CVE-2018-18512 — Use After Free in Mozilla Thunderbird

CWE-416 — Use After Free4 documents4 sources

Severity

9.8CRITICALNVD

EPSS

0.4%

top 38.06%

CISA KEV

Not in KEV

Exploit

No known exploits

Affected products

Mozilla Thunderbird Debian Thunderbird

Timeline

PublishedApr 26

Latest updateMay 24

Description

A use-after-free vulnerability can occur while playing a sound notification in Thunderbird. The memory storing the sound data is immediately freed, although the sound is still being played asynchronously, leading to a potentially exploitable crash. This vulnerability affects Thunderbird < 60.5.

CVSS vector

CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:HExploitability: 3.9 | Impact: 5.9

Affected Packages4 packages

▶debiandebian/thunderbird< thunderbird 1:60.5.0-1 (bookworm)

▶CVEListV5mozilla/thunderbirdunspecified — 60.5

▶NVDmozilla/thunderbird< 65.0

▶Debianmozilla/thunderbird< 1:60.5.0-1+3

🔴Vulnerability Details

GHSA

GHSA-2mgp-6265-vwf6: A use-after-free vulnerability can occur while playing a sound notification in Thunderbird↗2022-05-24

▶

OSV

CVE-2018-18512: A use-after-free vulnerability can occur while playing a sound notification in Thunderbird↗2019-04-26

▶

📋Vendor Advisories

Debian

CVE-2018-18512: thunderbird - A use-after-free vulnerability can occur while playing a sound notification in T...↗2018

▶