Login Sign Up

CVE-2020-26959

8.8 HIGH

📋 TL;DR

This is a use-after-free vulnerability in Mozilla Firefox, Firefox ESR, and Thunderbird that occurs during browser shutdown. Attackers could exploit this to cause memory corruption and potentially execute arbitrary code. Users running affected versions of these applications are at risk.

💻 Affected Systems

Products:
  • Mozilla Firefox
  • Mozilla Firefox ESR
  • Mozilla Thunderbird
Versions: Firefox < 83, Firefox ESR < 78.5, Thunderbird < 78.5
Operating Systems: Windows, Linux, macOS, Other platforms supported by affected applications
Default Config Vulnerable: ⚠️ Yes
Notes: All default configurations of affected versions are vulnerable. No special configuration required for exploitation.

📦 What is this software?

Firefox by Mozilla

View all CVEs affecting Firefox →

Firefox Esr by Mozilla

View all CVEs affecting Firefox Esr →

Thunderbird by Mozilla

View all CVEs affecting Thunderbird →

⚠️ Risk & Real-World Impact

🔴

Worst Case

Remote code execution leading to complete system compromise, data theft, or malware installation.

🟠

Likely Case

Browser crash or denial of service, potentially allowing limited information disclosure.

🟢

If Mitigated

No impact if patched or if exploit attempts are blocked by security controls.

🌐 Internet-Facing: HIGH - Web browsers are inherently internet-facing and process untrusted content.
🏢 Internal Only: MEDIUM - Risk exists but may be lower if internal web content is controlled.

🎯 Exploit Status

Public PoC: ✅ No
Weaponized: UNKNOWN
Unauthenticated Exploit: ⚠️ Yes
Complexity: MEDIUM

Exploitation requires triggering the use-after-free condition during browser shutdown, which may require specific timing or conditions.

🛠️ Fix & Mitigation

✅ Official Fix

Patch Version: Firefox 83, Firefox ESR 78.5, Thunderbird 78.5

Vendor Advisory: https://www.mozilla.org/security/advisories/mfsa2020-50/

Restart Required: Yes

Instructions:

1. Open the affected application. 2. Go to Help > About Firefox/Thunderbird. 3. Allow the application to check for and install updates. 4. Restart the application when prompted.

🔧 Temporary Workarounds

Disable JavaScript

all

Temporarily disable JavaScript to reduce attack surface while patching.

about:config -> javascript.enabled = false

🧯 If You Can't Patch

  • Restrict browser usage to trusted websites only
  • Implement application whitelisting to prevent execution of malicious code

🔍 How to Verify

Check if Vulnerable:

Check application version in Help > About Firefox/Thunderbird. If version is below patched versions, system is vulnerable.

Check Version:

firefox --version or thunderbird --version on Linux/macOS

Verify Fix Applied:

Confirm version is Firefox ≥83, Firefox ESR ≥78.5, or Thunderbird ≥78.5 after update.

📡 Detection & Monitoring

Log Indicators:

  • Application crash logs with memory corruption signatures
  • Unexpected browser shutdown events

Network Indicators:

  • Unusual web requests preceding crashes

SIEM Query:

source="*firefox*" OR source="*thunderbird*" AND (event="crash" OR event="shutdown")

📊 Metadata

CVE ID: CVE-2020-26959
CVSS v3 Score: 8.8 (HIGH)
CVSS Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H
CWE: CWE-416
Published: December 9, 2020
Last Updated: November 21, 2024

🔗 References

📤 Share & Export

📄 Export Markdown 📋 Export JSON

🔗 Related Vulnerabilities

If you're affected by CVE-2020-26959, you might also want to check these:

CVE-2025-24085 10.0

This CVE describes a use-after-free vulnerability (CWE-416) in Apple operating systems that allows m...

Same vulnerability type (CWE-416)
CVE-2024-43102 10.0

This CVE describes a use-after-free vulnerability in FreeBSD's umtx (user mutex) subsystem where con...

Same vulnerability type (CWE-416)
CVE-2021-33796 10.0

CVE-2021-33796 is a use-after-free vulnerability in MuJS's regexp source property access that can le...

Same vulnerability type (CWE-416)