⚠ Actively exploited

Added to CISA KEV on 2021-11-03. Federal agencies required to patch by 2022-05-03. Required action: Apply updates per vendor instructions..

CVE-2020-6819 — Race Condition in Mozilla Firefox

CWE-362 — Race Condition CWE-416 — Use After Free CWE-787 — Out-of-bounds Write23 documents16 sources

Severity

8.1HIGHNVD

OSV8.8OSV6.5

EPSS

0.4%

top 41.56%

CISA KEV

KEV

Added 2021-11-03

Due 2022-05-03

Exploit

Exploited in wild

Active exploitation observed

Affected products

Mozilla Firefox Mozilla Firefox ESR Mozilla Thunderbird

Timeline

PublishedApr 24

KEV addedNov 3

KEV dueMay 3

Latest updateMay 24

CISA Required Action: Apply updates per vendor instructions.

Description

Under certain conditions, when running the nsDocShell destructor, a race condition can cause a use-after-free. We are aware of targeted attacks in the wild abusing this flaw. This vulnerability affects Thunderbird < 68.7.0, Firefox < 74.0.1, and Firefox ESR < 68.6.1.

CVSS vector

CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:HExploitability: 2.2 | Impact: 5.9

Affected Packages7 packages

▶CVEListV5mozilla/firefoxunspecified — 74.0.1

▶NVDmozilla/firefox< 68.6.1+1

▶CVEListV5mozilla/firefox_esrunspecified — 68.6.1

▶CVEListV5mozilla/thunderbirdunspecified — 68.7.0

▶NVDmozilla/thunderbird< 68.7.0

🔴Vulnerability Details

GHSA

GHSA-cv8q-mpvf-42h2: Under certain conditions, when running the nsDocShell destructor, a race condition can cause a use-after-free↗2022-05-24

▶

CVEList

CVE-2020-6819: Under certain conditions, when running the nsDocShell destructor, a race condition can cause a use-after-free↗2020-04-24

▶

OSV

CVE-2020-6819: Under certain conditions, when running the nsDocShell destructor, a race condition can cause a use-after-free↗2020-04-24

▶

OSV

thunderbird vulnerabilities↗2020-04-21

▶

OSV

thunderbird vulnerabilities↗2020-04-13

▶

📋Vendor Advisories

CISA

Mozilla Firefox And Thunderbird Use-After-Free Vulnerability↗2021-11-03

▶

Ubuntu

Thunderbird vulnerabilities↗2020-04-21

▶

Ubuntu

Thunderbird vulnerabilities↗2020-04-13

▶

Ubuntu

Firefox vulnerabilities↗2020-04-04

▶

Red Hat

Mozilla: Use-after-free while running the nsDocShell destructor↗2020-04-03

▶

🕵️Threat Intelligence

Qualys

Managing CISA Known Exploited Vulnerabilities with Qualys VMDR | Qualys↗2022-02-23

▶

Securelist

IT threat evolution Q2 2020. PC statistics↗2020-09-03

▶

Securelist

IT threat evolution Q2 2020. PC statistics↗2020-09-03

▶

Tenable

CVE-2020-6819, CVE-2020-6820: Critical Mozilla Firefox Zero-Day Vulnerabilities Exploited in the Wild↗2020-04-03

▶

📐Framework References

CWE

Use After Free↗

▶

CWE

Concurrent Execution using Shared Resource with Improper Synchronization ('Race Condition')↗

▶

💬Community

Bugzilla

CVE-2020-6819 Mozilla: Use-after-free while running the nsDocShell destructor↗2020-04-04

▶