Use-After-Free Vulnerability in Mozilla Network Security Services Affecting Firefox
CVE-2016-1978

7.3HIGH

Key Information:

Vendor

Mozilla
Status
Firefox
Network Security Services
Vendor
CVE Published:
13 March 2016

What is CVE-2016-1978?

A use-after-free vulnerability exists in the ssl3_HandleECDHServerKeyExchange function within Mozilla Network Security Services (NSS), affecting versions prior to 3.21. This flaw can be exploited during a DHE or ECDHE SSL handshake, particularly under conditions of high memory consumption. Attackers can potentially cause a denial of service or achieve other unspecified impacts on applications utilizing affected versions of NSS or Firefox.

References

https://bto.bluecoat.com/security-advisory/sa124
x_refsource_CONFIRM
http://www.oracle.com/technetwork/topics/security/ovmbull...
x_refsource_CONFIRM
http://www.debian.org/security/2016/dsa-3688
vendor-advisoryx_refsource_DEBIAN

CVSS V3.1

Score:
7.3
Severity:
HIGH
Confidentiality:
Low
Integrity:
Low
Availability:
Low
Attack Vector:
Network
Attack Complexity:
Low
Privileges Required:
None
User Interaction:
None
Scope:
Unchanged

Timeline

  • Vulnerability published

  • Vulnerability Reserved

.