Nils Bars

**Name of the Vulnerable Software and Affected Versions** Firefox versions prior to 136 Firefox ESR versions prior to 128.8 **Description** A RegExp bailout processing issue allowed additional JavaScript execution, potentially triggering unexpected garbage collection. **Recommendations** For Firefox versions prior to 136, update to version 136 or later. For Firefox ESR versions prior to 128.8, update to version 128.8 or later.

**Name of the Vulnerable Software and Affected Versions** Firefox versions prior to 135 Firefox ESR versions prior to 115.20 Firefox ESR versions prior to 128.7 Thunderbird versions prior to 128.7 Thunderbird versions prior to 135 **Description** A race during concurrent delazification could have led to a use-after-free. This issue affects several versions of Firefox and Thunderbird. **Recommendations** For Firefox versions prior to 135, update to version 135 or later. For Firefox ESR versions prior to 115.20, update to version 115.20 or later. For Firefox ESR versions prior to 128.7, update to version 128.7 or later. For Thunderbird versions prior to 128.7, update to version 128.7 or later. For Thunderbird versions prior to 135, update to version 135 or later.

**Name of the Vulnerable Software and Affected Versions** Firefox versions prior to 134 Firefox ESR versions prior to 128.6 Thunderbird versions prior to 134 Thunderbird versions prior to 128.6 **Description** The issue arises when segmenting specially crafted text, leading to memory corruption and a potentially exploitable crash. **Recommendations** For Firefox versions prior to 134, update to version 134 or later. For Firefox ESR versions prior to 128.6, update to version 128.6 or later. For Thunderbird versions prior to 134, update to version 134 or later. For Thunderbird versions prior to 128.6, update to version 128.6 or later.

**Name of the Vulnerable Software and Affected Versions** Firefox versions prior to 134 Firefox ESR versions prior to 128.6 Thunderbird versions prior to 134 Thunderbird versions prior to 128.6 **Description** Parsing a JavaScript module as JSON could, under some circumstances, cause cross-compartment access, which may result in a use-after-free. **Recommendations** For Firefox versions prior to 134, update to version 134 or later. For Firefox ESR versions prior to 128.6, update to version 128.6 or later. For Thunderbird versions prior to 134, update to version 134 or later. For Thunderbird versions prior to 128.6, update to version 128.6 or later.

**Name of the Vulnerable Software and Affected Versions** Firefox versions prior to 131 Firefox ESR versions prior to 128.3 Thunderbird versions prior to 128.3 Thunderbird versions prior to 131 **Description** The issue is related to a buffer overflow in memory when cloning certain objects, potentially leading to memory corruption. This could allow a remote attacker to impact the confidentiality, integrity, and availability of protected information. It is currently unknown if this issue is exploitable. **Recommendations** For Firefox versions prior to 131, update to version 131 or later. For Firefox ESR versions prior to 128.3, update to version 128.3 or later. For Thunderbird versions prior to 128.3, update to version 128.3 or later. For Thunderbird versions prior to 131, update to version 131 or later.

**Name of the Vulnerable Software and Affected Versions** Firefox versions prior to 130 Firefox ESR versions prior to 128.2 Firefox ESR versions prior to 115.15 Thunderbird versions prior to 128.2 Thunderbird versions prior to 115.15 **Description** A potentially exploitable type confusion could be triggered when looking up a property name on an object being used as the `with` environment. This issue may allow a remote attacker to execute arbitrary code. **Recommendations** Firefox versions prior to 130: Update to version 130 or later to resolve the issue. Firefox ESR versions prior to 128.2: Update to version 128.2 or later to resolve the issue. Firefox ESR versions prior to 115.15: Update to version 115.15 or later to resolve the issue. Thunderbird versions prior to 128.2: Update to version 128.2 or later to resolve the issue. Thunderbird versions prior to 115.15: Update to version 115.15 or later to resolve the issue.

**Name of the Vulnerable Software and Affected Versions** NGINX Open Source and NGINX Plus versions prior to 1.26.2 NGINX Open Source and NGINX Plus versions prior to 1.27.1 **Description** The issue is related to a buffer overread vulnerability in the ngx http mp4 module, which might allow an attacker to over-read NGINX worker memory resulting in its termination, using a specially crafted mp4 file. The issue only affects NGINX if it is built with the ngx http mp4 module and the mp4 directive is used in the configuration file. Additionally, the attack is possible only if an attacker can trigger the processing of a specially crafted mp4 file with the ngx http mp4 module. **Recommendations** For NGINX Open Source and NGINX Plus versions prior to 1.26.2, update to version 1.26.2 or later. For NGINX Open Source and NGINX Plus versions prior to 1.27.1, update to version 1.27.1 or later. As a temporary workaround, consider disabling the ngx http mp4 module until a patch is available. Restrict access to the mp4 directive in the configuration file to minimize the risk of exploitation. Avoid using specially crafted mp4 files that can trigger the processing of the ngx http mp4 module until the issue is resolved.

**Name of the Vulnerable Software and Affected Versions** Firefox versions prior to 129 Firefox ESR versions prior to 115.14 Firefox ESR versions prior to 128.1 Thunderbird versions prior to 128.1 Thunderbird versions prior to 115.14 **Description** The issue is related to incomplete WebAssembly exception handling, which could lead to a use-after-free. This allows an attacker to potentially execute arbitrary code. No information is provided about the estimated number of potentially affected devices or real-world incidents where this issue was exploited. **Recommendations** For Firefox versions prior to 129, update to version 129 or later. For Firefox ESR versions prior to 115.14, update to version 115.14 or later. For Firefox ESR versions prior to 128.1, update to version 128.1 or later. For Thunderbird versions prior to 128.1, update to version 128.1 or later. For Thunderbird versions prior to 115.14, update to version 115.14 or later.

**Name of the Vulnerable Software and Affected Versions** Mozilla Firefox versions prior to 128 Mozilla Firefox ESR versions prior to 115.13 Mozilla Thunderbird versions prior to 115.13 Mozilla Thunderbird versions prior to 128 **Description** The issue is related to a type confusion in Async Generators, potentially leading to memory corruption and an exploitable crash. This could allow a remote attacker to cause a denial of service. The problem is associated with an error in the ECMA-262 specification. **Recommendations** For Mozilla Firefox versions prior to 128, upgrade to version 128 or later. For Mozilla Firefox ESR versions prior to 115.13, upgrade to version 115.13 or later. For Mozilla Thunderbird versions prior to 115.13, upgrade to version 115.13 or later. For Mozilla Thunderbird versions prior to 128, upgrade to version 128 or later. As a temporary workaround, consider using `std::panic::catch unwind` to ensure any exceptions caused by the engine do not impact the availability of the main application.

**Name of the Vulnerable Software and Affected Versions** Firefox versions prior to 128 Thunderbird versions prior to 128 **Description** The frame iterator could get stuck in a loop when encountering certain wasm frames, leading to incorrect stack traces. **Recommendations** For Firefox versions prior to 128, update to version 128 or later to resolve the issue. For Thunderbird versions prior to 128, update to version 128 or later to resolve the issue.

**Name of the Vulnerable Software and Affected Versions** Firefox versions prior to 128 Thunderbird versions prior to 128 **Description** The issue is related to the frame iterator component, which could get stuck in a loop when encountering certain wasm frames, leading to incorrect stack traces. This could allow a remote attacker to impact data integrity. **Recommendations** For Firefox versions prior to 128, update to version 128 or later to resolve the issue. For Thunderbird versions prior to 128, update to version 128 or later to resolve the issue.

**Name of the Vulnerable Software and Affected Versions** NGINX Plus (affected versions not specified) NGINX OSS (affected versions not specified) **Description** The issue is related to the use of memory after it has been freed in the HTTP/3 QUIC module (ngx http v3 module) of NGINX Plus and NGINX OSS. This can be exploited by a remote attacker using specially crafted HTTP/3 requests, potentially allowing unauthorized access to protected information. The vulnerability is particularly relevant when the network infrastructure supports a Maximum Transmission Unit (MTU) of 4096 or greater without fragmentation, as undisclosed QUIC packets can cause NGINX worker processes to leak previously freed memory. **Recommendations** For NGINX Plus, consider disabling the HTTP/3 QUIC module until a patch is available. For NGINX OSS, consider disabling the HTTP/3 QUIC module until a patch is available. As a temporary workaround, restrict the Maximum Transmission Unit (MTU) to less than 4096 to minimize the risk of exploitation.

**Name of the Vulnerable Software and Affected Versions** NGINX Plus (affected versions not specified) NGINX OSS (affected versions not specified) **Description** The issue is related to the HTTP/3 QUIC module in NGINX Plus and NGINX OSS. It involves undisclosed HTTP/3 encoder instructions that can cause NGINX worker processes to terminate or have other potential impacts. The vulnerability is also described as a buffer overflow in memory, which can be exploited by a remote attacker using specially crafted HTTP/3 requests to cause a denial of service. **Recommendations** For NGINX Plus, consider disabling the HTTP/3 QUIC module until a patch is available. For NGINX OSS, consider disabling the HTTP/3 QUIC module until a patch is available. As a temporary workaround, restrict access to the `ngx http v3 module` to minimize the risk of exploitation. At the moment, there is no information about a newer version that contains a fix for this vulnerability.

**Name of the Vulnerable Software and Affected Versions** NGINX Plus (affected versions not specified) NGINX OSS (affected versions not specified) **Description** The issue is related to a null pointer dereference in the HTTP/3 QUIC module (ngx http v3 module) of NGINX Plus and NGINX OSS. This can be exploited by a remote attacker using specially crafted HTTP/3 requests, potentially leading to a denial of service. When NGINX Plus or NGINX OSS are configured to use the HTTP/3 QUIC module, undisclosed HTTP/3 requests can cause NGINX worker processes to terminate. **Recommendations** At the moment, there is no information about a newer version that contains a fix for this vulnerability.

**Name of the Vulnerable Software and Affected Versions** NGINX Plus (affected versions not specified) NGINX OSS (affected versions not specified) **Description** The issue is related to a buffer overflow in the stack of the HTTP/3 QUIC module (ngx http v3 module) in NGINX Plus and NGINX OSS. This can be exploited by a remote attacker using specially crafted HTTP/3 requests, potentially causing denial of service or other impact. The attack requires specific timing during the connection draining process, which is difficult for the attacker to control. **Recommendations** For NGINX Plus, consider disabling the HTTP/3 QUIC module until a patch is available. For NGINX OSS, consider disabling the HTTP/3 QUIC module until a patch is available. As a temporary workaround, restrict access to the `ngx http v3 module` to minimize the risk of exploitation.

**Name of the Vulnerable Software and Affected Versions** DCMTK versions prior to 3.6.9 **Description** The issue is related to a segmentation fault in dcmnet, a component of DCMTK, which occurs when an invalid DIMSE message is received. **Recommendations** For versions prior to 3.6.9, update to version 3.6.9 or later to resolve the issue.

**Name of the Vulnerable Software and Affected Versions** DCMTK versions prior to 3.6.9 **Description** The issue is related to a segmentation fault in the dcmdata component of the DCMTK library, which can be triggered by an invalid DIMSE message. This can potentially allow a remote attacker to cause a denial of service. **Recommendations** For versions prior to 3.6.9, update to version 3.6.9 or later to resolve the issue. As a temporary workaround, consider restricting access to the dcmdata component to minimize the risk of exploitation.

**Name of the Vulnerable Software and Affected Versions** Gnuplot version 5.2.5 **Description** An issue in datafile.c allows an attacker to conduct a heap-based buffer overflow with an arbitrary amount of data in `df generate ascii array entry()`. This can be exploited by passing an overlong string as the right bound of the range argument to the `plot()` function. **Recommendations** For Gnuplot version 5.2.5, as a temporary workaround, consider restricting the input to the `plot()` function to prevent overlong strings from being passed as the right bound of the range argument. At the moment, there is no information about a newer version that contains a fix for this vulnerability.

**Name of the Vulnerable Software and Affected Versions** Gnuplot version 5.2.5 **Description** A buffer overflow issue exists due to a missing size check of an argument passed to the `set font` function, specifically in the `cairotrm options` function when the Gnuplot pngcairo terminal is used as a backend. This allows an attacker to conduct a buffer overflow with an arbitrary amount of data. **Recommendations** For Gnuplot version 5.2.5, consider disabling the `cairotrm options` function or restricting the use of the pngcairo terminal as a backend until a patch is available. Avoid using the `set font` function with untrusted input to minimize the risk of exploitation. At the moment, there is no information about a newer version that contains a fix for this vulnerability.

**Name of the Vulnerable Software and Affected Versions** Gnuplot version 5.2.5 **Description** An issue in Gnuplot allows an attacker to conduct a buffer overflow with an arbitrary amount of data in the `PS options` function. This flaw is caused by a missing size check of an argument passed to the `set font` function. The issue occurs when the Gnuplot postscript terminal is used as a backend. **Recommendations** For Gnuplot version 5.2.5, consider disabling the `PS options` function or restricting the use of the postscript terminal as a backend until a patch is available. Avoid using the `set font` function with untrusted input to minimize the risk of exploitation. At the moment, there is no information about a newer version that contains a fix for this vulnerability.