
		https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-6125
		https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-6126
		https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-6127
		https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-6129
		https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-6130
		https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-6131
		https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-6132
		https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-6133
		https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-6134
		https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-6135
		https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-6136
		https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-6137
		https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-6138
		https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-6139
		https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-6140
		https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-6141
		https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-6142
		https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-6143
		https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-6144
		https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-6145
		https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-6147
		https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-6148
		https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-6149
		https://ftp.suse.com/pub/projects/security/yaml/suse-cvss-scores.yaml
		https://security.gentoo.org/glsa/201810-01
		https://www.debian.org/security/2018/dsa-4220
		https://www.debian.org/security/2018/dsa-4237
		https://www.exploit-db.com/exploits/45098/
		http://www.securityfocus.com/bid/104309
		http://www.securityfocus.com/bid/104411
		http://www.securitytracker.com/id/1041014
		http://www.securitytracker.com/id/1041046
1584035		https://bugzilla.redhat.com/show_bug.cgi?id=1584035
818180		https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=818180
ASA-201806-5		https://security.archlinux.org/ASA-201806-5
AVG-715		https://security.archlinux.org/AVG-715
cpe:2.3:a:google:chrome::::::::		https://nvd.nist.gov/vuln/search/results?adv_search=true&isCpeNameSearch=true&query=cpe:2.3:a:google:chrome::::::::
cpe:2.3:o:debian:debian_linux:8.0:::::::*		https://nvd.nist.gov/vuln/search/results?adv_search=true&isCpeNameSearch=true&query=cpe:2.3:o:debian:debian_linux:8.0:::::::*
cpe:2.3:o:debian:debian_linux:9.0:::::::*		https://nvd.nist.gov/vuln/search/results?adv_search=true&isCpeNameSearch=true&query=cpe:2.3:o:debian:debian_linux:9.0:::::::*
cpe:2.3:o:redhat:enterprise_linux_desktop:6.0:::::::*		https://nvd.nist.gov/vuln/search/results?adv_search=true&isCpeNameSearch=true&query=cpe:2.3:o:redhat:enterprise_linux_desktop:6.0:::::::*
cpe:2.3:o:redhat:enterprise_linux_server:6.0:::::::*		https://nvd.nist.gov/vuln/search/results?adv_search=true&isCpeNameSearch=true&query=cpe:2.3:o:redhat:enterprise_linux_server:6.0:::::::*
cpe:2.3:o:redhat:enterprise_linux_workstation:6.0:::::::*		https://nvd.nist.gov/vuln/search/results?adv_search=true&isCpeNameSearch=true&query=cpe:2.3:o:redhat:enterprise_linux_workstation:6.0:::::::*
CVE-2018-6126	Exploit	https://bugs.chromium.org/p/project-zero/issues/detail?id=1579
CVE-2018-6126	Exploit	https://gitlab.com/exploit-database/exploitdb/-/blob/main/exploits/multiple/dos/45098.txt
CVE-2018-6126		https://nvd.nist.gov/vuln/detail/CVE-2018-6126
mfsa2018-14		https://www.mozilla.org/en-US/security/advisories/mfsa2018-14
USN-3682-1		https://usn.ubuntu.com/3682-1/

Data source	Exploit-DB
Date added	July 27, 2018
Description	Skia - Heap Overflow in SkScan::FillPath due to Precision Error
Ransomware campaign use	Known
Source publication date	July 27, 2018
Exploit type	dos
Platform	multiple
Source update date	July 27, 2018
Source URL	https://bugs.chromium.org/p/project-zero/issues/detail?id=1579

Vector: CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H Found at https://access.redhat.com/hydra/rest/securitydata/cve/CVE-2018-6126.json

Attack Vector (AV)	Attack Complexity (AC)	Privileges Required (PR)	User Interaction (UI)	Scope (S)	Confidentiality Impact (C)	Integrity Impact (I)	Availability Impact (A)
network adjacent_network local physical	low high	none low high	none required	unchanged changed	high low none	high low none	high low none

Attack Vector (AV)

Attack Complexity (AC)

Privileges Required (PR)

User Interaction (UI)

Scope (S)

Confidentiality Impact (C)

Integrity Impact (I)

Availability Impact (A)

network

adjacent_network

local

physical

low

high

none

low

high

none

required

unchanged

changed

high

low

none

high

low

none

high

low

none

Vector: CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H Found at https://ftp.suse.com/pub/projects/security/yaml/suse-cvss-scores.yaml

Attack Vector (AV)	Attack Complexity (AC)	Privileges Required (PR)	User Interaction (UI)	Scope (S)	Confidentiality Impact (C)	Integrity Impact (I)	Availability Impact (A)
network adjacent_network local physical	low high	none low high	none required	unchanged changed	high low none	high low none	high low none

Attack Vector (AV)

Attack Complexity (AC)

Privileges Required (PR)

User Interaction (UI)

Scope (S)

Confidentiality Impact (C)

Integrity Impact (I)

Availability Impact (A)

network

adjacent_network

local

physical

low

high

none

low

high

none

required

unchanged

changed

high

low

none

high

low

none

high

low

none

Vector: AV:N/AC:M/Au:N/C:P/I:P/A:P Found at https://nvd.nist.gov/vuln/detail/CVE-2018-6126

Exploitability (E)	Access Vector (AV)	Access Complexity (AC)	Authentication (Au)	Confidentiality Impact (C)	Integrity Impact (I)	Availability Impact (A)
high functional unproven proof_of_concept not_defined	local adjacent_network network	high medium low	multiple single none	none partial complete	none partial complete	none partial complete

Exploitability (E)

Access Vector (AV)

Access Complexity (AC)

Authentication (Au)

Confidentiality Impact (C)

Integrity Impact (I)

Availability Impact (A)

high

functional

unproven

proof_of_concept

not_defined

local

adjacent_network

network

high

medium

low

multiple

single

none

partial

complete

none

partial

complete

none

partial

complete

Vector: CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H Found at https://nvd.nist.gov/vuln/detail/CVE-2018-6126

Attack Vector (AV)	Attack Complexity (AC)	Privileges Required (PR)	User Interaction (UI)	Scope (S)	Confidentiality Impact (C)	Integrity Impact (I)	Availability Impact (A)
network adjacent_network local physical	low high	none low high	none required	unchanged changed	high low none	high low none	high low none

Attack Vector (AV)

Attack Complexity (AC)

Privileges Required (PR)

User Interaction (UI)

Scope (S)

Confidentiality Impact (C)

Integrity Impact (I)

Availability Impact (A)

network

adjacent_network

local

physical

low

high

none

low

high

none

required

unchanged

changed

high

low

none

high

low

none

high

low

none

Exploit Prediction Scoring System (EPSS)

Percentile	0.96708
EPSS Score	0.32892
Published At	Aug. 5, 2025, 12:55 p.m.

Date	Actor	Action	Source	VulnerableCode Version
2025-07-31T08:09:51.336651+00:00	Mozilla Importer	Import	https://github.com/mozilla/foundation-security-advisories/blob/master/announce/2018/mfsa2018-14.yml	37.0.0