CVE-2022-45405: Use After Free

Reference Links

• https://bugzilla.mozilla.org/show_bug.cgi?id=1791314
• https://www.mozilla.org/en-US/security/advisories/mfsa2022-49/
• https://www.mozilla.org/en-US/security/advisories/mfsa2022-47/
• https://www.mozilla.org/en-US/security/advisories/mfsa2022-48/
• https://www.mozilla.org/security/advisories/mfsa2022-47/
• https://www.mozilla.org/security/advisories/mfsa2022-48/
• https://www.mozilla.org/security/advisories/mfsa2022-49/

Parent vulnerabilities

(Appears in the following advisories)

• MFSA2022-49
• MFSA2022-48
• MFSA2022-47

Peer vulnerabilities

(Found alongside the following vulnerabilities)

• CVE-2022-45403
• CVE-2022-45404
• CVE-2022-45405
• CVE-2022-45406
• CVE-2022-45408
• CVE-2022-45409
• CVE-2022-45410
• CVE-2022-45411
• CVE-2022-45412
• CVE-2022-45416
• CVE-2022-45418
• CVE-2022-45420
• CVE-2022-45421
• CVE-2022-45407
• CVE-2022-45413
• CVE-2022-40674
• CVE-2022-45415
• CVE-2022-45417
• CVE-2022-46882
• CVE-2022-45419
• CVE-2022-46883

Frequently Asked Questions

• What is CVE-2022-45405?

  CVE-2022-45405 is a vulnerability that allows freeing arbitrary nsIInputStream's on a different thread than creation, leading to a use-after-free and potentially exploitable crash.

• Which software is affected by CVE-2022-45405?

  CVE-2022-45405 affects Firefox ESR versions before 102.5, Thunderbird versions before 102.5, and Firefox versions before 107.

• What is the severity of CVE-2022-45405?

  The severity of CVE-2022-45405 is high with a CVSS score of 6.5.

• How can CVE-2022-45405 be exploited?

  CVE-2022-45405 can be exploited by freeing arbitrary nsIInputStream's on a different thread than creation, causing a use-after-free vulnerability.

• How can I fix CVE-2022-45405?

  To fix CVE-2022-45405, update Firefox ESR to version 102.5 or later, Thunderbird to version 102.5 or later, or Firefox to version 107 or later.