CVE-2023-5170Missing Release of Memory after Effective Lifetime in Mozilla Firefox

CWE-401Missing Release of Memory after Effective Lifetime10 documents7 sources
Severity
7.4HIGHNVD
OSV6.5
EPSS
0.2%
top 53.83%
CISA KEV
Not in KEV
Exploit
No known exploits
Affected products
1
Mozilla Firefox
Timeline
PublishedSep 27
Latest updateOct 11

Description

In canvas rendering, a compromised content process could have caused a surface to change unexpectedly, leading to a memory leak of a privileged process. This memory leak could be used to effect a sandbox escape if the correct data was leaked. This vulnerability affects Firefox < 118.

CVSS vector

CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:H/I:N/A:NExploitability: 2.8 | Impact: 4.0

Affected Packages3 packages

CVEListV5mozilla/firefoxunspecified118
NVDmozilla/firefox< 118.0
Ubuntumozilla/firefox< 118.0.1+build1-0ubuntu0.20.04.1+1

🔴Vulnerability Details

5
OSV
firefox regressions2023-10-11
OSV
firefox vulnerabilities2023-10-03
OSV
CVE-2023-5170: In canvas rendering, a compromised content process could have caused a surface to change unexpectedly, leading to a memory leak of a privileged proces2023-09-28
GHSA
GHSA-2gw5-9px7-vp56: In canvas rendering, a compromised content process could have caused a surface to change unexpectedly, leading to a memory leak of a privileged proces2023-09-27
CVEList
CVE-2023-5170: In canvas rendering, a compromised content process could have caused a surface to change unexpectedly, leading to a memory leak of a privileged proces2023-09-27

📋Vendor Advisories

4
Ubuntu
Firefox regressions2023-10-11
Ubuntu
Firefox vulnerabilities2023-10-03
Debian
CVE-2023-5170: firefox - In canvas rendering, a compromised content process could have caused a surface t...2023
Mozilla
Mozilla Foundation Security Advisory 2023-41: CVE-2023-5170
CVE-2023-5170 — Mozilla Firefox vulnerability | cvebase