CVE-2021-29986 — Race Condition in Mozilla Firefox

CWE-362 — Race Condition CWE-367 — Time-of-check Time-of-use (TOCTOU) Race Condition13 documents8 sources

Severity

8.1HIGHNVD

OSV5.9

EPSS

0.6%

top 30.85%

CISA KEV

Not in KEV

Exploit

No known exploits

Affected products

Mozilla Firefox Mozilla Firefox ESR Mozilla Thunderbird

Timeline

PublishedAug 17

Latest updateMay 24

Description

A suspected race condition when calling getaddrinfo led to memory corruption and a potentially exploitable crash. *Note: This issue only affected Linux operating systems. Other operating systems are unaffected.* This vulnerability affects Thunderbird < 78.13, Thunderbird < 91, Firefox ESR < 78.13, and Firefox < 91.

CVSS vector

CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:HExploitability: 2.2 | Impact: 5.9

Affected Packages8 packages

▶CVEListV5mozilla/firefoxunspecified — 91

▶NVDmozilla/firefox< 91.0

▶CVEListV5mozilla/firefox_esrunspecified — 78.13

▶CVEListV5mozilla/thunderbirdunspecified — 78.13+1

▶NVDmozilla/firefox_esr< 78.13.0

🔴Vulnerability Details

GHSA

GHSA-vrcx-8xp2-2764: A suspected race condition when calling getaddrinfo led to memory corruption and a potentially exploitable crash↗2022-05-24

▶

OSV

thunderbird vulnerabilities↗2021-08-31

▶

OSV

CVE-2021-29986: A suspected race condition when calling getaddrinfo led to memory corruption and a potentially exploitable crash↗2021-08-17

▶

CVEList

CVE-2021-29986: A suspected race condition when calling getaddrinfo led to memory corruption and a potentially exploitable crash↗2021-08-17

▶

📋Vendor Advisories

Ubuntu

Thunderbird vulnerabilities↗2021-08-31

▶

Ubuntu

Firefox vulnerabilities↗2021-08-11

▶

Red Hat

Mozilla: Race condition when resolving DNS names could have led to memory corruption↗2021-08-10

▶

Debian

CVE-2021-29986: firefox - A suspected race condition when calling getaddrinfo led to memory corruption and...↗2021

▶

Mozilla

Mozilla Foundation Security Advisory 2021-33: CVE-2021-29986↗

▶