Mozilla Foundation Security Advisory 2021-44

Security Vulnerabilities fixed in Firefox ESR 78.15

Announced

October 5, 2021

Impact

high

Products

Firefox ESR

Fixed in

Firefox ESR 78.15

#CVE-2021-38496: Use-after-free in MessageTask

Reporter: Yangkang of 360 ATA Team
Impact: high

Description

During operations on MessageTasks, a task may have been removed while it was still scheduled, resulting in memory corruption and a potentially exploitable crash.

References

Bug 1725335

#CVE-2021-38500: Memory safety bugs fixed in Firefox 93, Firefox ESR 78.15, and Firefox ESR 91.2

Reporter: Mozilla developers
Impact: high

Description

Mozilla developers and community members Andreas Pehrson and Christian Holler reported memory safety bugs present in Firefox 92 and Firefox ESR 91.1. Some of these bugs showed evidence of memory corruption and we presume that with enough effort some of these could have been exploited to run arbitrary code.

References

Memory safety bugs fixed in Firefox 93, Firefox ESR 78.15, and Firefox ESR 91.2

Firefox for Desktop

Firefox for Android

Firefox for iOS

Firefox Focus

Firefox Blog

Release Notes

Mozilla Monitor

Facebook Container

Pocket

Mozilla VPN

Firefox Relay

MDN Plus

Fakespot

Mozilla Manifesto

Mozilla Foundation

Leadership

Get involved

Careers

Mozilla Blog

Impact

Firefox Developer Edition

MDN Web Docs

Mozilla Innovation Projects

Common Voice

Mozilla Foundation Security Advisory 2021-44

Security Vulnerabilities fixed in Firefox ESR 78.15

#CVE-2021-38496: Use-after-free in MessageTask

Description

References

#CVE-2021-38500: Memory safety bugs fixed in Firefox 93, Firefox ESR 78.15, and Firefox ESR 91.2

Description

References