CVE-2016-5261
Published 2016-08-05
Priority P3 · 42 · high · CVSS 3.0: 8.8
CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H
EPSS: 4.18% (89.7th percentile)
Integer overflow in the WebSocketChannel class in the WebSockets subsystem in Mozilla Firefox before 48.0 and Firefox ESR < 45.4 allows remote attackers to execute arbitrary code or cause a denial of service (memory corruption) via crafted packets that trigger incorrect buffer-resize operations during buffering.
Affected
5 ranges
| Vendor | Product | Version range | Fixed in |
|---|---|---|---|
| debian | firefox | < firefox 48.0-1 (sid) | firefox 48.0-1 (sid) |
| debian | firefox-esr | < firefox 48.0-1 (sid) | firefox 48.0-1 (sid) |
| mozilla | firefox | <= 47.0.1 | — |
| mozilla | firefox | >= 0 < 48.0+build2-0ubuntu0.14.04.1 | 48.0+build2-0ubuntu0.14.04.1 |
| mozilla | firefox | >= 0 < 48.0+build2-0ubuntu0.16.04.1 | 48.0+build2-0ubuntu0.16.04.1 |
CVSS provenance
| Source | Version | Score | Severity | Vector |
|---|---|---|---|---|
| nvd | v3.0 | 8.8 | HIGH | CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H |
| nvd | v2.0 | 7.5 | HIGH | AV:N/AC:L/Au:N/C:P/I:P/A:P |
| osv | — | 9.8 | CRITICAL | — |
| vendor_ubuntu | — | 9.8 | CRITICAL | — |
| vendor_debian | — | 8.8 | HIGH | — |
| vendor_redhat | — | 8.8 | HIGH | — |
Red Hat
Mozilla: Integer overflow and memory corruption in WebSocketChannel (MFSA 2016-75, MFSA 2016-86)
vendor_redhat·2016-09-20·CVSS 8.8
CVE-2016-5261 [HIGH] Mozilla: Integer overflow and memory corruption in WebSocketChannel (MFSA 2016-75, MFSA 2016-86)
Integer overflow in the WebSocketChannel class in the WebSockets subsystem in Mozilla Firefox before 48.0 and Firefox ESR < 45.4 allows remote attackers to execute arbitrary code or cause a denial of service (memory corruption) via crafted packets that trigger incorrect buffer-resize operations during buffering.
Package: thunderbird (Red Hat Enterprise Linux 5) - Not affected
Package: thunderbird (Red Hat Enterprise Linux 6) - Not affected
Package: thunderbird (Red Hat Enterprise Linux 7) - Not affected
Ubuntu
Firefox vulnerabilities
vendor_ubuntu·2016-08-05·CVSS 9.8
CVE-2016-0718 [CRITICAL] Firefox vulnerabilities
Summary: Firefox could be made to crash or run programs as your login if it
opened a malicious website.
Gustavo Grieco discovered an out-of-bounds read during XML parsing in
some circumstances. If a user were tricked into opening a specially
crafted website, an attacker could potentially exploit this to cause a
denial of service via application crash, or obtain sensitive information.
(CVE-2016-0718)
Toni Huttunen discovered that once a favicon is requested from a site,
the remote server can keep the network connection open even after the page
is closed. A remote attacker could potentially exploit this to track
users, resulting in information disclosure. (CVE-2016-2830)
Christian Holler, Tyson Smith, Boris Zbarsky, Byron Campen, Julian Seward,
Carsten Boo
Red Hat
spice: Host memory access from guest with invalid primary surface parameters
vendor_redhat·2016-06-06·CVSS 7.1
CVE-2016-2150 [HIGH] spice: Host memory access from guest with invalid primary surface parameters
SPICE allows local guest OS users to read from or write to arbitrary host memory locations via crafted primary surface parameters, a similar issue to CVE-2015-5261.
A memory access flaw was found in the way spice handled certain guests using crafted primary surface parameters. A user in a guest could use this flaw to read from and write to arbitrary memory locations on the host.
Debian
CVE-2016-5261: firefox - Integer overflow in the WebSocketChannel class in the WebSockets subsystem in Mo...
vendor_debian·2016·CVSS 8.8
CVE-2016-5261 [HIGH] CVE-2016-5261: firefox - Integer overflow in the WebSocketChannel class in the WebSockets subsystem in Mo...
Integer overflow in the WebSocketChannel class in the WebSockets subsystem in Mozilla Firefox before 48.0 and Firefox ESR < 45.4 allows remote attackers to execute arbitrary code or cause a denial of service (memory corruption) via crafted packets that trigger incorrect buffer-resize operations during buffering.
Scope: local
sid: resolved (fixed in 48.0-1)
GHSA
GHSA-jrqh-qj76-c265: Integer overflow in the WebSocketChannel class in the WebSockets subsystem in Mozilla Firefox before 48
ghsa_unreviewed·2022-05-14
CVE-2016-5261 [HIGH] CWE-190 GHSA-jrqh-qj76-c265: Integer overflow in the WebSocketChannel class in the WebSockets subsystem in Mozilla Firefox before 48
Integer overflow in the WebSocketChannel class in the WebSockets subsystem in Mozilla Firefox before 48.0 and Firefox ESR < 45.4 allows remote attackers to execute arbitrary code or cause a denial of service (memory corruption) via crafted packets that trigger incorrect buffer-resize operations during buffering.
OSV
CVE-2016-5261: Integer overflow in the WebSocketChannel class in the WebSockets subsystem in Mozilla Firefox before 48
osv·2016-08-05·CVSS 8.8
CVE-2016-5261 [HIGH] CVE-2016-5261: Integer overflow in the WebSocketChannel class in the WebSockets subsystem in Mozilla Firefox before 48
Integer overflow in the WebSocketChannel class in the WebSockets subsystem in Mozilla Firefox before 48.0 and Firefox ESR < 45.4 allows remote attackers to execute arbitrary code or cause a denial of service (memory corruption) via crafted packets that trigger incorrect buffer-resize operations during buffering.
OSV
firefox vulnerabilities
osv·2016-08-05·CVSS 9.8
CVE-2016-0718 [CRITICAL] firefox vulnerabilities
Gustavo Grieco discovered an out-of-bounds read during XML parsing in
some circumstances. If a user were tricked into opening a specially
crafted website, an attacker could potentially exploit this to cause a
denial of service via application crash, or obtain sensitive information.
(CVE-2016-0718)
Toni Huttunen discovered that once a favicon is requested from a site,
the remote server can keep the network connection open even after the page
is closed. A remote attacker could potentially exploit this to track
users, resulting in information disclosure. (CVE-2016-2830)
Christian Holler, Tyson Smith, Boris Zbarsky, Byron Campen, Julian Seward,
Carsten Book, Gary Kwong, Jesse Ruderman, Andrew McCreight, and Phil
Ringnalda discovered multiple memory safety issues in
No detection rules found.
No public exploits indexed.
Bugzilla
CVE-2016-5261 Mozilla: Integer overflow and memory corruption in WebSocketChannel (MFSA 2016-75, MFSA 2016-86)
bugzilla·2016-08-01·CVSS 8.8
CVE-2016-5261 [HIGH] CVE-2016-5261 Mozilla: Integer overflow and memory corruption in WebSocketChannel (MFSA 2016-75, MFSA 2016-86)
Security researcher Samuel Groß reported an integer overflow error in WebSockets during data buffering on incoming packets when an allocated buffer is resized incorrectly. This results in the buffer array holding the data being shrunk, instead of grown, resulting in attacker controlled data being written at a known offset from the newly allocated buffer. This results in a potentially exploitable crash.
External Reference:
https://www.mozilla.org/security/advisories/mfsa2016-75/
https://www.mozilla.org/security/advisories/mfsa2016-86/
Acknowledgements:
Name: the Mozilla project
Upstream: Samuel Groß
Discussion:
This issue has been addressed in the following products:
Red
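The failure mode in the Bugzilla text above (a 32-bit size computation that wraps, so the "grow" actually shrinks the buffer and the copy that follows lands past its end at an offset the attacker can predict) modelled in C as an added example. This is a constructed illustration, not Firefox's WebSocketChannel code: the names ws_buffer, ws_append, ws_grow_vulnerable, ws_grow_safe, ws_attacker_count, the WS_SLACK headroom constant and the sample frame bytes are all assumptions. The hardened variant does the arithmetic in 64 bits and refuses a request that would wrap, which is the check to look for on any length-driven realloc.

```c
#include <assert.h>
#include <stdbool.h>
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Constructed model of the buffering pattern the advisory describes.
 * All names below are assumptions for illustration, not Firefox code. */

#define WS_SLACK 8192u   /* assumed headroom added on every grow */

typedef struct {
    uint8_t *data;       /* heap buffer for a partially received message */
    uint32_t buffered;   /* bytes already stored */
    uint32_t size;       /* allocated capacity */
} ws_buffer;

typedef enum { WS_OK = 0, WS_REJECTED = 1, WS_OVERFLOW = 2 } ws_result;

/* Vulnerable capacity computation: 32-bit arithmetic wraps, so a large
 * count yields a capacity SMALLER than what is already buffered. */
uint32_t ws_grow_vulnerable(uint32_t buffered, uint32_t count)
{
    return buffered + count + WS_SLACK;   /* may wrap past UINT32_MAX */
}

/* Hardened computation: do the sum in 64 bits and refuse to wrap. */
bool ws_grow_safe(uint32_t buffered, uint32_t count, uint32_t *new_size)
{
    uint64_t need = (uint64_t)buffered + count + WS_SLACK;
    if (need > UINT32_MAX)
        return false;
    *new_size = (uint32_t)need;
    return true;
}

/* The count an attacker announces so the vulnerable grow lands on exactly
 * `target` bytes; the write then starts at the known offset `buffered`
 * inside an allocation that is far too small. */
uint32_t ws_attacker_count(uint32_t buffered, uint32_t target)
{
    return target - buffered - WS_SLACK;   /* modular arithmetic on purpose */
}

/* Append `count` bytes from `src`. The copy is only performed when it
 * provably fits, so the overflowing case is reported instead of executed
 * and the demo runs without a multi-gigabyte payload. */
ws_result ws_append(ws_buffer *b, const uint8_t *src, uint32_t count, bool hardened)
{
    if ((uint64_t)b->buffered + count > b->size) {
        uint32_t new_size;
        if (hardened) {
            if (!ws_grow_safe(b->buffered, count, &new_size))
                return WS_REJECTED;          /* caller closes the channel */
        } else {
            new_size = ws_grow_vulnerable(b->buffered, count);
        }
        uint8_t *p = realloc(b->data, new_size ? new_size : 1);
        if (!p)
            return WS_REJECTED;
        b->data = p;
        b->size = new_size;                  /* shrinks when new_size wrapped */
    }
    if ((uint64_t)b->buffered + count > b->size)
        return WS_OVERFLOW;                  /* memcpy would run off the end */
    memcpy(b->data + b->buffered, src, count);
    b->buffered += count;
    return WS_OK;
}

/* Scenario: 16 bytes buffered, then a frame sized to wrap the capacity to
 * 64. Returns the capacity after the vulnerable resize (64: shrunk from
 * the ~8 KiB it had, while 16 bytes of data are still "in" it). */
uint32_t demo_vulnerable_shrinks(void)
{
    ws_buffer b = {0};
    uint8_t hdr[16] = {0x81, 0x0e};             /* constructed frame prefix */
    ws_result r = ws_append(&b, hdr, sizeof hdr, false);
    assert(r == WS_OK && b.size == 16 + WS_SLACK);
    uint32_t evil = ws_attacker_count(b.buffered, 64);
    r = ws_append(&b, NULL, evil, false);       /* NULL: never copied */
    uint32_t after = (r == WS_OVERFLOW) ? b.size : 0;
    free(b.data);
    return after;
}

/* Same scenario against the hardened path; returns the result code. */
ws_result demo_hardened_rejects(void)
{
    ws_buffer b = {0};
    uint8_t hdr[16] = {0x81, 0x0e};
    ws_append(&b, hdr, sizeof hdr, true);
    ws_result r = ws_append(&b, NULL, ws_attacker_count(b.buffered, 64), true);
    free(b.data);
    return r;
}

int main(void)
{
    printf("vulnerable: capacity after wrap = %u\n", demo_vulnerable_shrinks());
    printf("hardened:   result = %d (1 = rejected)\n", demo_hardened_rejects());
    return 0;
}
```

Compile with `cc -std=c99 ws_grow.c && ./a.out`: the vulnerable path reports a capacity of 64 after the "grow", the hardened path returns WS_REJECTED before any allocation. The check is deliberately on the requested size, not on the realloc result: realloc happily returns a smaller block, so a NULL check alone never catches this class of bug.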
Bugzilla
CVE-2016-2150 spice: Host memory access from guest with invalid primary surface parameters
bugzilla·2016-03-01·CVSS 7.1
CVE-2016-2150 [HIGH] CVE-2016-2150 spice: Host memory access from guest with invalid primary surface parameters
It was found that one malicious guest inside a virtual machine can take control of the corresponding Qemu process in the host using crafted primary surface parameters. This issue is similar to CVE-2015-5261, but it's using different path in the code.
Discussion:
Acknowledgments:
Name: Frediano Ziglio (Red Hat)
---
Created spice tracking bugs for this issue:
Affects: fedora-all [bug 1343135]
---
This issue has been addressed in the following products:
Red Hat Enterprise Linux 7
Via RHSA-2016:1205 https://access.redhat.com/errata/RHSA-2016:1205
---
This issue has been addressed in the following products:
Red Hat Enterprise Linux 6
Via RHSA-2016:1204 https://access.redhat.com/errata/RHSA-
References
http://lists.opensuse.org/opensuse-security-announce/2016-08/msg00004.html
http://lists.opensuse.org/opensuse-security-announce/2016-08/msg00029.html
http://rhn.redhat.com/errata/RHSA-2016-1912.html
http://www.debian.org/security/2016/dsa-3674
http://www.mozilla.org/security/announce/2016/mfsa2016-75.html
http://www.oracle.com/technetwork/topics/security/linuxbulletinoct2016-3090545.html
http://www.securityfocus.com/bid/92260
http://www.securitytracker.com/id/1036508
http://www.ubuntu.com/usn/USN-3044-1
https://bugzilla.mozilla.org/show_bug.cgi?id=1287266
https://security.gentoo.org/glsa/201701-15
https://www.mozilla.org/security/advisories/mfsa2016-86/