CVE-2022-38476 — Use After Free in Mozilla Firefox ESR

CWE-416 — Use After Free12 documents9 sources

Severity

7.5HIGHNVD

OSV8.8

EPSS

0.2%

top 59.57%

CISA KEV

Not in KEV

Exploit

No known exploits

Affected products

Mozilla Firefox ESR Mozilla Thunderbird

Timeline

PublishedDec 22

Description

A data race could occur in the PK11_ChangePW function, potentially leading to a use-after-free vulnerability. In Firefox, this lock protected the data when a user changed their master password. This vulnerability affects Firefox ESR < 102.2 and Thunderbird < 102.2.

CVSS vector

CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:U/C:H/I:H/A:HExploitability: 1.6 | Impact: 5.9

Affected Packages6 packages

▶CVEListV5mozilla/firefox_esrunspecified — 102.2

▶NVDmozilla/firefox_esr< 102.2

▶CVEListV5mozilla/thunderbirdunspecified — 102.2

▶NVDmozilla/thunderbird< 102.2

▶Debianmozilla/thunderbird< 1:102.2.0-1+2

🔴Vulnerability Details

OSV

CVE-2022-38476: A data race could occur in the PK11_ChangePW function, potentially leading to a use-after-free vulnerability↗2022-12-22

▶

CVEList

CVE-2022-38476: A data race could occur in the PK11_ChangePW function, potentially leading to a use-after-free vulnerability↗2022-12-22

▶

GHSA

GHSA-mj64-2668-m2rv: A data race could occur in the PK11_ChangePW function, potentially leading to a use-after-free vulnerability↗2022-12-22

▶

OSV

thunderbird vulnerabilities↗2022-10-07

▶

📋Vendor Advisories

Ubuntu

Thunderbird vulnerabilities↗2022-10-07

▶

Red Hat

Mozilla: Data race and potential use-after-free in PK11_ChangePW↗2022-08-23

▶

Debian

CVE-2022-38476: firefox-esr - A data race could occur in the <code>PK11_ChangePW</code> function, potentially ...↗2022

▶

Mozilla

Mozilla Foundation Security Advisory 2022-34: CVE-2022-38476↗

▶

Mozilla

Mozilla Foundation Security Advisory 2022-36: CVE-2022-38476↗

▶

🕵️Threat Intelligence

Securelist

IT threat evolution in Q3 2022. Non-mobile statistics↗2022-11-18

▶

Securelist

PC malware statistics, Q3 2022↗2022-11-18

▶