In an out-of-memory scenario an allocation could fail but free would have been called on the pointer afterwards leading to memory corruption. This vulnerability affects Firefox < 128, Firefox ESR < 115.13, Thunderbird < 115.13, and Thunderbird < 128.
Weakness
The product performs pointer arithmetic on a valid pointer, but it uses an offset that can point outside of the intended range of valid memory locations for the resulting pointer.
Affected Software
| Name | Vendor | Start Version | End Version |
|---|---|---|---|
| Firefox | Mozilla | * | 115.13 (excluding) |
| Firefox | Mozilla | * | 128.0 (excluding) |
| Thunderbird | Mozilla | * | 115.13 (excluding) |
| Thunderbird | Mozilla | 116.0 (including) | 128.0 (excluding) |
| Red Hat Enterprise Linux 7 Extended Lifecycle Support | RedHat | firefox-0:115.13.0-3.el7_9 | * |
| Red Hat Enterprise Linux 8 | RedHat | firefox-0:115.13.0-3.el8_10 | * |
| Red Hat Enterprise Linux 8 | RedHat | thunderbird-0:115.13.0-3.el8_10 | * |
| Red Hat Enterprise Linux 8.2 Advanced Update Support | RedHat | firefox-0:115.13.0-3.el8_2 | * |
| Red Hat Enterprise Linux 8.2 Advanced Update Support | RedHat | thunderbird-0:115.13.0-3.el8_2 | * |
| Red Hat Enterprise Linux 8.4 Advanced Mission Critical Update Support | RedHat | firefox-0:115.13.0-3.el8_4 | * |
| Red Hat Enterprise Linux 8.4 Advanced Mission Critical Update Support | RedHat | thunderbird-0:115.13.0-3.el8_4 | * |
| Red Hat Enterprise Linux 8.4 Telecommunications Update Service | RedHat | firefox-0:115.13.0-3.el8_4 | * |
| Red Hat Enterprise Linux 8.4 Telecommunications Update Service | RedHat | thunderbird-0:115.13.0-3.el8_4 | * |
| Red Hat Enterprise Linux 8.4 Update Services for SAP Solutions | RedHat | firefox-0:115.13.0-3.el8_4 | * |
| Red Hat Enterprise Linux 8.4 Update Services for SAP Solutions | RedHat | thunderbird-0:115.13.0-3.el8_4 | * |
| Red Hat Enterprise Linux 8.6 Advanced Mission Critical Update Support | RedHat | firefox-0:115.13.0-3.el8_6 | * |
| Red Hat Enterprise Linux 8.6 Advanced Mission Critical Update Support | RedHat | thunderbird-0:115.13.0-3.el8_6 | * |
| Red Hat Enterprise Linux 8.6 Telecommunications Update Service | RedHat | firefox-0:115.13.0-3.el8_6 | * |
| Red Hat Enterprise Linux 8.6 Telecommunications Update Service | RedHat | thunderbird-0:115.13.0-3.el8_6 | * |
| Red Hat Enterprise Linux 8.6 Update Services for SAP Solutions | RedHat | firefox-0:115.13.0-3.el8_6 | * |
| Red Hat Enterprise Linux 8.6 Update Services for SAP Solutions | RedHat | thunderbird-0:115.13.0-3.el8_6 | * |
| Red Hat Enterprise Linux 8.8 Extended Update Support | RedHat | firefox-0:115.13.0-3.el8_8 | * |
| Red Hat Enterprise Linux 8.8 Extended Update Support | RedHat | thunderbird-0:115.13.0-3.el8_8 | * |
| Red Hat Enterprise Linux 9 | RedHat | firefox-0:115.13.0-3.el9_4 | * |
| Red Hat Enterprise Linux 9 | RedHat | thunderbird-0:115.13.0-3.el9_4 | * |
| Red Hat Enterprise Linux 9.0 Update Services for SAP Solutions | RedHat | firefox-0:115.13.0-3.el9_0 | * |
| Red Hat Enterprise Linux 9.0 Update Services for SAP Solutions | RedHat | thunderbird-0:115.13.0-3.el9_0 | * |
| Red Hat Enterprise Linux 9.2 Extended Update Support | RedHat | thunderbird-0:115.13.0-3.el9_2 | * |
| Red Hat Enterprise Linux 9.2 Extended Update Support | RedHat | firefox-0:115.13.0-3.el9_2 | * |
| Firefox | Ubuntu | focal | * |
| Mozjs102 | Ubuntu | devel | * |
| Mozjs102 | Ubuntu | esm-apps/noble | * |
| Mozjs102 | Ubuntu | jammy | * |
| Mozjs102 | Ubuntu | mantic | * |
| Mozjs102 | Ubuntu | noble | * |
| Mozjs102 | Ubuntu | upstream | * |
| Mozjs38 | Ubuntu | esm-apps/bionic | * |
| Mozjs38 | Ubuntu | upstream | * |
| Mozjs52 | Ubuntu | esm-apps/focal | * |
| Mozjs52 | Ubuntu | esm-infra/bionic | * |
| Mozjs52 | Ubuntu | focal | * |
| Mozjs52 | Ubuntu | upstream | * |
| Mozjs68 | Ubuntu | esm-infra/focal | * |
| Mozjs68 | Ubuntu | focal | * |
| Mozjs68 | Ubuntu | upstream | * |
| Mozjs78 | Ubuntu | esm-apps/jammy | * |
| Mozjs78 | Ubuntu | jammy | * |
| Mozjs78 | Ubuntu | upstream | * |
| Mozjs91 | Ubuntu | jammy | * |
| Mozjs91 | Ubuntu | upstream | * |
| Thunderbird | Ubuntu | focal | * |
| Thunderbird | Ubuntu | jammy | * |
| Thunderbird | Ubuntu | mantic | * |
Extended Description
While a pointer can contain a reference to any arbitrary memory location, a program typically only intends to use the pointer to access limited portions of memory, such as contiguous memory used to access an individual array. Programs may use offsets in order to access fields or sub-elements stored within structured data. The offset might be out-of-range if it comes from an untrusted source, is the result of an incorrect calculation, or occurs because of another error. If an attacker can control or influence the offset so that it points outside of the intended boundaries of the structure, then the attacker may be able to read or write to memory locations that are used elsewhere in the product. As a result, the attack might change the state of the product as accessed through program variables, cause a crash or instable behavior, and possibly lead to code execution.
Related Attack Patterns
References
- https://bugzilla.mozilla.org/show_bug.cgi?id=1895081
- https://www.mozilla.org/security/advisories/mfsa2024-29/
- https://www.mozilla.org/security/advisories/mfsa2024-30/
- https://www.mozilla.org/security/advisories/mfsa2024-31/
- https://www.mozilla.org/security/advisories/mfsa2024-32/
- https://bugzilla.mozilla.org/show_bug.cgi?id=1895081
- https://www.mozilla.org/security/advisories/mfsa2024-29/
- https://www.mozilla.org/security/advisories/mfsa2024-30/
- https://www.mozilla.org/security/advisories/mfsa2024-31/
- https://www.mozilla.org/security/advisories/mfsa2024-32/