Mozilla Patches High-Severity Vulnerabilities in Firefox, Thunderbird

Mozilla this week released security updates for the Firefox browser and Thunderbird mail client to address multiple vulnerabilities, including several bugs rated high severity.

Firefox 95 started rolling out to users earlier this week with the new RLBox isolation technology inside, which sandboxes selected third-party libraries so that a memory-safety bug in one of them cannot be turned directly into control of the browser process.

The browser refresh also includes patches for 13 vulnerabilities, including six that have a severity rating of high. Some of these patches were also included in Firefox ESR 91.4 and Thunderbird 91.4.0.

If successfully exploited, the most severe of these vulnerabilities could allow an attacker to execute arbitrary code within the context of the vulnerable application, which, chained with further bugs or weak local privileges, could lead to full system compromise.

The first of these high-severity vulnerabilities could result in the target URL being exposed during navigation when asynchronous functions are executed (CVE-2021-43536). Another one is a heap buffer overflow caused by the “incorrect type conversion of sizes from 64bit to 32bit integers” (CVE-2021-43537).
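The 64-bit to 32-bit size conversion behind CVE-2021-43537 is a well-known bug class: a length arrives as a 64-bit value, is silently narrowed to 32 bits when the buffer is allocated, and the original, larger length is then used for the copy. The following C program is an added illustration of that pattern and its fix; it is hypothetical example code written for this page, not Mozilla's code, and the structure, function names and the 4 GiB + 16 sample length are assumptions chosen to make the truncation visible.

```c
#include <stdbool.h>
#include <stdint.h>
#include <stdlib.h>
#include <string.h>
#include <stdio.h>

/* Hypothetical illustration of the bug class, not Firefox code.
 * A parser receives a 64-bit byte count from untrusted input but stores
 * buffer lengths in 32-bit fields. */

/* Vulnerable narrowing: the cast silently drops the high 32 bits, so a
 * request of 0x100000010 (4 GiB + 16) allocates only 16 bytes. */
uint32_t vuln_alloc_size(uint64_t requested) {
    uint32_t len = (uint32_t)requested;   /* truncation, no check */
    return len;
}

/* True when the vulnerable path allocates fewer bytes than were requested;
 * a later copy of the full `requested` length would then overrun the heap
 * block. */
bool vuln_under_allocates(uint64_t requested) {
    return (uint64_t)vuln_alloc_size(requested) != requested;
}

/* Hardened check: a count is acceptable only if it round-trips through the
 * narrower type without losing bits. */
bool fits_u32(uint64_t requested) {
    return requested <= UINT32_MAX;
}

/* Copies n bytes into a new buffer whose length is tracked in 32 bits.
 * Returns NULL instead of truncating when n cannot be represented. */
uint8_t *copy_into_u32_buffer(const uint8_t *src, uint64_t n) {
    if (!fits_u32(n)) return NULL;
    uint32_t len = (uint32_t)n;          /* safe: checked above */
    uint8_t *dst = malloc(len ? len : 1);
    if (dst == NULL) return NULL;
    memcpy(dst, src, len);               /* len == n, so dst cannot overflow */
    return dst;
}

/* Self-check used by main: a small copy succeeds, and a 4 GiB request is
 * refused rather than being truncated into an undersized allocation. */
bool selftest(void) {
    const uint8_t sample[8] = {1, 2, 3, 4, 5, 6, 7, 8};   /* constructed input */
    uint8_t *copy = copy_into_u32_buffer(sample, sizeof sample);
    bool ok = copy != NULL && memcmp(copy, sample, sizeof sample) == 0;
    free(copy);
    const uint64_t evil = (1ULL << 32) + 16;   /* assumed attacker length */
    ok = ok && copy_into_u32_buffer(sample, evil) == NULL;
    ok = ok && vuln_under_allocates(evil) && !vuln_under_allocates(16);
    return ok;
}

int main(void) {
    const uint64_t evil = (1ULL << 32) + 16;
    printf("requested %llu bytes, vulnerable path allocates %u\n",
           (unsigned long long)evil, vuln_alloc_size(evil));
    printf("hardened path accepts request: %s\n", fits_u32(evil) ? "yes" : "no");
    printf("selftest: %s\n", selftest() ? "pass" : "fail");
    return selftest() ? 0 : 1;
}
```

The point of `fits_u32` is that the check happens before the cast and the same checked value is used for both the allocation and the copy; the vulnerable path never compares the narrowed length with the original, which is exactly what lets the copy exceed the heap block.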

Mozilla also patched a potential spoofing attack where the full screen and pointer lock notification would be missing when requesting both (CVE-2021-43538), and a use-after-free caused by the GC not tracing live pointers (CVE-2021-43539).

Mozilla shipped patches for these four high-severity vulnerabilities to Firefox, Firefox ESR and Thunderbird users. Additionally, it addressed a high-severity use-after-free flaw in Firefox for macOS.

The browser maker also released patches for high-severity memory safety bugs present in earlier versions of its applications, along with fixes for several medium- and low-severity vulnerabilities.

Looking to raise awareness of these vulnerabilities, the U.S. Cybersecurity and Infrastructure Security Agency (CISA) on Wednesday issued an advisory to encourage organizations to apply the available patches as soon as possible.

“Mozilla has released security updates to address vulnerabilities in Firefox, Firefox ESR, and Thunderbird. An attacker could exploit some of these vulnerabilities to take control of an affected system,” CISA notes.

Related: Firefox 95 Rolls Out With New ‘RLBox’ Isolation Feature

Related: Google Patches Serious Use-After-Free Vulnerabilities in Chrome

Related: Mozilla Rolling Out ‘Site Isolation’ With Release of Firefox 94

Written By

Ionut Arghire is an international correspondent for SecurityWeek.
