CVE-2018-6641

Vulnerability

An arbitrary free vulnerability exists in Design Science MathType version 6.9c. Crafted input can overwrite a structure, leading to a function call with an invalid parameter, and subsequently freeing important data such as a function pointer or list pointer. This issue is present in the 6.9c release and is fixed in 6.9d [1].

Exploitation

An attacker can exploit this vulnerability by providing specially crafted input to MathType. No authentication is required, and the attack can be performed remotely. The crafted input overwrites a structure, causing a function call with an invalid parameter, which then triggers a free operation on critical data, potentially leading to code execution.

Impact

Successful exploitation allows an attacker to achieve remote code execution with the privileges of the MathType process. This can lead to full compromise of the affected system, including data disclosure, modification, or denial of service.

Mitigation

The vulnerability is fixed in MathType version 6.9d, which is available for download from the vendor's website [1]. Users should upgrade to version 6.9d or later. No workarounds are documented. The CVE is not listed on the CISA Known Exploited Vulnerabilities (KEV) catalog.