CVE-2016-2812 : Race condition in the get implementation in the ServiceWorkerManager class in th

Race condition in the get implementation in the ServiceWorkerManager class in the Service Worker subsystem in Mozilla Firefox before 46.0 allows remote attackers to execute arbitrary code or cause a denial of service (buffer overflow and application crash) via a crafted web site.

Published 2016-04-30 17:59:10

Updated 2025-04-12 10:46:41

Source Mozilla Corporation

View at NVD, CVE.org

Vulnerability category: OverflowExecute codeDenial of service

Products affected by CVE-2016-2812

Mozilla » Firefox
Versions up to, including, (<=) 45.0.2
cpe:2.3:a:mozilla:firefox:*:*:*:*:*:*:*:*
Matching versions

Exploit prediction scoring system (EPSS) score for CVE-2016-2812

EPSS FAQ

0.47%

Probability of exploitation activity in the next 30 days EPSS Score History

~ 62 %

Percentile, the proportion of vulnerabilities that are scored at or less

CVSS scores for CVE-2016-2812

Base Score	Base Severity	CVSS Vector	Exploitability Score	Impact Score	Score Source
5.1	MEDIUM	AV:N/AC:H/Au:N/C:P/I:P/A:P	4.9	6.4	NIST
Access Vector: Network Access Complexity: High Authentication: None Confidentiality Impact: Partial Integrity Impact: Partial Availability Impact: Partial
7.5	HIGH	CVSS:3.0/AV:N/AC:H/PR:N/UI:R/S:U/C:H/I:H/A:H	1.6	5.9	NIST
Attack Vector: Network Attack Complexity: High Privileges Required: None User Interaction: Required Scope: Unchanged Confidentiality: High Integrity: High Availability: High

CWE ids for CVE-2016-2812

CWE-362 Concurrent Execution using Shared Resource with Improper Synchronization ('Race Condition')

The product contains a concurrent code sequence that requires temporary, exclusive access to a shared resource, but a timing window exists in which the shared resource can be modified by another code sequence operating concurrently.

Assigned by: nvd@nist.gov (Primary)

References for CVE-2016-2812

https://security.gentoo.org/glsa/201701-15

Mozilla Firefox, Thunderbird: Multiple vulnerabilities (GLSA 201701-15) — Gentoo security

CVEs referencing this url
http://www.ubuntu.com/usn/USN-2936-3

USN-2936-3: Firefox regression | Ubuntu security notices

CVEs referencing this url
http://www.securitytracker.com/id/1035692

Mozilla Firefox Multiple Flaws Let Remote Users Execute Arbitrary Code, Gain Elevated Privileges, Bypass Security Restrictions, and Obtain Potentially Sensitive Information - SecurityTracker

CVEs referencing this url
http://www.ubuntu.com/usn/USN-2936-2

USN-2936-2: Oxygen-GTK3 update | Ubuntu security notices

CVEs referencing this url
http://lists.opensuse.org/opensuse-updates/2016-05/msg00038.html

openSUSE-SU-2016:1251-1: moderate: Security update to Firefox 46.0

CVEs referencing this url
http://www.mozilla.org/security/announce/2016/mfsa2016-42.html

Use-after-free and buffer overflow in Service Workers — Mozilla
Vendor Advisory

CVEs referencing this url
http://www.ubuntu.com/usn/USN-2936-1

USN-2936-1: Firefox vulnerabilities | Ubuntu security notices

CVEs referencing this url
https://bugzilla.mozilla.org/show_bug.cgi?id=1261776

Bugzilla.mozilla.org is offline
http://lists.opensuse.org/opensuse-security-announce/2016-05/msg00005.html

[security-announce] openSUSE-SU-2016:1211-1: important: Security update

CVEs referencing this url

Jump to

Vulnerability Details : CVE-2016-2812

Products affected by CVE-2016-2812

Exploit prediction scoring system (EPSS) score for CVE-2016-2812

CVSS scores for CVE-2016-2812

CWE ids for CVE-2016-2812

References for CVE-2016-2812