CVE-2019-11757Use After Free in Mozilla Firefox

CWE-416Use After Free14 documents8 sources
Severity
8.8HIGHNVD
OSV7.5
EPSS
1.4%
top 19.62%
CISA KEV
Not in KEV
Exploit
No known exploits
Affected products
4
Mozilla ThunderbirdMozilla FirefoxMozilla Firefox ESR+1 more
Timeline
PublishedJan 8
Latest updateMay 24

Description

When following the value's prototype chain, it was possible to retain a reference to a locale, delete it, and subsequently reference it. This resulted in a use-after-free and a potentially exploitable crash. This vulnerability affects Firefox < 70, Thunderbird < 68.2, and Firefox ESR < 68.2.

CVSS vector

CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:HExploitability: 2.8 | Impact: 5.9

Affected Packages8 packages

NVDmozilla/firefox< 70.0
CVEListV5mozilla/firefoxbefore 70
CVEListV5mozilla/firefox_esrbefore 68.2

Also affects: Ubuntu Linux 16.04

🔴Vulnerability Details

6
GHSA
GHSA-fxjq-wqq4-mf6x: When following the value's prototype chain, it was possible to retain a reference to a locale, delete it, and subsequently reference it2022-05-24
OSV
thunderbird vulnerabilities2020-04-21
CVEList
CVE-2019-11757: When following the value's prototype chain, it was possible to retain a reference to a locale, delete it, and subsequently reference it2020-01-08
OSV
CVE-2019-11757: When following the value's prototype chain, it was possible to retain a reference to a locale, delete it, and subsequently reference it2020-01-08
OSV
thunderbird regression2019-12-10

📋Vendor Advisories

6
Ubuntu
Thunderbird vulnerabilities2020-04-21
Ubuntu
Thunderbird regression2019-12-10
Ubuntu
Thunderbird vulnerabilities2019-11-26
Ubuntu
Firefox vulnerabilities2019-10-23
Red Hat
Mozilla: Use-after-free when creating index updates in IndexedDB2019-10-22

💬Community

1
Bugzilla
CVE-2019-11757 Mozilla: Use-after-free when creating index updates in IndexedDB2019-10-23
CVE-2019-11757 — Use After Free in Mozilla Firefox | cvebase