CVE-2023-25738 — Out-of-bounds Read in Mozilla Firefox

CWE-125 — Out-of-bounds Read CWE-119 — Improper Restriction of Operations within the Bounds of a Memory Buffer8 documents6 sources

Severity

6.5MEDIUMNVD

EPSS

0.2%

top 62.78%

CISA KEV

Not in KEV

Exploit

No known exploits

Affected products

Mozilla Firefox Mozilla Firefox ESR Mozilla Thunderbird

Timeline

PublishedJun 2

Description

Members of the DEVMODEW struct set by the printer device driver weren't being validated and could have resulted in invalid values which in turn would cause the browser to attempt out of bounds access to related variables.*This bug only affects Firefox on Windows. Other operating systems are unaffected.*. This vulnerability affects Firefox < 110, Thunderbird < 102.8, and Firefox ESR < 102.8.

CVSS vector

CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:HExploitability: 2.8 | Impact: 3.6

Affected Packages6 packages

▶CVEListV5mozilla/firefoxunspecified — 110

▶NVDmozilla/firefox< 110.0

▶CVEListV5mozilla/firefox_esrunspecified — 102.8

▶NVDmozilla/firefox_esr< 102.8

▶CVEListV5mozilla/thunderbirdunspecified — 102.8

🔴Vulnerability Details

CVEList

CVE-2023-25738: Members of the DEVMODEW struct set by the printer device driver weren't being validated and could have resulted in invalid values which in turn would↗2023-06-02

▶

GHSA

GHSA-5wxj-v52j-4fmh: Members of the DEVMODEW struct set by the printer device driver weren't being validated and could have resulted in invalid values which in turn would↗2023-06-02

▶

📋Vendor Advisories

Red Hat

Mozilla: Printing on Windows could potentially crash Firefox with some device drivers↗2023-02-14

▶

Debian

CVE-2023-25738: firefox - Members of the <code>DEVMODEW</code> struct set by the printer device driver wer...↗2023

▶

Mozilla

Mozilla Foundation Security Advisory 2023-05: CVE-2023-25738↗

▶

Mozilla

Mozilla Foundation Security Advisory 2023-07: CVE-2023-25738↗

▶

Mozilla

Mozilla Foundation Security Advisory 2023-06: CVE-2023-25738↗

▶