PT-2022-4434 · Mozilla+10 · Thunderbird+11

Marian Laza · Published 2022-07-27 · Updated 2024-06-15 · CVE-2022-38476

CVSS v3.1: 8.8 (High)

Vector: AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H

Name of the Vulnerable Software and Affected Versions

Firefox ESR versions prior to 102.2
Thunderbird versions prior to 102.2

Description

A data race could occur in the PK11_ChangePW function, potentially leading to a use-after-free issue. This affects the protection of data when a user changes their master password. The vulnerability may allow a remote attacker to cause a denial of service.

Recommendations

For Firefox ESR versions prior to 102.2, update to version 102.2 or later. For Thunderbird versions prior to 102.2, update to version 102.2 or later. As a temporary workaround, consider disabling the PK11_ChangePW function until a patch is available.

Exploit

Fix

Use After Free

Weakness Enumeration

Related Identifiers

ALSA-2022:6164
ALSA-2022:6165
ALSA-2022:6174
ALSA-2022:6175
ALT-PU-2022-2306
ALT-PU-2022-2496
ALT-PU-2022-2515
ALT-PU-2022-2929
ALT-PU-2022-2930
ALT-PU-2022-2931
ALT-PU-2023-1137
ALT-PU-2023-1138
ALT-PU-2023-1139
ALT-PU-2023-4335
ALT-PU-2023-4336
ALT-PU-2023-4339
BDU:2022-05298
CESA-2022_6164
CESA-2022_6169
CESA-2022_6175
CESA-2022_6179
CVE-2022-38476
OPENSUSE-SU-2022_3281-1
OPENSUSE-SU-2022_3396-1
OPENSUSE-SU-2024:12287-1
RHSA-2022:6164
RHSA-2022:6165
RHSA-2022:6166
RHSA-2022:6167
RHSA-2022:6168
RHSA-2022:6169
RHSA-2022:6174
RHSA-2022:6175
RHSA-2022:6176
RHSA-2022:6177
RHSA-2022:6178
RHSA-2022:6179
RHSA-2022_6164
RHSA-2022_6165
RHSA-2022_6169
RHSA-2022_6174
RHSA-2022_6175
RHSA-2022_6179
RLSA-2022:6164
RLSA-2022:6175
SUSE-SU-2022:3272-1
SUSE-SU-2022:3273-1
SUSE-SU-2022:3281-1
SUSE-SU-2022:3396-1
USN-5663-1

Affected Products

Alt Linux
Almalinux
Astra Linux
Centos
Firefox Esr
Linuxmint
Red Hat
Red Os
Rocky Linux
Suse
Thunderbird
Ubuntu