CVE-2020-6826
Published 2020-04-24
Priority P335 · critical · 9.8 (CVSS 3.1)
Vector: AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
EPSS: 1.24% (65.6th percentile)
Mozilla developers Tyson Smith, Bob Clary, and Alexandru Michis reported memory safety bugs present in Firefox 74. Some of these bugs showed evidence of memory corruption and we presume that with enough effort some of these could have been exploited to run arbitrary code. This vulnerability affects Firefox < 75.
Affected
7 ranges
| Vendor | Product | Version range | Fixed in |
|---|---|---|---|
| debian | firefox | < firefox 75.0-1 (sid) | firefox 75.0-1 (sid) |
| mozilla | firefox | < 75.0 | 75.0 |
| mozilla | firefox | — | — |
| mozilla | firefox | >= 0 < 75.0+build3-0ubuntu0.16.04.1 | 75.0+build3-0ubuntu0.16.04.1 |
| mozilla | firefox | >= 0 < 75.0+build3-0ubuntu0.18.04.1 | 75.0+build3-0ubuntu0.18.04.1 |
| mozilla | firefox | >= 0 < 75.0+build3-0ubuntu1 | 75.0+build3-0ubuntu1 |
| mozilla | firefox | >= unspecified < 75 | 75 |
CVSS provenance
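| Source | CVSS version | Score | Severity | Vector |
|---|---|---|---|---|
| nvd | v3.1 | 9.8 | CRITICAL | CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H |
| nvd | v2.0 | 7.5 | HIGH | AV:N/AC:L/Au:N/C:P/I:P/A:P |
| osv | — | 9.8 | CRITICAL | — |
| vendor_debian | — | 9.8 | CRITICAL | — |
| vendor_redhat | — | 9.8 | CRITICAL | — |
| vendor_ubuntu | — | 7.5 | HIGH | — |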
Red Hat
Mozilla: Memory safety bugs fixed in Firefox 75
vendor_redhat·2020-04-10·CVSS 9.8
CVE-2020-6826 [CRITICAL] CWE-119 Mozilla: Memory safety bugs fixed in Firefox 75
Package: firefox (Red Hat Enterprise Linux 5) - Not affected
Package: firefox (Red Hat Enterprise Linux 6) - Not affected
Package: firefox (Red Hat Enterprise Linux 7) - Not affected
Package: firefox (Red Hat Enterprise Linux 8) - Not affected
Ubuntu
Firefox vulnerabilities
vendor_ubuntu·2020-04-07·CVSS 7.5
CVE-2020-6821 [HIGH] Firefox vulnerabilities
Title: Firefox vulnerabilities
Summary: Firefox could be made to crash or run programs as your login if it opened a malicious website.
Multiple security issues were discovered in Firefox. If a user were tricked into opening a specially crafted website, an attacker could potentially exploit these to cause a denial of service, obtain sensitive information, or execute arbitrary code. (CVE-2020-6821, CVE-2020-6822, CVE-2020-6824, CVE-2020-6825, CVE-2020-6826)
It was discovered that extensions could obtain auth codes from OAuth login flows in some circumstances. If a user were tricked into installing a specially crafted extension, an attacker could potentially exploit this to obtain access to the user's account. (CVE-2020-6823)
Instructions: After a standard system update you need to rest
Debian
CVE-2020-6826: firefox - Mozilla developers Tyson Smith, Bob Clary, and Alexandru Michis reported memory ...
vendor_debian·2020·CVSS 9.8
CVE-2020-6826 [CRITICAL] CVE-2020-6826: firefox - Mozilla developers Tyson Smith, Bob Clary, and Alexandru Michis reported memory ...
Scope: local
sid: resolved (fixed in 75.0-1)
Mozilla
Mozilla Foundation Security Advisory 2020-12: CVE-2020-6826
vendor_mozilla·CVSS 9.8
CVE-2020-6826 [CRITICAL] Mozilla Foundation Security Advisory 2020-12: CVE-2020-6826
CVE: CVE-2020-6826
Product: Firefox
Impact: high
Fixed in: Firefox 75
GHSA
GHSA-qp6r-j328-v2w7: Mozilla developers Tyson Smith, Bob Clary, and Alexandru Michis reported memory safety bugs present in Firefox 74
ghsa_unreviewed·2022-05-24
CVE-2020-6826 [HIGH] CWE-119 GHSA-qp6r-j328-v2w7: Mozilla developers Tyson Smith, Bob Clary, and Alexandru Michis reported memory safety bugs present in Firefox 74
OSV
CVE-2020-6826: Mozilla developers Tyson Smith, Bob Clary, and Alexandru Michis reported memory safety bugs present in Firefox 74
osv·2020-04-07·CVSS 9.8
CVE-2020-6826 [CRITICAL] CVE-2020-6826: Mozilla developers Tyson Smith, Bob Clary, and Alexandru Michis reported memory safety bugs present in Firefox 74
OSV
firefox vulnerabilities
osv·2020-04-07·CVSS 7.5
CVE-2020-6821 [HIGH] firefox vulnerabilities
No detection rules found.
No public exploits indexed.
https://bugzilla.mozilla.org/buglist.cgi?bug_id=1613009%2C1613195%2C1616734%2C1617488%2C1619229%2C1620719%2C1624897
https://www.mozilla.org/security/advisories/mfsa2020-12/