CVE-2018-19476
Description
Ghostscript before 9.26 has a type confusion in psi/zicc.c that allows remote attackers to bypass access restrictions via a crafted PostScript file.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
Ghostscript before 9.26 has a type confusion in psi/zicc.c that allows remote attackers to bypass access restrictions via a crafted PostScript file.
Vulnerability
CVE-2018-19476 is a type confusion vulnerability in the setcolorspace operator within psi/zicc.c of Artifex Ghostscript versions before 9.26. An attacker can craft a PostScript or PDF file that triggers this type confusion, causing the interpreter to treat a color space object as another type, thereby bypassing the intended input validation and access controls. The flaw is reachable when Ghostscript processes untrusted input, such as during document conversion or thumbnail generation in applications that rely on Ghostscript [1][3].
Exploitation
Exploitation requires an attacker to supply a specially crafted PostScript or PDF file to a target using an affected version of Ghostscript. No special authentication or network position is needed beyond the ability to deliver the file (e.g., via email, web upload, or system print queue). The type confusion in the setcolorspace function allows the attacker to escape the normal execution sandbox and execute arbitrary operations [1][4]. The vulnerability can be triggered without any explicit user interaction other than Ghostscript processing the malicious document [3].
Impact
Successful exploitation enables a remote attacker to bypass Ghostscript's built-in access restrictions, potentially leading to arbitrary file read, file write, or remote code execution under the privileges of the Ghostscript process. This can compromise the confidentiality, integrity, and availability of the affected system. The impact is similar to other Ghostscript sandbox escapes, allowing an attacker to run arbitrary shell commands [1][3][4].
Mitigation
The vulnerability is fixed in Ghostscript version 9.26. Red Hat released updates for Red Hat Enterprise Linux 7 (ghostscript-9.07-31.el7_6.9) on 2019-02-12 [1]. Canonical released updates for Ubuntu via USN-3831-1 on 2018-11-29 [3]. Users should update Ghostscript to the latest version or apply the vendor-supplied patches. As a workaround, disable processing of untrusted PostScript and PDF files or use a policy file to restrict unsafe operations.
AI Insight generated on May 26, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
Affected products
36- Range: <9.26
- osv-coords35 versionspkg:rpm/opensuse/ghostscript&distro=openSUSE%20Tumbleweedpkg:rpm/suse/ghostscript&distro=SUSE%20Enterprise%20Storage%204pkg:rpm/suse/ghostscript&distro=SUSE%20Linux%20Enterprise%20Desktop%2012%20SP3pkg:rpm/suse/ghostscript&distro=SUSE%20Linux%20Enterprise%20Desktop%2012%20SP4pkg:rpm/suse/ghostscript&distro=SUSE%20Linux%20Enterprise%20Module%20for%20Basesystem%2015pkg:rpm/suse/ghostscript&distro=SUSE%20Linux%20Enterprise%20Server%2012%20SP1-LTSSpkg:rpm/suse/ghostscript&distro=SUSE%20Linux%20Enterprise%20Server%2012%20SP2-BCLpkg:rpm/suse/ghostscript&distro=SUSE%20Linux%20Enterprise%20Server%2012%20SP2-LTSSpkg:rpm/suse/ghostscript&distro=SUSE%20Linux%20Enterprise%20Server%2012%20SP3pkg:rpm/suse/ghostscript&distro=SUSE%20Linux%20Enterprise%20Server%2012%20SP4pkg:rpm/suse/ghostscript&distro=SUSE%20Linux%20Enterprise%20Server%2012-LTSSpkg:rpm/suse/ghostscript&distro=SUSE%20Linux%20Enterprise%20Server%20for%20SAP%20Applications%2012%20SP1pkg:rpm/suse/ghostscript&distro=SUSE%20Linux%20Enterprise%20Server%20for%20SAP%20Applications%2012%20SP2pkg:rpm/suse/ghostscript&distro=SUSE%20Linux%20Enterprise%20Server%20for%20SAP%20Applications%2012%20SP3pkg:rpm/suse/ghostscript&distro=SUSE%20Linux%20Enterprise%20Server%20for%20SAP%20Applications%2012%20SP4pkg:rpm/suse/ghostscript&distro=SUSE%20Linux%20Enterprise%20Software%20Development%20Kit%2012%20SP3pkg:rpm/suse/ghostscript&distro=SUSE%20Linux%20Enterprise%20Software%20Development%20Kit%2012%20SP4pkg:rpm/suse/ghostscript&distro=SUSE%20OpenStack%20Cloud%207pkg:rpm/suse/libspectre&distro=SUSE%20Enterprise%20Storage%204pkg:rpm/suse/libspectre&distro=SUSE%20Linux%20Enterprise%20Desktop%2012%20SP3pkg:rpm/suse/libspectre&distro=SUSE%20Linux%20Enterprise%20Desktop%2012%20SP4pkg:rpm/suse/libspectre&distro=SUSE%20Linux%20Enterprise%20Module%20for%20Desktop%20Applications%2015pkg:rpm/suse/libspectre&distro=SUSE%20Linux%20Enterprise%20Server%2012%20SP1-LTSSpkg:rpm/suse/libspectre&distro=SUSE%20Linux%20Enterprise%20Server%2012%20SP2-BCLpkg:rpm/suse/libspectre&distro=SUSE%20Linux%20Enterprise%20Server%2012%20SP2-LTSSpkg:rpm/suse/libspectre&distro=SUSE%20Linux%20Enterprise%20Server%2012%20SP3pkg:rpm/suse/libspectre&distro=SUSE%20Linux%20Enterprise%20Server%2012%20SP4pkg:rpm/suse/libspectre&distro=SUSE%20Linux%20Enterprise%20Server%2012-LTSSpkg:rpm/suse/libspectre&distro=SUSE%20Linux%20Enterprise%20Server%20for%20SAP%20Applications%2012%20SP1pkg:rpm/suse/libspectre&distro=SUSE%20Linux%20Enterprise%20Server%20for%20SAP%20Applications%2012%20SP2pkg:rpm/suse/libspectre&distro=SUSE%20Linux%20Enterprise%20Server%20for%20SAP%20Applications%2012%20SP3pkg:rpm/suse/libspectre&distro=SUSE%20Linux%20Enterprise%20Server%20for%20SAP%20Applications%2012%20SP4pkg:rpm/suse/libspectre&distro=SUSE%20Linux%20Enterprise%20Software%20Development%20Kit%2012%20SP3pkg:rpm/suse/libspectre&distro=SUSE%20Linux%20Enterprise%20Software%20Development%20Kit%2012%20SP4pkg:rpm/suse/libspectre&distro=SUSE%20OpenStack%20Cloud%207
< 9.54.0-2.2+ 34 more
- (no CPE)range: < 9.54.0-2.2
- (no CPE)range: < 9.26-23.16.1
- (no CPE)range: < 9.26-23.16.1
- (no CPE)range: < 9.26-23.16.1
- (no CPE)range: < 9.26-3.9.4
- (no CPE)range: < 9.26-23.16.1
- (no CPE)range: < 9.26-23.16.1
- (no CPE)range: < 9.26-23.16.1
- (no CPE)range: < 9.26-23.16.1
- (no CPE)range: < 9.26-23.16.1
- (no CPE)range: < 9.26-23.16.1
- (no CPE)range: < 9.26-23.16.1
- (no CPE)range: < 9.26-23.16.1
- (no CPE)range: < 9.26-23.16.1
- (no CPE)range: < 9.26-23.16.1
- (no CPE)range: < 9.26-23.16.1
- (no CPE)range: < 9.26-23.16.1
- (no CPE)range: < 9.26-23.16.1
- (no CPE)range: < 0.2.7-12.4.1
- (no CPE)range: < 0.2.7-12.4.1
- (no CPE)range: < 0.2.7-12.4.1
- (no CPE)range: < 0.2.8-3.4.3
- (no CPE)range: < 0.2.7-12.4.1
- (no CPE)range: < 0.2.7-12.4.1
- (no CPE)range: < 0.2.7-12.4.1
- (no CPE)range: < 0.2.7-12.4.1
- (no CPE)range: < 0.2.7-12.4.1
- (no CPE)range: < 0.2.7-12.4.1
- (no CPE)range: < 0.2.7-12.4.1
- (no CPE)range: < 0.2.7-12.4.1
- (no CPE)range: < 0.2.7-12.4.1
- (no CPE)range: < 0.2.7-12.4.1
- (no CPE)range: < 0.2.7-12.4.1
- (no CPE)range: < 0.2.7-12.4.1
- (no CPE)range: < 0.2.7-12.4.1
Patches
0No patches discovered yet.
Vulnerability mechanics
No source-code context for this CVE — mechanics is only generated when we can read the actual fix diff. Without that, the four sections (root cause, attack vector, affected code, fix) would be speculation rather than analysis.
References
10- access.redhat.com/errata/RHBA-2019:0327mitrevendor-advisoryx_refsource_REDHAT
- access.redhat.com/errata/RHSA-2019:0229mitrevendor-advisoryx_refsource_REDHAT
- usn.ubuntu.com/3831-1/mitrevendor-advisoryx_refsource_UBUNTU
- www.debian.org/security/2018/dsa-4346mitrevendor-advisoryx_refsource_DEBIAN
- git.ghostscript.commitrex_refsource_MISC
- www.securityfocus.com/bid/106154mitrevdb-entryx_refsource_BID
- bugs.ghostscript.com/show_bug.cgimitrex_refsource_MISC
- lists.debian.org/debian-lts-announce/2018/11/msg00036.htmlmitremailing-listx_refsource_MLIST
- semmle.com/news/semmle-discovers-severe-vulnerability-ghostscript-postscript-pdfmitrex_refsource_MISC
- www.ghostscript.com/doc/9.26/History9.htmmitrex_refsource_MISC
News mentions
0No linked articles in our index yet.