Vulnerability Details : CVE-2016-2811
Use-after-free vulnerability in the ServiceWorkerInfo class in the Service Worker subsystem in Mozilla Firefox before 46.0 allows remote attackers to execute arbitrary code via vectors related to the BeginReading method.
Vulnerability category: Memory CorruptionExecute code
Exploit prediction scoring system (EPSS) score for CVE-2016-2811
Probability of exploitation activity in the next 30 days: 5.45%
Percentile, the proportion of vulnerabilities that are scored at or less: ~ 92 % EPSS Score History EPSS FAQ
CVSS scores for CVE-2016-2811
Base Score | Base Severity | CVSS Vector | Exploitability Score | Impact Score | Score Source |
---|---|---|---|---|---|
6.8
|
MEDIUM | AV:N/AC:M/Au:N/C:P/I:P/A:P |
8.6
|
6.4
|
NIST |
8.8
|
HIGH | CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H |
2.8
|
5.9
|
NIST |
References for CVE-2016-2811
-
https://security.gentoo.org/glsa/201701-15
Mozilla Firefox, Thunderbird: Multiple vulnerabilities (GLSA 201701-15) — Gentoo security
-
http://www.ubuntu.com/usn/USN-2936-3
USN-2936-3: Firefox regression | Ubuntu security notices
-
http://www.securitytracker.com/id/1035692
Mozilla Firefox Multiple Flaws Let Remote Users Execute Arbitrary Code, Gain Elevated Privileges, Bypass Security Restrictions, and Obtain Potentially Sensitive Information - SecurityTracker
-
http://www.ubuntu.com/usn/USN-2936-2
USN-2936-2: Oxygen-GTK3 update | Ubuntu security notices
-
http://lists.opensuse.org/opensuse-updates/2016-05/msg00038.html
openSUSE-SU-2016:1251-1: moderate: Security update to Firefox 46.0
-
http://www.mozilla.org/security/announce/2016/mfsa2016-42.html
Use-after-free and buffer overflow in Service Workers — MozillaVendor Advisory
-
https://bugzilla.mozilla.org/show_bug.cgi?id=1252330
TreeStatus
-
http://www.ubuntu.com/usn/USN-2936-1
USN-2936-1: Firefox vulnerabilities | Ubuntu security notices
-
http://lists.opensuse.org/opensuse-security-announce/2016-05/msg00005.html
[security-announce] openSUSE-SU-2016:1211-1: important: Security update
Products affected by CVE-2016-2811
- cpe:2.3:a:mozilla:firefox:*:*:*:*:*:*:*:*