CVE-2021-29955 — Injection in Mozilla Firefox

CWE-74 — Injection8 documents7 sources

Severity

5.3MEDIUMNVD

EPSS

0.9%

top 24.54%

CISA KEV

Not in KEV

Exploit

No known exploits

Affected products

Mozilla Firefox Mozilla Firefox ESR

Timeline

PublishedJun 24

Latest updateMay 24

Description

A transient execution vulnerability, named Floating Point Value Injection (FPVI) allowed an attacker to leak arbitrary memory addresses and may have also enabled JIT type confusion attacks. (A related vulnerability, Speculative Code Store Bypass (SCSB), did not affect Firefox.). This vulnerability affects Firefox ESR < 78.9 and Firefox < 87.

CVSS vector

CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:U/C:H/I:N/A:NExploitability: 1.6 | Impact: 3.6

Affected Packages4 packages

▶CVEListV5mozilla/firefoxunspecified — 87

▶NVDmozilla/firefox< 87.0

▶CVEListV5mozilla/firefox_esrunspecified — 78.9

▶NVDmozilla/firefox_esr< 78.9

🔴Vulnerability Details

GHSA

GHSA-2vp6-mvmx-fxh9: A transient execution vulnerability, named Floating Point Value Injection (FPVI) allowed an attacker to leak arbitrary memory addresses and may have a↗2022-05-24

▶

OSV

CVE-2021-29955: A transient execution vulnerability, named Floating Point Value Injection (FPVI) allowed an attacker to leak arbitrary memory addresses and may have a↗2021-06-24

▶

CVEList

CVE-2021-29955: A transient execution vulnerability, named Floating Point Value Injection (FPVI) allowed an attacker to leak arbitrary memory addresses and may have a↗2021-06-24

▶

📋Vendor Advisories

Debian

CVE-2021-29955: firefox - A transient execution vulnerability, named Floating Point Value Injection (FPVI)...↗2021

▶

Mozilla

Mozilla Foundation Security Advisory 2021-10: CVE-2021-29955↗

▶

Mozilla

Mozilla Foundation Security Advisory 2021-11: CVE-2021-29955↗

▶

💬Community

Bugzilla

FPVI & SCSB Disclosure (Feb 12, ‘21)↗2021-02-16

▶