Connect with us

Hi, what are you looking for?



Mozilla Patches Firefox Vulnerability Allowing Remote Code Execution, Sandbox Escape

Firefox and Thunderbird security updates released this week address multiple memory safety bugs in both products.

Mozilla on Tuesday announced security updates for both Firefox and Thunderbird, to address 20 vulnerabilities, including several memory safety issues.

Firefox 121 was released with patches for 18 vulnerabilities, five of which have a ‘high’ severity rating.

At the top of the list is CVE-2023-6856, a heap buffer overflow bug in WebGL, the JavaScript API for rendering interactive graphics within the browser.

“The WebGL DrawElementsInstanced method was susceptible to a heap buffer overflow when used on systems with the Mesa VM driver. This issue could allow an attacker to perform remote code execution and sandbox escape,” Mozilla explains in its advisory.

Next in line is CVE-2023-6135, an issue rendering Network Security Services (NSS) NIST curves vulnerable to the Minerva side-channel attack, which could allow adversaries to recover the long-term private key.

Mozilla also resolved CVE-2023-6865, a bug potentially exposing uninitialized data in EncryptingOutputStream, which could be exploited to write data to a local disk, potentially impacting the private browsing mode.

The latest Firefox iteration also addresses multiple memory safety issues that are collectively tracked as CVE-2023-6873 and CVE-2023-6864. The latter also impacts Firefox ESR and Thunderbird.

Firefox 121 also resolves eight medium-severity flaws, including heap buffer overflow, use-after-free, and sandbox escape issues. The remaining five bugs are rated ‘low’ severity.

Advertisement. Scroll to continue reading.

On Tuesday, Mozilla announced the release of Thunderbird 115.6 with patches for 11 vulnerabilities, nine of which were addressed in Firefox as well.

The remaining two, both high-severity flaws, could allow attackers to spoof email messages (CVE-2023-50762), or spoof the time at which a message was sent (CVE-2023-50761).

Firefox ESR 115.6 was also released on Tuesday, with patches for 11 of the security defects that Firefox 121 resolves.

Mozilla makes no mention of any of these vulnerabilities being exploited in attacks. Additional information can be found on Mozilla’s security advisories page.

Related: Firefox, Chrome Updates Patch High-Severity Vulnerabilities

Related: Firefox 118 Patches High-Severity Vulnerabilities

Related: High-Severity Memory Corruption Vulnerabilities Patched in Firefox, Chrome

Written By

Ionut Arghire is an international correspondent for SecurityWeek.


Daily Briefing Newsletter

Subscribe to the SecurityWeek Email Briefing to stay informed on the latest threats, trends, and technology, along with insightful columns from industry experts.

Gain valuable insights from industry professionals who will help guide you through the intricacies of industrial cybersecurity.


Join us for an in depth exploration of the critical nature of software and vendor supply chain security issues with a focus on understanding how attacks against identity infrastructure come with major cascading effects.


Expert Insights

Related Content


Less than a week after announcing that it would suspended service indefinitely due to a conflict with an (at the time) unnamed security researcher...

Data Breaches

OpenAI has confirmed a ChatGPT data breach on the same day a security firm reported seeing the use of a component affected by an...

IoT Security

A group of seven security researchers have discovered numerous vulnerabilities in vehicles from 16 car makers, including bugs that allowed them to control car...


A researcher at IOActive discovered that home security systems from SimpliSafe are plagued by a vulnerability that allows tech savvy burglars to remotely disable...

Risk Management

The supply chain threat is directly linked to attack surface management, but the supply chain must be known and understood before it can be...


Patch Tuesday: Microsoft calls attention to a series of zero-day remote code execution attacks hitting its Office productivity suite.


Patch Tuesday: Microsoft warns vulnerability (CVE-2023-23397) could lead to exploitation before an email is viewed in the Preview Pane.


The latest Chrome update brings patches for eight vulnerabilities, including seven reported by external researchers.