CVE-2016-1960: Use After Free
First published: Sun Mar 13 2016(Updated: )
Integer underflow in the nsHtml5TreeBuilder class in the HTML5 string parser in Mozilla Firefox before 45.0 and Firefox ESR 38.x before 38.7 allows remote attackers to execute arbitrary code or cause a denial of service (use-after-free) by leveraging mishandling of end tags, as demonstrated by incorrect SVG processing, aka ZDI-CAN-3545.
Credit: security@mozilla.org security@mozilla.org
| Affected Software | Affected Version | How to fix |
|---|---|---|
| Oracle Linux | =5.0 | |
| Oracle Linux | =6 | |
| Oracle Linux | =7 | |
| Firefox | <=44.0.2 | |
| Firefox | =38.0 | |
| Firefox | =38.0.1 | |
| Firefox | =38.0.5 | |
| Firefox | =38.1.0 | |
| Firefox | =38.1.1 | |
| Firefox | =38.2.0 | |
| Firefox | =38.2.1 | |
| Firefox | =38.3.0 | |
| Firefox | =38.4.0 | |
| Firefox | =38.5.0 | |
| Firefox | =38.5.1 | |
| Firefox | =38.6.0 | |
| Firefox | =38.6.1 | |
| Thunderbird | <=38.6.0 | |
| SUSE Linux | =42.1 | |
| openSUSE | =13.1 | |
| openSUSE | =13.2 | |
| SUSE Linux Enterprise Server | =12.0 | |
| Firefox ESR | =38.0 | |
| Firefox ESR | =38.0.1 | |
| Firefox ESR | =38.0.5 | |
| Firefox ESR | =38.1.0 | |
| Firefox ESR | =38.1.1 | |
| Firefox ESR | =38.2.0 | |
| Firefox ESR | =38.2.1 | |
| Firefox ESR | =38.3.0 | |
| Firefox ESR | =38.4.0 | |
| Firefox ESR | =38.5.0 | |
| Firefox ESR | =38.5.1 | |
| Firefox ESR | =38.6.0 | |
| Firefox ESR | =38.6.1 |
Never miss a vulnerability like this again
Sign up to SecAlerts for real-time vulnerability data matched to your software, aggregated from hundreds of sources.
Reference Links
- http://lists.opensuse.org/opensuse-security-announce/2016-03/msg00027.html
- http://lists.opensuse.org/opensuse-security-announce/2016-03/msg00029.html
- http://lists.opensuse.org/opensuse-security-announce/2016-03/msg00031.html
- http://lists.opensuse.org/opensuse-security-announce/2016-03/msg00050.html
- http://lists.opensuse.org/opensuse-security-announce/2016-03/msg00068.html
- http://lists.opensuse.org/opensuse-security-announce/2016-03/msg00089.html
- http://lists.opensuse.org/opensuse-security-announce/2016-03/msg00091.html
- http://lists.opensuse.org/opensuse-security-announce/2016-03/msg00093.html
- http://lists.opensuse.org/opensuse-security-announce/2016-07/msg00006.html
- http://lists.opensuse.org/opensuse-security-announce/2016-07/msg00007.html
- http://lists.opensuse.org/opensuse-security-announce/2016-07/msg00008.html
- http://www.debian.org/security/2016/dsa-3510
- http://www.debian.org/security/2016/dsa-3520
- http://www.mozilla.org/security/announce/2016/mfsa2016-23.html
- http://www.oracle.com/technetwork/topics/security/linuxbulletinjan2016-2867209.html
- http://www.securitytracker.com/id/1035215
- http://www.ubuntu.com/usn/USN-2917-1
- http://www.ubuntu.com/usn/USN-2917-2
- http://www.ubuntu.com/usn/USN-2917-3
- http://www.ubuntu.com/usn/USN-2934-1
- http://zerodayinitiative.com/advisories/ZDI-16-198/
- https://bugzilla.mozilla.org/show_bug.cgi?id=1246014
- https://security.gentoo.org/glsa/201605-06
- https://www.exploit-db.com/exploits/42484/
- https://www.exploit-db.com/exploits/44294/
Frequently Asked Questions
What is the severity of CVE-2016-1960?
CVE-2016-1960 has a severity rating that indicates it can potentially allow remote code execution or cause a denial of service.
How do I fix CVE-2016-1960?
To fix CVE-2016-1960, users should update Mozilla Firefox or Mozilla Firefox ESR to the latest version that is not affected by this vulnerability.
Which versions of Mozilla Firefox are affected by CVE-2016-1960?
CVE-2016-1960 affects Mozilla Firefox versions before 45.0 and Mozilla Firefox ESR versions before 38.7.
Can CVE-2016-1960 allow attackers to execute arbitrary code?
Yes, CVE-2016-1960 can enable remote attackers to execute arbitrary code due to mishandling of end tags.
What systems are impacted by CVE-2016-1960?
CVE-2016-1960 impacts various systems running vulnerable versions of Mozilla Firefox and Mozilla Firefox ESR.
- agent/type
- agent/references
- agent/severity
- agent/weakness
- agent/description
- collector/mitre-cve
- source/MITRE
- agent/first-publish-date
- agent/event
- agent/author
- agent/last-modified-date
- agent/source
- collector/nvd-api
- source/NVD
- agent/software-canonical-lookup
- agent/software-canonical-lookup-request
- agent/tags
- agent/softwarecombine
- collector/nvd-index
- vendor/oracle
- canonical/oracle linux
- version/oracle linux/5.0
- version/oracle linux/6
- version/oracle linux/7
- vendor/mozilla
- canonical/firefox
- version/firefox/44.0.2
- version/firefox/38.0
- version/firefox/38.0.1
- version/firefox/38.0.5
- version/firefox/38.1.0
- version/firefox/38.1.1
- version/firefox/38.2.0
- version/firefox/38.2.1
- version/firefox/38.3.0
- version/firefox/38.4.0
- version/firefox/38.5.0
- version/firefox/38.5.1
- version/firefox/38.6.0
- version/firefox/38.6.1
- canonical/thunderbird
- version/thunderbird/38.6.0
- vendor/opensuse
- canonical/suse linux
- version/suse linux/42.1
- canonical/opensuse
- version/opensuse/13.1
- version/opensuse/13.2
- vendor/suse
- canonical/suse linux enterprise server
- version/suse linux enterprise server/12.0
- canonical/firefox esr
- version/firefox esr/38.0
- version/firefox esr/38.0.1
- version/firefox esr/38.0.5
- version/firefox esr/38.1.0
- version/firefox esr/38.1.1
- version/firefox esr/38.2.0
- version/firefox esr/38.2.1
- version/firefox esr/38.3.0
- version/firefox esr/38.4.0
- version/firefox esr/38.5.0
- version/firefox esr/38.5.1
- version/firefox esr/38.6.0
- version/firefox esr/38.6.1