CVE-2023-4573 — Use After Free in Mozilla Firefox

CWE-416 — Use After Free15 documents8 sources

Severity

6.5MEDIUMNVD

EPSS

0.2%

top 59.20%

CISA KEV

Not in KEV

Exploit

No known exploits

Affected products

Mozilla Firefox Mozilla Firefox ESR Mozilla Thunderbird

Timeline

PublishedSep 11

Latest updateSep 14

Description

When receiving rendering data over IPC `mStream` could have been destroyed when initialized, which could have led to a use-after-free causing a potentially exploitable crash. This vulnerability affects Firefox < 117, Firefox ESR < 102.15, Firefox ESR < 115.2, Thunderbird < 102.15, and Thunderbird < 115.2.

CVSS vector

CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:HExploitability: 2.8 | Impact: 3.6

Affected Packages9 packages

▶CVEListV5mozilla/firefoxunspecified — 117

▶NVDmozilla/firefox115.0 — 115.2+1

▶CVEListV5mozilla/firefox_esrunspecified — 102.15+1

▶NVDmozilla/firefox_esr< 102.15

▶Ubuntumozilla/firefox< 117.0+build2-0ubuntu0.20.04.1

🔴Vulnerability Details

OSV

thunderbird vulnerabilities↗2023-09-14

▶

CVEList

Memory corruption in IPC CanvasTranslator↗2023-09-11

▶

GHSA

GHSA-vfg8-wvhv-f2g4: When receiving rendering data over IPC `mStream` could have been destroyed when initialized, which could have led to a use-after-free causing a potent↗2023-09-11

▶

OSV

CVE-2023-4573: When receiving rendering data over IPC `mStream` could have been destroyed when initialized, which could have led to a use-after-free causing a potent↗2023-09-11

▶

OSV

firefox vulnerabilities↗2023-08-30

▶

📋Vendor Advisories

Ubuntu

Thunderbird vulnerabilities↗2023-09-14

▶

Ubuntu

Firefox vulnerabilities↗2023-08-30

▶

Red Hat

Mozilla: Memory corruption in IPC CanvasTranslator↗2023-08-29

▶

Debian

CVE-2023-4573: firefox - When receiving rendering data over IPC `mStream` could have been destroyed when ...↗2023

▶

Mozilla

Mozilla Foundation Security Advisory 2023-34: CVE-2023-4573↗

▶