CVE-2014-1544 — Use After Free in Mozilla Firefox

CWE-416 — Use After Free10 documents8 sources

Severity

10.0CRITICALNVD

EPSS

2.0%

top 16.48%

CISA KEV

Not in KEV

Exploit

No known exploits

Affected products

Mozilla NSS Mozilla Firefox Mozilla Thunderbird +2 more

Timeline

PublishedJul 23

Latest updateMay 17

Description

Use-after-free vulnerability in the CERT_DestroyCertificate function in libnss3.so in Mozilla Network Security Services (NSS) 3.x, as used in Firefox before 31.0, Firefox ESR 24.x before 24.7, and Thunderbird before 24.7, allows remote attackers to execute arbitrary code via vectors that trigger certain improper removal of an NSSCertificate structure from a trust domain.

CVSS vector

AV:N/AC:L/C:C/I:C/A:CExploitability: 10.0 | Impact: 10.0

Affected Packages5 packages

▶NVDmozilla/network_security_services51 versions+50

▶NVDmozilla/firefox30.0+5

▶NVDmozilla/firefox_esr5 versions+4

▶NVDmozilla/thunderbird24.6+8

▶Debianmozilla/nss< 2:3.16.3-1+3

🔴Vulnerability Details

GHSA

GHSA-pwp6-rmm8-g5j6: Use-after-free vulnerability in the CERT_DestroyCertificate function in libnss3↗2022-05-17

▶

CVEList

CVE-2014-1544: Use-after-free vulnerability in the CERT_DestroyCertificate function in libnss3↗2014-07-23

▶

OSV

CVE-2014-1544: Use-after-free vulnerability in the CERT_DestroyCertificate function in libnss3↗2014-07-23

▶

📋Vendor Advisories

Ubuntu

NSS vulnerability↗2014-09-09

▶

Red Hat

nss: Race-condition in certificate verification can lead to Remote code execution (MFSA 2014-63)↗2014-07-22

▶

Ubuntu

Thunderbird vulnerabilities↗2014-07-22

▶

Ubuntu

Firefox vulnerabilities↗2014-07-22

▶

Debian

CVE-2014-1544: nss - Use-after-free vulnerability in the CERT_DestroyCertificate function in libnss3....↗2014

▶

💬Community

Bugzilla

CVE-2014-1544 nss: Race-condition in certificate verification can lead to Remote code execution (MFSA 2014-63)↗2014-07-04

▶