What is CVE-2019-11759?

CVE-2019-11759 is a vulnerability that could allow an attacker to execute arbitrary code or cause a crash by writing 4 bytes of HMAC output past the end of a buffer stored on the stack.

Which software versions are affected by CVE-2019-11759?

Firefox versions earlier than 70, Thunderbird versions earlier than 68.2, and Firefox ESR versions earlier than 68.2 are affected by CVE-2019-11759.

What is the severity of CVE-2019-11759?

CVE-2019-11759 has a high severity rating of 8.8.

How can this vulnerability be fixed?

To fix CVE-2019-11759, update Firefox to version 70 or later, Thunderbird to version 68.2 or later, and Firefox ESR to version 68.2 or later.

Where can I find more information about CVE-2019-11759?

More information about CVE-2019-11759 can be found in the following references: [Mozilla Bugzilla](https://bugzilla.mozilla.org/show_bug.cgi?id=1577953), [Mozilla Security Advisory](https://www.mozilla.org/en-US/security/advisories/mfsa2019-33/), [Mozilla Security Advisory](https://www.mozilla.org/en-US/security/advisories/mfsa2019-35/).

Vulnerability/
CVE-2019-11759

high

8.8

CWE

120

22/10/2019

1/2/2023

CVE-2019-11759

First published: Tue Oct 22 2019(Updated: )

A flaw was discovered in both Firefox and Thunderbird where 4 bytes of a HMAC output could be written past the end of a buffer stored on the memory stack. This could allow an attacker to execute arbitrary code or lead to a crash. This flaw can be exploited over the network.

Credit: security@mozilla.org security@mozilla.org

Affected Software	Affected Version	How to fix
redhat/firefox	<0:68.2.0-4.el6_10	0:68.2.0-4.el6_10
redhat/thunderbird	<0:68.2.0-2.el6_10	0:68.2.0-2.el6_10
redhat/firefox	<0:68.2.0-1.el7_7	0:68.2.0-1.el7_7
redhat/thunderbird	<0:68.2.0-1.el7_7	0:68.2.0-1.el7_7
redhat/firefox	<0:68.2.0-2.el8_0	0:68.2.0-2.el8_0
redhat/thunderbird	<0:68.2.0-1.el8_0	0:68.2.0-1.el8_0
redhat/firefox	<68.2	68.2
redhat/thunderbird	<68.2	68.2
Mozilla Thunderbird	<68.2	68.2
Mozilla Firefox ESR	<68.2	68.2
Mozilla Firefox	<70	70
Mozilla Firefox	<70.0
Mozilla Firefox ESR	<68.2
Mozilla Thunderbird	<68.2
Canonical Ubuntu Linux	=16.04
ubuntu/firefox	<70.0+	70.0+
ubuntu/firefox	<70.0+	70.0+
ubuntu/firefox	<70.0+	70.0+
ubuntu/firefox	<70.0+	70.0+
ubuntu/firefox	<70.0+	70.0+
ubuntu/firefox	<70.0+	70.0+
ubuntu/firefox	<70.0+	70.0+
ubuntu/firefox	<70.0+	70.0+
ubuntu/firefox	<70.0+	70.0+
ubuntu/firefox	<70.0+	70.0+
ubuntu/firefox	<70.0+	70.0+
ubuntu/firefox	<70.0+	70.0+
ubuntu/firefox	<70.0	70.0
ubuntu/firefox	<70.0+	70.0+
ubuntu/thunderbird	<1:68.2.1+	1:68.2.1+
ubuntu/thunderbird	<1:68.2.1+	1:68.2.1+
ubuntu/thunderbird	<1:68.2.0+	1:68.2.0+
ubuntu/thunderbird	<1:68.2.0+	1:68.2.0+
ubuntu/thunderbird	<1:68.2.0+	1:68.2.0+
ubuntu/thunderbird	<1:68.2.0+	1:68.2.0+
ubuntu/thunderbird	<1:68.2.0+	1:68.2.0+
ubuntu/thunderbird	<1:68.2.0+	1:68.2.0+
ubuntu/thunderbird	<1:68.2.0+	1:68.2.0+
ubuntu/thunderbird	<1:68.2.0+	1:68.2.0+
ubuntu/thunderbird	<1:68.2.0+	1:68.2.0+
ubuntu/thunderbird	<68.2	68.2
ubuntu/thunderbird	<1:68.7.0+	1:68.7.0+
debian/firefox		125.0.3-1
debian/firefox-esr		91.12.0esr-1~deb10u1 115.10.0esr-1~deb10u1 115.7.0esr-1~deb11u1 115.10.0esr-1~deb11u1 115.7.0esr-1~deb12u1 115.10.0esr-1~deb12u1 115.10.0esr-1
debian/thunderbird		1:91.12.0-1~deb10u1 1:115.10.1-1~deb10u1 1:115.7.0-1~deb11u1 1:115.10.1-1~deb11u1 1:115.7.0-1~deb12u1 1:115.10.1-1~deb12u1 1:115.10.1-1

Never miss a vulnerability like this again

Reference Links

Parent vulnerabilities

(Appears in the following advisories)

Peer vulnerabilities

(Found alongside the following vulnerabilities)

Frequently Asked Questions

What is CVE-2019-11759?
CVE-2019-11759 is a vulnerability that could allow an attacker to execute arbitrary code or cause a crash by writing 4 bytes of HMAC output past the end of a buffer stored on the stack.
Which software versions are affected by CVE-2019-11759?
Firefox versions earlier than 70, Thunderbird versions earlier than 68.2, and Firefox ESR versions earlier than 68.2 are affected by CVE-2019-11759.
What is the severity of CVE-2019-11759?
CVE-2019-11759 has a high severity rating of 8.8.
How can this vulnerability be fixed?
To fix CVE-2019-11759, update Firefox to version 70 or later, Thunderbird to version 68.2 or later, and Firefox ESR to version 68.2 or later.
Where can I find more information about CVE-2019-11759?
More information about CVE-2019-11759 can be found in the following references: [Mozilla Bugzilla](https://bugzilla.mozilla.org/show_bug.cgi?id=1577953), [Mozilla Security Advisory](https://www.mozilla.org/en-US/security/advisories/mfsa2019-33/), [Mozilla Security Advisory](https://www.mozilla.org/en-US/security/advisories/mfsa2019-35/).

collector/redhat-cve
agent/type
agent/last-modified-date
agent/first-publish-date
collector/launchpad-cve
source/Launchpad
agent/author
collector/redhat-bugzilla
source/Red Hat
alias/CVE-2019-11759
agent/software-canonical-lookup
collector/mozilla-advisory
source/Mozilla
agent/description
agent/severity
agent/weakness
agent/software-canonical-lookup-request
collector/nvd-cve
source/NVD
collector/nvd-index
agent/event
agent/references
agent/tags
collector/usn-cve
source/Ubuntu
agent/softwarecombine
collector/security-tracker-debian
source/Debian
package-manager/redhat
vendor/mozilla
canonical/mozilla thunderbird
canonical/mozilla firefox esr
canonical/mozilla firefox
vendor/canonical
canonical/canonical ubuntu linux
version/canonical ubuntu linux/16.04
package-manager/ubuntu
package-manager/debian