CVE-2020-12387 — Race Condition in Mozilla Firefox

CWE-362 — Race Condition CWE-416 — Use After Free17 documents9 sources

Severity

8.1HIGHNVD

EPSS

1.0%

top 23.00%

CISA KEV

Not in KEV

Exploit

No known exploits

Affected products

Mozilla Firefox Mozilla Firefox ESR Mozilla Thunderbird

Timeline

PublishedMay 26

Latest updateMay 24

Description

A race condition when running shutdown code for Web Worker led to a use-after-free vulnerability. This resulted in a potentially exploitable crash. This vulnerability affects Firefox ESR < 68.8, Firefox < 76, and Thunderbird < 68.8.0.

CVSS vector

CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:HExploitability: 2.2 | Impact: 5.9

Affected Packages9 packages

▶CVEListV5mozilla/firefoxunspecified — 76

▶NVDmozilla/firefox< 76.0

▶CVEListV5mozilla/firefox_esrunspecified — 68.8

▶NVDmozilla/firefox_esr< 68.8.0

▶Ubuntumozilla/firefox< 76.0.1+build1-0ubuntu0.16.04.1+5

🔴Vulnerability Details

GHSA

GHSA-8m69-jh8v-xjx3: A race condition when running shutdown code for Web Worker led to a use-after-free vulnerability↗2022-05-24

▶

OSV

thunderbird vulnerabilities↗2020-05-26

▶

CVEList

CVE-2020-12387: A race condition when running shutdown code for Web Worker led to a use-after-free vulnerability↗2020-05-26

▶

OSV

CVE-2020-12387: A race condition when running shutdown code for Web Worker led to a use-after-free vulnerability↗2020-05-26

▶

OSV

firefox regression↗2020-05-12

▶

📋Vendor Advisories

Ubuntu

Thunderbird vulnerabilities↗2020-05-26

▶

Ubuntu

Firefox regression↗2020-05-12

▶

Ubuntu

Firefox vulnerabilities↗2020-05-07

▶

Red Hat

Mozilla: Use-after-free during worker shutdown↗2020-05-05

▶

Debian

CVE-2020-12387: firefox - A race condition when running shutdown code for Web Worker led to a use-after-fr...↗2020

▶

💬Community

Bugzilla

CVE-2020-12387 Mozilla: Use-after-free during worker shutdown↗2020-05-05

▶

Bugzilla

CVE-2019-12387 python-twisted: Improper neutralization of CRLF characters in URIs and HTTP methods↗2019-06-12

▶