Connect with us

Hi, what are you looking for?



Firefox 115 Patches High-Severity Use-After-Free Vulnerabilities

Mozilla has released Firefox 115 to the stable channel with patches for two high-severity use-after-free vulnerabilities.

Mozilla on Tuesday announced the release of Firefox 115 to the stable channel with patches for a dozen vulnerabilities, including two high-severity use-after-free bugs.

Tracked as CVE-2023-37201, the first of the high-severity issues is described as a use-after-free flaw in WebRTC certificate generation.

An open source project, WebRTC enables real-time communication in web browsers and mobile applications, via application programming interfaces (APIs).

“An attacker could have triggered a use-after-free condition when creating a WebRTC connection over HTTPS,” Mozilla explains in an advisory.

The second high-severity vulnerability, CVE-2023-37202, is described as a potential use-after-free issue from compartment mismatch in the open source JavaScript and WebAssembly engine SpiderMonkey.

“Cross-compartment wrappers wrapping a scripted proxy could have caused objects from other compartments to be stored in the main compartment resulting in a use-after-free,” Mozilla says.

The browser maker says the latest Firefox update also addresses high-severity memory safety bugs that might have led to the execution of arbitrary code. The flaws are collectively tracked as CVE-2023-37211 and CVE-2023-37212.

Advertisement. Scroll to continue reading.

Firefox 115 also includes patches for eight medium-severity vulnerabilities leading to malicious sites placing trackers without permissions, arbitrary code execution, spoofing attacks, URL spoofing, download of files containing malicious code, use-after-free condition, and to tricking users into submitting sensitive data to malicious sites.

This week, Mozilla also announced that Firefox ESR 102.13 and Thunderbird 102.13 were released with patches for five vulnerabilities, including the high-severity use-after-free and memory safety bugs that were addressed in Firefox 115.

Additional information on the resolved vulnerabilities can be found on Mozilla’s security advisories page.

Related: Mozilla Patches High-Severity Vulnerabilities With Release of Firefox 111

Related: Firefox Updates Patch 10 High-Severity Vulnerabilities

Related: Firefox 107 Patches High-Impact Vulnerabilities

Written By

Ionut Arghire is an international correspondent for SecurityWeek.

Click to comment

Daily Briefing Newsletter

Subscribe to the SecurityWeek Email Briefing to stay informed on the latest threats, trends, and technology, along with insightful columns from industry experts.

Join security experts as they discuss ZTNA’s untapped potential to both reduce cyber risk and empower the business.


Join Microsoft and Finite State for a webinar that will introduce a new strategy for securing the software supply chain.


Expert Insights

Related Content


Less than a week after announcing that it would suspended service indefinitely due to a conflict with an (at the time) unnamed security researcher...

Data Breaches

OpenAI has confirmed a ChatGPT data breach on the same day a security firm reported seeing the use of a component affected by an...

Risk Management

The supply chain threat is directly linked to attack surface management, but the supply chain must be known and understood before it can be...

IoT Security

A group of seven security researchers have discovered numerous vulnerabilities in vehicles from 16 car makers, including bugs that allowed them to control car...


Patch Tuesday: Microsoft warns vulnerability (CVE-2023-23397) could lead to exploitation before an email is viewed in the Preview Pane.


A researcher at IOActive discovered that home security systems from SimpliSafe are plagued by a vulnerability that allows tech savvy burglars to remotely disable...


The latest Chrome update brings patches for eight vulnerabilities, including seven reported by external researchers.


Patch Tuesday: Microsoft calls attention to a series of zero-day remote code execution attacks hitting its Office productivity suite.