
Debian Firefox vulnerabilities

1,550 known vulnerabilities affecting debian/firefox.

Total CVEs: 1,550
CISA KEV: 11 (actively exploited)
Public exploits: 39
Exploited in wild: 20
Severity breakdown: CRITICAL 333, HIGH 633, MEDIUM 542, LOW 42

Vulnerabilities

Page 43 of 78
CVE-2024-0744 | P3 | HIGH | CVSS 7.5 | fixed in firefox 122.0-1 (sid) | 2024
In some circumstances, JIT compiled code could have dereferenced a wild pointer value. This could have led to an exploitable crash. This vulnerability affects Firefox < 122. Scope: local. sid: resolved (fixed in 122.0-1)
debian
CVE-2024-3858 | P3 | HIGH | CVSS 7.5 | fixed in firefox 125.0.1-1 (sid) | 2024
It was possible to mutate a JavaScript object so that the JIT could crash while tracing it. This vulnerability affects Firefox < 125. Scope: local. sid: resolved (fixed in 125.0.1-1)
debian
CVE-2023-29537 | P3 | HIGH | CVSS 7.5 | fixed in firefox 112.0-1 (sid) | 2023
Multiple race conditions in the font initialization could have led to memory corruption and execution of attacker-controlled code. This vulnerability affects Firefox for Android < 112, Firefox < 112, and Focus for Android < 112. Scope: local. sid: resolved (fixed in 112.0-1)
debian
CVE-2024-4773 | P3 | HIGH | CVSS 7.5 | fixed in firefox 126.0-1 (sid) | 2024
When a network error occurred during page load, the prior content could have remained in view with a blank URL bar. This could have been used to obfuscate a spoofed web site. This vulnerability affects Firefox < 126. Scope: local. sid: resolved (fixed in 126.0-1)
debian
CVE-2024-2613 | P3 | HIGH | CVSS 7.5 | fixed in firefox 124.0-1 (sid) | 2024
Data was not properly sanitized when decoding a QUIC ACK frame; this could have led to unrestricted memory consumption and a crash. This vulnerability affects Firefox < 124. Scope: local. sid: resolved (fixed in 124.0-1)
debian
CVE-2024-9399 | P3 | HIGH | CVSS 7.5 | fixed in firefox 131.0-1 (sid) | 2024
A website configured to initiate a specially crafted WebTransport session could crash the Firefox process leading to a denial of service condition. This vulnerability affects Firefox < 131, Firefox ESR < 128.3, Thunderbird < 128.3, and Thunderbird < 131. Scope: local. sid: resolved (fixed in 131.0-1)
debian
CVE-2025-9182 | P3 | HIGH | CVSS 7.5 | fixed in firefox 142.0-1 (sid) | 2025
Denial-of-service due to out-of-memory in the Graphics: WebRender component. This vulnerability affects Firefox < 142, Firefox ESR < 140.2, Thunderbird < 142, and Thunderbird < 140.2. Scope: local. sid: resolved (fixed in 142.0-1)
debian
CVE-2019-9803 | P3 | HIGH | CVSS 7.4 | fixed in firefox 66.0-1 (sid) | 2019
The Upgrade-Insecure-Requests (UIR) specification states that if UIR is enabled through Content Security Policy (CSP), navigation to a same-origin URL must be upgraded to HTTPS. Firefox will incorrectly navigate to an HTTP URL rather than perform the security upgrade requested by the CSP in some circumstances, allowing for potential man-in-the-middle attacks on the li
debian
CVE-2026-2801 | P3 | HIGH | CVSS 7.5 | fixed in firefox 148.0-1 (sid) | 2026
Incorrect boundary conditions in the JavaScript: WebAssembly component. This vulnerability affects Firefox < 148 and Thunderbird < 148. Scope: local. sid: resolved (fixed in 148.0-1)
debian
CVE-2025-5270 | P3 | HIGH | CVSS 7.5 | fixed in firefox 139.0-1 (sid) | 2025
In certain cases, SNI could have been sent unencrypted even when encrypted DNS was enabled. This vulnerability affects Firefox < 139 and Thunderbird < 139. Scope: local. sid: resolved (fixed in 139.0-1)
debian
CVE-2016-2836 | P3 | HIGH | CVSS 8.8 | fixed in firefox 48.0-1 (sid) | 2016
Multiple unspecified vulnerabilities in the browser engine in Mozilla Firefox before 48.0 and Firefox ESR 45.x before 45.3 allow remote attackers to cause a denial of service (memory corruption and application crash) or possibly execute arbitrary code via vectors related to Http2Session::Shutdown and SpdySession31::Shutdown, and other vectors. Scope: local. sid: resolv
debian
CVE-2016-2835 | P3 | HIGH | CVSS 8.8 | fixed in firefox 48.0-1 (sid) | 2016
Multiple unspecified vulnerabilities in the browser engine in Mozilla Firefox before 48.0 allow remote attackers to cause a denial of service (memory corruption and application crash) or possibly execute arbitrary code via unknown vectors. Scope: local. sid: resolved (fixed in 48.0-1)
debian
CVE-2016-1964 | P3 | HIGH | CVSS 8.8 | fixed in firefox 45.0-1 (sid) | 2016
Use-after-free vulnerability in the AtomicBaseIncDec function in Mozilla Firefox before 45.0 and Firefox ESR 38.x before 38.7 allows remote attackers to execute arbitrary code or cause a denial of service (heap memory corruption) by leveraging mishandling of XML transformations. Scope: local. sid: resolved (fixed in 45.0-1)
debian
CVE-2024-9403 | P3 | HIGH | CVSS 7.3 | fixed in firefox 131.0-1 (sid) | 2024
Memory safety bugs present in Firefox 130. Some of these bugs showed evidence of memory corruption and we presume that with enough effort some of these could have been exploited to run arbitrary code. This vulnerability affects Firefox < 131 and Thunderbird < 131. Scope: local. sid: resolved (fixed in 131.0-1)
debian
CVE-2019-9812 | P3 | CRITICAL | CVSS 9.3 | fixed in firefox 69.0-1 (sid) | 2019
Given a compromised sandboxed content process due to a separate vulnerability, it is possible to escape that sandbox by loading accounts.firefox.com in that process and forcing a log-in to a malicious Firefox Sync account. Preference settings that disable the sandbox are then synchronized to the local machine and the compromised browser would restart without the s
debian
CVE-2017-7774 | P3 | CRITICAL | CVSS 9.1 | fixed in firefox 54.0-1 (sid) | 2017
Out-of-bounds read in Graphite2 Library in Firefox before 54 in graphite2::Silf::readGraphite function. Scope: local. sid: resolved (fixed in 54.0-1)
debian
CVE-2006-1790 | P3 | CRITICAL | CVSS 10.0 | fixed in firefox 1.5 (sid) | 2006
A regression fix in Mozilla Firefox 1.0.7 allows remote attackers to cause a denial of service (crash) and possibly execute arbitrary code via the InstallTrigger.install method, which leads to memory corruption. Scope: local. sid: resolved (fixed in 1.5)
debian
CVE-2018-12364 | P3 | HIGH | CVSS 8.8 | fixed in firefox 61.0-1 (sid) | 2018
NPAPI plugins, such as Adobe Flash, can send non-simple cross-origin requests, bypassing CORS by making a same-origin POST that does a 307 redirect to the target site. This allows for a malicious site to engage in cross-site request forgery (CSRF) attacks. This vulnerability affects Thunderbird < 60, Thunderbird < 52.9, Firefox ESR < 60.1, Firefox ESR < 52.9, and Fi
debian
CVE-2016-1949 | P3 | HIGH | CVSS 8.8 | fixed in firefox 45.0-1 (sid) | 2016
Mozilla Firefox before 44.0.2 does not properly restrict the interaction between Service Workers and plugins, which allows remote attackers to bypass the Same Origin Policy via a crafted web site that triggers spoofed responses to requests that use NPAPI, as demonstrated by a request for a crossdomain.xml file. Scope: local. sid: resolved (fixed in 45.0-1)
debian
CVE-2018-12388 | P3 | HIGH | CVSS 8.8 | fixed in firefox 63.0-1 (sid) | 2018
Mozilla developers and community members reported memory safety bugs present in Firefox 62. Some of these bugs showed evidence of memory corruption and we presume that with enough effort that some of these could be exploited to run arbitrary code. This vulnerability affects Firefox < 63. Scope: local. sid: resolved (fixed in 63.0-1)
debian