CVE-2019-11752 — Use After Free in Mozilla Firefox
Severity
NVD: 8.8 HIGH
OSV: 9.8
OSV: 6.5
EPSS
0.9%
top 24.38%
CISA KEV
Not in KEV
Exploit
No known exploits
Affected products
Timeline
Published: Sep 27
Latest update: May 24
Description
It is possible to delete an IndexedDB key value and subsequently try to extract it during conversion. This results in a use-after-free and a potentially exploitable crash. This vulnerability affects Firefox < 69, Thunderbird < 68.1, Thunderbird < 60.9, Firefox ESR < 60.9, and Firefox ESR < 68.1.
CVSS vector
CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H
Exploitability: 2.8 | Impact: 5.9
Affected Packages: 9 packages
Vulnerability Details (6)
GHSA
GHSA-5xqq-gc4j-mg29: It is possible to delete an IndexedDB key value and subsequently try to extract it during conversion (2022-05-24)
CVEList
CVE-2019-11752: It is possible to delete an IndexedDB key value and subsequently try to extract it during conversion (2019-09-27)
OSV
CVE-2019-11752: It is possible to delete an IndexedDB key value and subsequently try to extract it during conversion (2019-09-27)
Vendor Advisories (5)
Debian
CVE-2019-11752: firefox - It is possible to delete an IndexedDB key value and subsequently try to extract ... (2019)
Research Papers (1)
arXiv
xTag: Mitigating Use-After-Free Vulnerabilities via Software-Based Pointer Tagging on Intel x86-64 (2022-03-08)