Login Sign Up

CVE-2021-23994

8.8 HIGH

📋 TL;DR

This vulnerability allows attackers to exploit uninitialized WebGL framebuffers in Mozilla browsers, leading to memory corruption and potential arbitrary code execution. It affects users of Firefox ESR before 78.10, Thunderbird before 78.10, and Firefox before 88 who visit malicious websites.

💻 Affected Systems

Products:
  • Firefox ESR
  • Thunderbird
  • Firefox
Versions: Firefox ESR < 78.10, Thunderbird < 78.10, Firefox < 88
Operating Systems: Windows, Linux, macOS
Default Config Vulnerable: ⚠️ Yes
Notes: All default configurations with WebGL enabled are vulnerable. WebGL is enabled by default in affected versions.

📦 What is this software?

Firefox by Mozilla

View all CVEs affecting Firefox →

Firefox Esr by Mozilla

View all CVEs affecting Firefox Esr →

Thunderbird by Mozilla

View all CVEs affecting Thunderbird →

⚠️ Risk & Real-World Impact

🔴

Worst Case

Remote code execution with the privileges of the browser process, potentially leading to full system compromise.

🟠

Likely Case

Browser crash or denial of service, with potential for limited code execution in browser sandbox.

🟢

If Mitigated

Minimal impact if browsers are fully patched or WebGL is disabled.

🌐 Internet-Facing: HIGH - Exploitable via malicious websites without user interaction beyond visiting the site.
🏢 Internal Only: MEDIUM - Requires user to visit malicious internal sites or click malicious links.

🎯 Exploit Status

Public PoC: ✅ No
Weaponized: UNKNOWN
Unauthenticated Exploit: ⚠️ Yes
Complexity: MEDIUM

Exploitation requires WebGL knowledge and memory corruption techniques. No public exploit code has been released.

🛠️ Fix & Mitigation

✅ Official Fix

Patch Version: Firefox ESR 78.10+, Thunderbird 78.10+, Firefox 88+

Vendor Advisory: https://www.mozilla.org/security/advisories/mfsa2021-14/

Restart Required: Yes

Instructions:

1. Open browser settings 2. Go to Help > About Firefox/Thunderbird 3. Allow automatic update or download latest version from mozilla.org 4. Restart browser

🔧 Temporary Workarounds

Disable WebGL

all

Prevents exploitation by disabling the vulnerable WebGL component

about:config -> webgl.disabled = true

🧯 If You Can't Patch

  • Restrict browser usage to trusted websites only
  • Implement network filtering to block malicious WebGL content

🔍 How to Verify

Check if Vulnerable:

Check browser version in Help > About. If version is below patched versions, system is vulnerable.

Check Version:

firefox --version or thunderbird --version

Verify Fix Applied:

Confirm browser version is Firefox ESR 78.10+, Thunderbird 78.10+, or Firefox 88+

📡 Detection & Monitoring

Log Indicators:

  • Browser crash logs with WebGL context
  • Memory access violation errors in browser logs

Network Indicators:

  • Unusual WebGL resource loading patterns
  • Suspicious JavaScript with WebGL API calls

SIEM Query:

source="browser_logs" AND ("WebGL" OR "framebuffer") AND ("crash" OR "access violation")

📊 Metadata

CVE ID: CVE-2021-23994
CVSS v3 Score: 8.8 (HIGH)
CVSS Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H
CWE: CWE-909
Published: June 24, 2021
Last Updated: November 21, 2024

🔗 References

📤 Share & Export

📄 Export Markdown 📋 Export JSON

🔗 Related Vulnerabilities

If you're affected by CVE-2021-23994, you might also want to check these:

CVE-2022-22704 9.8

CVE-2022-22704 is a privilege escalation vulnerability in zabbix-agent2 on Alpine Linux that allows ...

Same vulnerability type (CWE-909)
CVE-2021-29980 8.8

This vulnerability involves uninitialized memory in a canvas object in Mozilla Thunderbird and Firef...

Same vulnerability type (CWE-909)
CVE-2024-43873 7.8

This CVE addresses an uninitialized variable vulnerability in the Linux kernel's vhost/vsock subsyst...

Same vulnerability type (CWE-909)