CVE-2018-12886 #5299
Locked
lecaros
announced in
Announcements
Hello everyone,
We've received a couple of reports about this CVE.
This is not yet fixed upstream. I'm adding here the comments from @patrick-stephens on a past issue:
The CVE specifically states it affects ARM: https://avd.aquasec.com/nvd/cve-2018-12886/
@edsiper can probably answer on the specific combination of circumstances required but if you're not running ARM then that's an easy waiver.
This issue was ignored by the regular Trivy scan as it is marked as unfixed currently. It looks like the only fix for GCC is to step up major version: https://gcc.gnu.org/bugzilla/show_bug.cgi?id=85434
Some vendors have backported the changes, e.g. https://access.redhat.com/security/cve/CVE-2018-12886. Red Hat also determined a lower score than NVD but that may be due to other mitigations.
Debian has not: https://security-tracker.debian.org/tracker/CVE-2018-12886