⚠ Actively exploited

Added to CISA KEV on 2021-11-03. Federal agencies required to patch by 2022-05-03. Required action: Apply updates per vendor instructions..

CVE-2020-6820 — Race Condition in Mozilla Firefox

CWE-362 — Race Condition CWE-415 — Double Free CWE-416 — Use After Free24 documents15 sources

Severity

8.1HIGHNVD

OSV8.8OSV6.5

EPSS

3.1%

top 13.13%

CISA KEV

KEV

Added 2021-11-03

Due 2022-05-03

Exploit

Exploited in wild

Active exploitation observed

Affected products

Mozilla Firefox Mozilla Firefox ESR Mozilla Thunderbird

Timeline

PublishedApr 24

KEV addedNov 3

KEV dueMay 3

Latest updateMay 24

CISA Required Action: Apply updates per vendor instructions.

Description

Under certain conditions, when handling a ReadableStream, a race condition can cause a use-after-free. We are aware of targeted attacks in the wild abusing this flaw. This vulnerability affects Thunderbird < 68.7.0, Firefox < 74.0.1, and Firefox ESR < 68.6.1.

CVSS vector

CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:HExploitability: 2.2 | Impact: 5.9

Affected Packages7 packages

▶CVEListV5mozilla/firefoxunspecified — 74.0.1

▶NVDmozilla/firefox< 68.6.1+1

▶CVEListV5mozilla/firefox_esrunspecified — 68.6.1

▶CVEListV5mozilla/thunderbirdunspecified — 68.7.0

▶NVDmozilla/thunderbird< 68.7.0

🔴Vulnerability Details

GHSA

GHSA-f77r-rqc9-53hh: Under certain conditions, when handling a ReadableStream, a race condition can cause a use-after-free↗2022-05-24

▶

Project0

Déjà vu-lnerability - Project Zero↗2021-02-01

▶

OSV

CVE-2020-6820: Under certain conditions, when handling a ReadableStream, a race condition can cause a use-after-free↗2020-04-24

▶

CVEList

CVE-2020-6820: Under certain conditions, when handling a ReadableStream, a race condition can cause a use-after-free↗2020-04-24

▶

OSV

thunderbird vulnerabilities↗2020-04-21

▶

📋Vendor Advisories

CISA

Mozilla Firefox And Thunderbird Use-After-Free Vulnerability↗2021-11-03

▶

Ubuntu

Thunderbird vulnerabilities↗2020-04-21

▶

Ubuntu

Thunderbird vulnerabilities↗2020-04-13

▶

Ubuntu

Firefox vulnerabilities↗2020-04-04

▶

Red Hat

Mozilla: Use-after-free when handling a ReadableStream↗2020-04-03

▶

🕵️Threat Intelligence

Qualys

Managing CISA Known Exploited Vulnerabilities with Qualys VMDR | Qualys↗2022-02-23

▶

Securelist

IT threat evolution Q2 2020. PC statistics↗2020-09-03

▶

Securelist

IT threat evolution Q2 2020. PC statistics↗2020-09-03

▶

Tenable

CVE-2020-6819, CVE-2020-6820: Critical Mozilla Firefox Zero-Day Vulnerabilities Exploited in the Wild↗2020-04-03

▶

💬Community

Bugzilla

Crash in [@ mozilla::dom::cache::Manager::Factory::Abort]↗2020-04-07

▶

Bugzilla

CVE-2020-6820 Mozilla: Use-after-free when handling a ReadableStream↗2020-04-04

▶

Bugzilla

AddressSanitizer: heap-use-after-free /home/fuzzer/firefox/src/dist/include/mozilla/ipc/ProtocolUtils.h:229:31 in Id↗2020-04-01

▶