CVE-2021-23954

8.8 HIGH

📋 TL;DR

This vulnerability is a type confusion bug triggered when JavaScript's logical assignment operators are used inside a switch statement; it can lead to memory corruption and a potentially exploitable crash. It affects users of Firefox, Thunderbird, and Firefox ESR on all operating systems. An attacker could exploit it to execute arbitrary code or cause a denial of service.

💻 Affected Systems

Products:
  • Firefox
  • Thunderbird
  • Firefox ESR
Versions: Firefox < 85, Thunderbird < 78.7, Firefox ESR < 78.7
Operating Systems: All supported platforms (Windows, macOS, Linux)
Default Config Vulnerable: ⚠️ Yes
Notes: All default configurations are vulnerable; no special settings required.

⚠️ Risk & Real-World Impact

🔴 Worst Case: Remote code execution allowing full system compromise, data theft, or malware installation.

🟠 Likely Case: Browser crash leading to denial of service or limited memory corruption.

🟢 If Mitigated: No impact if patched or if exploit attempts are blocked by security controls.

🌐 Internet-Facing: HIGH - Web browsers are directly exposed to malicious web content.
🏢 Internal Only: MEDIUM - Internal users could be targeted via malicious internal sites or emails.

🎯 Exploit Status

Public PoC: ✅ No
Weaponized: UNKNOWN
Unauthenticated Exploit: ⚠️ Yes
Complexity: MEDIUM

Exploitation requires JavaScript execution; no public proof-of-concept was disclosed at advisory time.

🛠️ Fix & Mitigation

✅ Official Fix

Patch Version: Firefox 85, Thunderbird 78.7, Firefox ESR 78.7

Vendor Advisory: https://www.mozilla.org/security/advisories/mfsa2021-03/

Restart Required: Yes

Instructions:

1. Open the browser/application.
2. Go to Settings/Preferences > Help > About Firefox/Thunderbird.
3. Allow the application to check for and install updates.
4. Restart when prompted.

🔧 Temporary Workarounds

Disable JavaScript (applies to: all)

Prevents exploitation by blocking JavaScript execution, but breaks most web functionality.

In Firefox: about:config > javascript.enabled = false

🧯 If You Can't Patch

  • Restrict access to untrusted websites and disable JavaScript in email clients.
  • Use network filtering to block malicious content and monitor for crash reports.

🔍 How to Verify

Check if Vulnerable:

Check the version in the application's About dialog; if below the patched version, it is vulnerable.

Check Version:

On Linux: firefox --version | head -1; On Windows/macOS: Check via Help > About.

Verify Fix Applied:

Confirm the version is at or above Firefox 85, Thunderbird 78.7, or Firefox ESR 78.7.
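As an added example (not part of the advisory or of Mozilla's tooling), the following POSIX shell helper applies the check above to a `--version` line: it extracts the dotted version number, picks the fixed release from the advisory for the product named in the line (Thunderbird and Firefox ESR at 78.7, Firefox at 85), and compares field by field. The sample lines at the bottom are constructed, not output captured from a real host.

```shell
#!/bin/sh
# Added example, not from the advisory: decide whether a Mozilla "--version"
# line is at or above the release that fixes CVE-2021-23954.
# Fixed versions per the advisory: Firefox 85, Firefox ESR 78.7, Thunderbird 78.7.

# version_ge VERSION MIN -> exit 0 if VERSION >= MIN, comparing dotted fields
# numerically; missing trailing fields count as 0 (so 85.0 == 85), and a
# trailing suffix such as "0esr" is read as its numeric prefix.
version_ge() {
  awk -v v="$1" -v m="$2" 'BEGIN {
    nv = split(v, a, "."); nm = split(m, b, ".")
    n = (nv > nm) ? nv : nm
    for (i = 1; i <= n; i++) {
      x = (i in a) ? a[i] + 0 : 0
      y = (i in b) ? b[i] + 0 : 0
      if (x > y) exit 0
      if (x < y) exit 1
    }
    exit 0
  }'
}

# check_version_line LINE -> prints FIXED (exit 0), VULNERABLE (exit 1) or
# UNKNOWN (exit 2) for a line such as "Mozilla Firefox 84.0.2".
check_version_line() {
  line="$1"
  # First run of digits and dots after any leading non-digits, e.g. 78.7.0 from "78.7.0esr".
  ver=$(printf '%s\n' "$line" | sed -n 's/^[^0-9]*\([0-9][0-9.]*\).*/\1/p')
  if [ -z "$ver" ]; then
    echo "UNKNOWN"
    return 2
  fi
  # Threshold depends on the product line named in the version string.
  case "$line" in
    *Thunderbird*) min="78.7" ;;
    *esr*|*ESR*)   min="78.7" ;;
    *Firefox*)     min="85" ;;
    *)             echo "UNKNOWN"; return 2 ;;
  esac
  if version_ge "$ver" "$min"; then
    echo "FIXED"
    return 0
  fi
  echo "VULNERABLE"
  return 1
}

# On a real host the input comes from the command given in the advisory:
if command -v firefox >/dev/null 2>&1; then
  check_version_line "$(firefox --version 2>/dev/null | head -1)" || :
fi

# Constructed sample lines to show each outcome (not real host output):
for sample in "Mozilla Firefox 84.0.2" "Mozilla Firefox 85.0" \
              "Mozilla Firefox 78.7.0esr" "Mozilla Thunderbird 78.6.1"; do
  printf '%s -> %s\n' "$sample" "$(check_version_line "$sample")"
done
```

The product is inferred from the text of the version line, so a Thunderbird or ESR build that prints a version below 85 is still reported as fixed once it reaches 78.7, matching the advisory's per-product thresholds rather than a single global number.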

📡 Detection & Monitoring

Log Indicators:

  • Unexpected browser/application crashes, memory access errors in system logs

Network Indicators:

  • Unusual JavaScript payloads in web traffic, especially involving switch statements and logical assignments

SIEM Query:

source="firefox.log" AND (event="crash" OR event="memory_error")
