CVE-2014-1525: Use After Free
First published: Wed Apr 30 2014(Updated: )
The mozilla::dom::TextTrack::AddCue function in Mozilla Firefox before 29.0 and SeaMonkey before 2.26 does not properly perform garbage collection for Text Track Manager variables, which allows remote attackers to execute arbitrary code or cause a denial of service (use-after-free and heap memory corruption) via a crafted VIDEO element in an HTML document.
Credit: security@mozilla.org
| Affected Software | Affected Version | How to fix |
|---|---|---|
| Mozilla Firefox | <29.0 | |
| Mozilla SeaMonkey | <2.26 | |
| Ubuntu Linux | =12.04 | |
| Ubuntu Linux | =12.10 | |
| Ubuntu Linux | =13.10 | |
| Ubuntu Linux | =14.04 | |
| openSUSE | =12.3 | |
| openSUSE | =13.1 | |
| Fedoraproject Fedora | =19 |
Never miss a vulnerability like this again
Sign up to SecAlerts for real-time vulnerability data matched to your software, aggregated from hundreds of sources.
Reference Links
- http://lists.fedoraproject.org/pipermail/package-announce/2014-May/132437.html
- http://lists.opensuse.org/opensuse-updates/2014-05/msg00010.html
- http://lists.opensuse.org/opensuse-updates/2014-05/msg00033.html
- http://secunia.com/advisories/59866
- http://www.mozilla.org/security/announce/2014/mfsa2014-39.html
- http://www.oracle.com/technetwork/topics/security/bulletinapr2016-2952098.html
- http://www.securitytracker.com/id/1030163
- http://www.securitytracker.com/id/1030164
- http://www.ubuntu.com/usn/USN-2185-1
- https://bugzilla.mozilla.org/show_bug.cgi?id=989210
- https://security.gentoo.org/glsa/201504-01
Frequently Asked Questions
What is the severity of CVE-2014-1525?
CVE-2014-1525 has a high severity rating, allowing remote attackers to execute arbitrary code or cause a denial of service.
How do I fix CVE-2014-1525?
To fix CVE-2014-1525, upgrade Mozilla Firefox to version 29.0 or later, or SeaMonkey to version 2.26 or later.
Which software versions are affected by CVE-2014-1525?
CVE-2014-1525 affects Mozilla Firefox versions before 29.0 and SeaMonkey versions before 2.26, along with certain versions of Ubuntu and openSUSE.
What types of attacks can exploit CVE-2014-1525?
CVE-2014-1525 can be exploited to execute arbitrary code or lead to denial of service due to use-after-free and improper memory management.
Is there a workaround for CVE-2014-1525?
There are no specific workarounds for CVE-2014-1525; updating to the latest software version is the recommended action.
- agent/type
- agent/severity
- agent/author
- agent/remedy
- agent/references
- agent/description
- collector/mitre-cve
- source/MITRE
- agent/last-modified-date
- agent/first-publish-date
- agent/event
- agent/source
- agent/weakness
- agent/tags
- agent/softwarecombine
- collector/nvd-index
- agent/software-canonical-lookup-request
- vendor/mozilla
- canonical/mozilla firefox
- canonical/mozilla seamonkey
- vendor/canonical
- canonical/ubuntu linux
- version/ubuntu linux/12.04
- version/ubuntu linux/12.10
- version/ubuntu linux/13.10
- version/ubuntu linux/14.04
- vendor/opensuse
- canonical/opensuse
- version/opensuse/12.3
- version/opensuse/13.1
- vendor/fedoraproject
- canonical/fedoraproject fedora
- version/fedoraproject fedora/19