CVE-2018-18073
Description
Ghostscript -dSAFER sandbox escape via leaked system operators in $error execution stack.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
Ghostscript -dSAFER sandbox escape via leaked system operators in $error execution stack.
Vulnerability
Artifex Ghostscript versions including 9.07 on Red Hat Enterprise Linux 7 are vulnerable to a sandbox bypass. The vulnerability resides in the PostScript error handling mechanism: when an error occurs, the $error dictionary can contain references to parts of the execution stack, including executeonly routines. An attacker can craft a PostScript file that triggers an error and accesses the $error.estack to obtain references to system operators such as .forceput and .systemvar, which are normally restricted under -dSAFER [1][2][3].
Exploitation
An attacker needs to supply a specially crafted PostScript file to Ghostscript invoked with -dSAFER. The attack sequence involves placing code that causes a PostScript error (e.g., executing .setglobal on a null object), catching the error with stopped, then reading the $error dictionary's /estack entry to recover operator arrays. The leaked operators can then be used to run arbitrary system commands [2].
Impact
Successful exploitation allows an attacker to bypass the -dSAFER sandbox and execute arbitrary shell commands on the victim's system with the privileges of the Ghostscript process, leading to full compromise of confidentiality, integrity, and availability of files accessible to that user [2][3].
Mitigation
Red Hat released erratum RHSA-2018:3834 updating Ghostscript to version 9.07-31.el7_6.6 on RHEL 7 [1]. Users should apply the vendor-supplied patch. If patching is not immediately possible, avoid processing untrusted PostScript or PDF files with Ghostscript. No workaround is provided in the references [2][3].
AI Insight generated on May 26, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
Affected products
36- osv-coords35 versionspkg:rpm/opensuse/ghostscript&distro=openSUSE%20Tumbleweedpkg:rpm/suse/ghostscript&distro=SUSE%20Enterprise%20Storage%204pkg:rpm/suse/ghostscript&distro=SUSE%20Linux%20Enterprise%20Desktop%2012%20SP3pkg:rpm/suse/ghostscript&distro=SUSE%20Linux%20Enterprise%20Desktop%2012%20SP4pkg:rpm/suse/ghostscript&distro=SUSE%20Linux%20Enterprise%20Module%20for%20Basesystem%2015pkg:rpm/suse/ghostscript&distro=SUSE%20Linux%20Enterprise%20Server%2012%20SP1-LTSSpkg:rpm/suse/ghostscript&distro=SUSE%20Linux%20Enterprise%20Server%2012%20SP2-BCLpkg:rpm/suse/ghostscript&distro=SUSE%20Linux%20Enterprise%20Server%2012%20SP2-LTSSpkg:rpm/suse/ghostscript&distro=SUSE%20Linux%20Enterprise%20Server%2012%20SP3pkg:rpm/suse/ghostscript&distro=SUSE%20Linux%20Enterprise%20Server%2012%20SP4pkg:rpm/suse/ghostscript&distro=SUSE%20Linux%20Enterprise%20Server%2012-LTSSpkg:rpm/suse/ghostscript&distro=SUSE%20Linux%20Enterprise%20Server%20for%20SAP%20Applications%2012%20SP1pkg:rpm/suse/ghostscript&distro=SUSE%20Linux%20Enterprise%20Server%20for%20SAP%20Applications%2012%20SP2pkg:rpm/suse/ghostscript&distro=SUSE%20Linux%20Enterprise%20Server%20for%20SAP%20Applications%2012%20SP3pkg:rpm/suse/ghostscript&distro=SUSE%20Linux%20Enterprise%20Server%20for%20SAP%20Applications%2012%20SP4pkg:rpm/suse/ghostscript&distro=SUSE%20Linux%20Enterprise%20Software%20Development%20Kit%2012%20SP3pkg:rpm/suse/ghostscript&distro=SUSE%20Linux%20Enterprise%20Software%20Development%20Kit%2012%20SP4pkg:rpm/suse/ghostscript&distro=SUSE%20OpenStack%20Cloud%207pkg:rpm/suse/libspectre&distro=SUSE%20Enterprise%20Storage%204pkg:rpm/suse/libspectre&distro=SUSE%20Linux%20Enterprise%20Desktop%2012%20SP3pkg:rpm/suse/libspectre&distro=SUSE%20Linux%20Enterprise%20Desktop%2012%20SP4pkg:rpm/suse/libspectre&distro=SUSE%20Linux%20Enterprise%20Module%20for%20Desktop%20Applications%2015pkg:rpm/suse/libspectre&distro=SUSE%20Linux%20Enterprise%20Server%2012%20SP1-LTSSpkg:rpm/suse/libspectre&distro=SUSE%20Linux%20Enterprise%20Server%2012%20SP2-BCLpkg:rpm/suse/libspectre&distro=SUSE%20Linux%20Enterprise%20Server%2012%20SP2-LTSSpkg:rpm/suse/libspectre&distro=SUSE%20Linux%20Enterprise%20Server%2012%20SP3pkg:rpm/suse/libspectre&distro=SUSE%20Linux%20Enterprise%20Server%2012%20SP4pkg:rpm/suse/libspectre&distro=SUSE%20Linux%20Enterprise%20Server%2012-LTSSpkg:rpm/suse/libspectre&distro=SUSE%20Linux%20Enterprise%20Server%20for%20SAP%20Applications%2012%20SP1pkg:rpm/suse/libspectre&distro=SUSE%20Linux%20Enterprise%20Server%20for%20SAP%20Applications%2012%20SP2pkg:rpm/suse/libspectre&distro=SUSE%20Linux%20Enterprise%20Server%20for%20SAP%20Applications%2012%20SP3pkg:rpm/suse/libspectre&distro=SUSE%20Linux%20Enterprise%20Server%20for%20SAP%20Applications%2012%20SP4pkg:rpm/suse/libspectre&distro=SUSE%20Linux%20Enterprise%20Software%20Development%20Kit%2012%20SP3pkg:rpm/suse/libspectre&distro=SUSE%20Linux%20Enterprise%20Software%20Development%20Kit%2012%20SP4pkg:rpm/suse/libspectre&distro=SUSE%20OpenStack%20Cloud%207
< 9.54.0-2.2+ 34 more
- (no CPE)range: < 9.54.0-2.2
- (no CPE)range: < 9.26-23.16.1
- (no CPE)range: < 9.26-23.16.1
- (no CPE)range: < 9.26-23.16.1
- (no CPE)range: < 9.26-3.9.4
- (no CPE)range: < 9.26-23.16.1
- (no CPE)range: < 9.26-23.16.1
- (no CPE)range: < 9.26-23.16.1
- (no CPE)range: < 9.26-23.16.1
- (no CPE)range: < 9.26-23.16.1
- (no CPE)range: < 9.26-23.16.1
- (no CPE)range: < 9.26-23.16.1
- (no CPE)range: < 9.26-23.16.1
- (no CPE)range: < 9.26-23.16.1
- (no CPE)range: < 9.26-23.16.1
- (no CPE)range: < 9.26-23.16.1
- (no CPE)range: < 9.26-23.16.1
- (no CPE)range: < 9.26-23.16.1
- (no CPE)range: < 0.2.7-12.4.1
- (no CPE)range: < 0.2.7-12.4.1
- (no CPE)range: < 0.2.7-12.4.1
- (no CPE)range: < 0.2.8-3.4.3
- (no CPE)range: < 0.2.7-12.4.1
- (no CPE)range: < 0.2.7-12.4.1
- (no CPE)range: < 0.2.7-12.4.1
- (no CPE)range: < 0.2.7-12.4.1
- (no CPE)range: < 0.2.7-12.4.1
- (no CPE)range: < 0.2.7-12.4.1
- (no CPE)range: < 0.2.7-12.4.1
- (no CPE)range: < 0.2.7-12.4.1
- (no CPE)range: < 0.2.7-12.4.1
- (no CPE)range: < 0.2.7-12.4.1
- (no CPE)range: < 0.2.7-12.4.1
- (no CPE)range: < 0.2.7-12.4.1
- (no CPE)range: < 0.2.7-12.4.1
Patches
0No patches discovered yet.
Vulnerability mechanics
No source-code context for this CVE — mechanics is only generated when we can read the actual fix diff. Without that, the four sections (root cause, attack vector, affected code, fix) would be speculation rather than analysis.
References
9- access.redhat.com/errata/RHSA-2018:3834mitrevendor-advisoryx_refsource_REDHAT
- usn.ubuntu.com/3803-1/mitrevendor-advisoryx_refsource_UBUNTU
- www.debian.org/security/2018/dsa-4336mitrevendor-advisoryx_refsource_DEBIAN
- git.ghostscript.commitrex_refsource_CONFIRM
- packetstormsecurity.com/files/149758/Ghostscript-Exposed-System-Operators.htmlmitrex_refsource_MISC
- www.openwall.com/lists/oss-security/2018/10/10/12mitremailing-listx_refsource_MLIST
- bugs.chromium.org/p/project-zero/issues/detailmitrex_refsource_MISC
- bugs.ghostscript.com/show_bug.cgimitrex_refsource_CONFIRM
- lists.debian.org/debian-lts-announce/2018/10/msg00013.htmlmitremailing-listx_refsource_MLIST
News mentions
0No linked articles in our index yet.