CVE-2014-8640

CWE-362 — Race Condition CWE-125 — Out-of-bounds Read7 documents7 sources

Severity

5.0MEDIUM

EPSS

1.5%

top 18.63%

CISA KEV

Not in KEV

Exploit

No known exploits

Affected products

Mozilla Firefox Mozilla Seamonkey Opensuse Opensuse

Timeline

PublishedJan 14

Latest updateMay 14

Description

The mozilla::dom::AudioParamTimeline::AudioNodeInputValue function in the Web Audio API implementation in Mozilla Firefox before 35.0 and SeaMonkey before 2.32 does not properly restrict timeline operations, which allows remote attackers to cause a denial of service (uninitialized-memory read and application crash) via crafted API calls.

CVSS vector

AV:N/AC:L/C:N/I:N/A:PExploitability: 10.0 | Impact: 2.9

Affected Packages4 packages

▶NVDmozilla/firefox34.0.5

▶NVDmozilla/seamonkey2.31

▶Ubuntufirefox< 35.0+build3-0ubuntu0.14.04.2

▶NVDopensuse/opensuse13.1, 13.2+1

🔴Vulnerability Details

GHSA

GHSA-rhh9-x7cc-27x3: The mozilla::dom::AudioParamTimeline::AudioNodeInputValue function in the Web Audio API implementation in Mozilla Firefox before 35↗2022-05-14

▶

CVEList

CVE-2014-8640: The mozilla::dom::AudioParamTimeline::AudioNodeInputValue function in the Web Audio API implementation in Mozilla Firefox before 35↗2015-01-14

▶

OSV

CVE-2014-8640: The mozilla::dom::AudioParamTimeline::AudioNodeInputValue function in the Web Audio API implementation in Mozilla Firefox before 35↗2015-01-14

▶

📋Vendor Advisories

Red Hat

Mozilla: Read of uninitialized memory in Web Audio (MFSA 2015-05)↗2015-01-15

▶

Ubuntu

Firefox vulnerabilities↗2015-01-14

▶

💬Community

Bugzilla

CVE-2014-8640 Mozilla: Read of uninitialized memory in Web Audio (MFSA 2015-05)↗2015-01-12

▶