CVE-2018-12886

Name: CVE-2018-12886
Creator: NVD / NIST
Published: 2019-05-22T19:29:00.297+00:00
License: https://creativecommons.org/publicdomain/zero/1.0/

UnknownEPSS 2.17%

Last modified Jun 17, 2026

CVE-2018-12886 is a vulnerability of currently unknown severity. stack_protect_prologue in cfgexpand.c and stack_protect_epilogue in function.c in GNU Compiler Collection (GCC) 4.1 through 8 (under certain circumstances) generate instruction sequences when targeting ARM targets that spill the address of the stack protector guard, which allows an attacker to bypass the protection of -fstack-protector, -fstack-protector-all, -fstack-protector-strong, and -fstack-protector-explicit against stack overflow by controlling what the stack canary is compared against.. EPSS estimates a 2.17% chance of exploitation in the next 30 days.

Description

stack_protect_prologue in cfgexpand.c and stack_protect_epilogue in function.c in GNU Compiler Collection (GCC) 4.1 through 8 (under certain circumstances) generate instruction sequences when targeting ARM targets that spill the address of the stack protector guard, which allows an attacker to bypass the protection of -fstack-protector, -fstack-protector-all, -fstack-protector-strong, and -fstack-protector-explicit against stack overflow by controlling what the stack canary is compared against.

Metrics

EPSS Probability

2.17%

80.0th percentile

Probability of exploitation in the next 30 days. Learn more

Weakness Enumeration

CWE-209

Affected Software

Vendor	Product	Versions
Gnu	Gcc	>= 4.1, <= 8.0

References

https://gcc.gnu.org/viewcvs/gcc/trunk/gcc/config/arm/arm-protos.h?revision=266379&view=markupVendor Advisory
https://www.gnu.org/software/gcc/gcc-8/changes.htmlExploit, Vendor Advisory
https://gcc.gnu.org/viewcvs/gcc/trunk/gcc/config/arm/arm-protos.h?revision=266379&view=markupVendor Advisory
https://www.gnu.org/software/gcc/gcc-8/changes.htmlExploit, Vendor Advisory

Timeline

Published: May 22, 2019
Last Modified: Jun 17, 2026
Status: Modified

Frequently Asked Questions

What is CVE-2018-12886?

How severe is CVE-2018-12886?

Severity scoring for CVE-2018-12886 is pending analysis. The EPSS model estimates a 2.17% probability of exploitation in the next 30 days.

How do I fix CVE-2018-12886?

Check the vendor references and advisories linked above for patched versions and mitigation guidance. You can also run a Strix scan to test if your systems are affected.

Are you affected by CVE-2018-12886?

Run a free Strix scan to check your systems for this vulnerability.

Scan your code now

Source: NVD / NIST