
Coffeys
Rank #26911 of 53,624 · Total CVSS 9.4 · Vulnerabilities: 1
PT-2024-9960
9.4
2024-11-25
Mozilla · Firefox · CVE-2024-11705
Name of the Vulnerable Software and Affected Versions:
Mozilla Firefox versions prior to 133
Mozilla Thunderbird versions prior to 133

Description:
The issue is in the `NSC_DeriveKey` function used by Mozilla Firefox and Thunderbird, which incorrectly assumes that the `phKey` parameter is always non-NULL. When `phKey` is passed as NULL, the function dereferences it and triggers a segmentation fault, crashing the process. This behavior conflicts with the PKCS#11 v3.0 specification, which allows `phKey` to be NULL for certain mechanisms.

Recommendations:
For Mozilla Firefox versions prior to 133, update to version 133 or later to resolve the issue.
For Mozilla Thunderbird versions prior to 133, update to version 133 or later to resolve the issue.
As a temporary workaround, consider restricting the use of the `NSC_DeriveKey` function until a patch is available.
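The defect class described above (an output-handle pointer that the spec permits to be NULL, dereferenced unconditionally) is small enough to show in full. The following is an added illustration, not code from NSS, Firefox or Thunderbird: a simplified, hypothetical derive-key routine using minimal stand-ins for the PKCS#11 types, with the unchecked pattern beside a version that validates `phKey` before writing through it. The mechanism flag `mech_returns_handle`, the handle counter and the helper names are assumptions made for the example.

```c
#include <stddef.h>
#include <stdio.h>

/* Minimal stand-ins for the PKCS#11 types and return codes involved.
 * The numeric values match the PKCS#11 specification; everything else
 * here is a simplified, hypothetical model, not NSS code. */
typedef unsigned long CK_RV;
typedef unsigned long CK_OBJECT_HANDLE;
typedef CK_OBJECT_HANDLE *CK_OBJECT_HANDLE_PTR;
#define CKR_OK            0x00UL
#define CKR_ARGUMENTS_BAD 0x07UL

/* Hypothetical token state: a counter that hands out fresh object handles. */
static CK_OBJECT_HANDLE next_handle = 1;

static CK_OBJECT_HANDLE create_derived_object(void)
{
    return next_handle++;
}

/* Vulnerable pattern: the derived object's handle is stored through phKey
 * without checking the pointer. A caller that legitimately passes NULL
 * (as PKCS#11 v3.0 allows for some mechanisms) crashes the process here. */
CK_RV derive_key_unchecked(CK_OBJECT_HANDLE_PTR phKey)
{
    CK_OBJECT_HANDLE h = create_derived_object();
    *phKey = h;               /* NULL dereference when phKey == NULL */
    return CKR_OK;
}

/* Hardened pattern: decide from the mechanism whether a handle must be
 * returned. If it must, a NULL phKey is a caller error (CKR_ARGUMENTS_BAD);
 * if it need not, NULL is legal and the function simply does not write. */
CK_RV derive_key_checked(int mech_returns_handle, CK_OBJECT_HANDLE_PTR phKey)
{
    if (mech_returns_handle && phKey == NULL)
        return CKR_ARGUMENTS_BAD;

    CK_OBJECT_HANDLE h = create_derived_object();
    if (phKey != NULL)
        *phKey = h;           /* only write when the caller asked for it */
    return CKR_OK;
}

/* Small result helpers so the behaviour can be checked by return value. */
int checked_with_handle_ok(void)
{
    CK_OBJECT_HANDLE h = 0;
    return derive_key_checked(1, &h) == CKR_OK && h != 0;
}

int checked_null_for_no_handle_mech_ok(void)
{
    return derive_key_checked(0, NULL) == CKR_OK;
}

int checked_null_for_handle_mech_rejected(void)
{
    return derive_key_checked(1, NULL) == CKR_ARGUMENTS_BAD;
}

int unchecked_with_handle_ok(void)
{
    CK_OBJECT_HANDLE h = 0;
    return derive_key_unchecked(&h) == CKR_OK && h != 0;
}

int main(void)
{
    /* The unchecked version is only ever called with a valid pointer here;
     * calling derive_key_unchecked(NULL) would reproduce the crash. */
    printf("unchecked, valid pointer: %s\n", unchecked_with_handle_ok() ? "ok" : "FAIL");
    printf("checked, valid pointer:   %s\n", checked_with_handle_ok() ? "ok" : "FAIL");
    printf("checked, NULL, no handle: %s\n", checked_null_for_no_handle_mech_ok() ? "ok" : "FAIL");
    printf("checked, NULL, handle:    %s\n", checked_null_for_handle_mech_rejected() ? "rejected" : "FAIL");
    return 0;
}
```

The fix is not merely "add a NULL check": the routine has to know, per mechanism, whether a handle is expected, so that NULL is accepted where the specification allows it and rejected with a defined error code where it does not. That distinction is what the single unconditional store in the vulnerable version loses.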