CVE-2021-29986
Mozilla: Race condition when resolving DNS names could have led to memory corruption
Severity Score
8.1
*CVSS v3.1
Exploit Likelihood
*EPSS
Affected Versions
*CPE
Public Exploits
1
*Multiple Sources
Exploited in Wild
-
*KEV
Decision
-
*SSVC
Descriptions
A suspected race condition when calling getaddrinfo led to memory corruption and a potentially exploitable crash. *Note: This issue only affected Linux operating systems. Other operating systems are unaffected.* This vulnerability affects Thunderbird < 78.13, Thunderbird < 91, Firefox ESR < 78.13, and Firefox < 91.
Una supuesta condición de carrera cuando se llama a getaddrinfo que conllevaba a una corrupción de la memoria y un bloqueo potencialmente explotable. *Nota: Este problema sólo afectaba a los sistemas operativos Linux. Esta vulnerabilidad afecta a Thunderbird versiones anteriores a 78.13, Thunderbird versiones anteriores a 91, Firefox ESR versiones anteriores a 78.13 y Firefox versiones anteriores a 91.
*Credits:
N/A
CVSS Scores
Attack Vector
Attack Complexity
Privileges Required
User Interaction
Scope
Confidentiality
Integrity
Availability
Attack Vector
Attack Complexity
Privileges Required
User Interaction
Scope
Confidentiality
Integrity
Availability
Attack Vector
Attack Complexity
Authentication
Confidentiality
Integrity
Availability
* Common Vulnerability Scoring System
SSVC
- Decision:-
Exploitation
Automatable
Tech. Impact
* Organization's Worst-case Scenario
Timeline
- 2021-04-01 CVE Reserved
- 2021-08-16 CVE Published
- 2024-05-02 EPSS Updated
- 2024-08-03 CVE Updated
- 2024-08-03 First Exploit
- ---------- Exploited in Wild
- ---------- KEV Due Date
CWE
- CWE-362: Concurrent Execution using Shared Resource with Improper Synchronization ('Race Condition')
- CWE-367: Time-of-check Time-of-use (TOCTOU) Race Condition
CAPEC
References (9)
| URL | Tag | Source |
|---|
| URL | Date | SRC |
|---|---|---|
| https://bugzilla.mozilla.org/show_bug.cgi?id=1696138 | 2024-08-03 |
| URL | Date | SRC |
|---|
| URL | Date | SRC |
|---|---|---|
| https://security.gentoo.org/glsa/202202-03 | 2022-12-09 | |
| https://security.gentoo.org/glsa/202208-14 | 2022-12-09 | |
| https://www.mozilla.org/security/advisories/mfsa2021-33 | 2022-12-09 | |
| https://www.mozilla.org/security/advisories/mfsa2021-34 | 2022-12-09 | |
| https://www.mozilla.org/security/advisories/mfsa2021-35 | 2022-12-09 | |
| https://www.mozilla.org/security/advisories/mfsa2021-36 | 2022-12-09 | |
| https://access.redhat.com/security/cve/CVE-2021-29986 | 2021-08-16 | |
| https://bugzilla.redhat.com/show_bug.cgi?id=1992417 | 2021-08-16 |
Affected Vendors, Products, and Versions
| Vendor | Product | Version | Other | Status | ||||||
|---|---|---|---|---|---|---|---|---|---|---|
| Vendor | Product | Version | Other | Status | <-- --> | Vendor | Product | Version | Other | Status |
| Mozilla Search vendor "Mozilla" | Firefox Search vendor "Mozilla" for product "Firefox" | < 91.0 Search vendor "Mozilla" for product "Firefox" and version " < 91.0" | - |
Affected
| in | Linux Search vendor "Linux" | Linux Kernel Search vendor "Linux" for product "Linux Kernel" | - | - |
Safe
|
| Mozilla Search vendor "Mozilla" | Firefox Esr Search vendor "Mozilla" for product "Firefox Esr" | < 78.13.0 Search vendor "Mozilla" for product "Firefox Esr" and version " < 78.13.0" | - |
Affected
| in | Linux Search vendor "Linux" | Linux Kernel Search vendor "Linux" for product "Linux Kernel" | - | - |
Safe
|
| Mozilla Search vendor "Mozilla" | Thunderbird Search vendor "Mozilla" for product "Thunderbird" | < 78.13.0 Search vendor "Mozilla" for product "Thunderbird" and version " < 78.13.0" | - |
Affected
| in | Linux Search vendor "Linux" | Linux Kernel Search vendor "Linux" for product "Linux Kernel" | - | - |
Safe
|