CVE-2022-45409: Use After Free

Reference Links

• https://bugzilla.mozilla.org/show_bug.cgi?id=1796901
• https://www.mozilla.org/en-US/security/advisories/mfsa2022-49/
• https://www.mozilla.org/en-US/security/advisories/mfsa2022-47/
• https://www.mozilla.org/en-US/security/advisories/mfsa2022-48/
• https://www.mozilla.org/security/advisories/mfsa2022-47/
• https://www.mozilla.org/security/advisories/mfsa2022-48/
• https://www.mozilla.org/security/advisories/mfsa2022-49/

Parent vulnerabilities

(Appears in the following advisories)

• MFSA2022-49
• MFSA2022-48
• MFSA2022-47

Peer vulnerabilities

(Found alongside the following vulnerabilities)

• CVE-2022-45403
• CVE-2022-45404
• CVE-2022-45405
• CVE-2022-45406
• CVE-2022-45408
• CVE-2022-45409
• CVE-2022-45410
• CVE-2022-45411
• CVE-2022-45412
• CVE-2022-45416
• CVE-2022-45418
• CVE-2022-45420
• CVE-2022-45421
• CVE-2022-45407
• CVE-2022-45413
• CVE-2022-40674
• CVE-2022-45415
• CVE-2022-45417
• CVE-2022-46882
• CVE-2022-45419
• CVE-2022-46883

Frequently Asked Questions

• What is the vulnerability ID of this issue?

  The vulnerability ID of this issue is CVE-2022-45409.

• Which software versions are affected by this vulnerability?

  This vulnerability affects Mozilla Thunderbird versions up to and excluding 102.5, Mozilla Firefox versions up to and excluding 107, and Mozilla Firefox ESR versions up to and excluding 102.5.

• What is the severity rating of CVE-2022-45409?

  CVE-2022-45409 has a severity rating of 8.8 (high).

• What is the description of this vulnerability?

  The garbage collector could have been aborted in several states and GCRuntime::finishCollection may not have been called, leading to a use-after-free and potentially exploitable crash.

• How can I fix this vulnerability?

  To fix this vulnerability, update Mozilla Thunderbird to version 102.5 or higher, update Mozilla Firefox to version 107 or higher, or update Mozilla Firefox ESR to version 102.5 or higher.