Login Sign Up

CVE-2021-29946

8.8 HIGH

📋 TL;DR

This vulnerability allows attackers to bypass port blocking restrictions by crafting Alt-Svc headers with integer overflow values above 65535. It affects Firefox, Firefox ESR, and Thunderbird users running vulnerable versions, potentially enabling connections to blocked ports.

💻 Affected Systems

Products:
  • Firefox
  • Firefox ESR
  • Thunderbird
Versions: Firefox < 88, Firefox ESR < 78.10, Thunderbird < 78.10
Operating Systems: All platforms supported by affected browsers
Default Config Vulnerable: ⚠️ Yes
Notes: All default configurations are vulnerable; exploitation requires user to visit malicious website or content.

📦 What is this software?

Firefox by Mozilla

View all CVEs affecting Firefox →

Firefox Esr by Mozilla

View all CVEs affecting Firefox Esr →

Thunderbird by Mozilla

View all CVEs affecting Thunderbird →

⚠️ Risk & Real-World Impact

🔴

Worst Case

Attackers could bypass network security controls to establish connections to malicious servers on blocked ports, potentially leading to data exfiltration or malware delivery.

🟠

Likely Case

Bypass of port blocking policies allowing connections to unauthorized services, though exploitation requires user interaction with malicious content.

🟢

If Mitigated

Limited impact if proper network segmentation and egress filtering are in place, though browser security controls would be bypassed.

🌐 Internet-Facing: MEDIUM
🏢 Internal Only: LOW

🎯 Exploit Status

Public PoC: ✅ No
Weaponized: UNKNOWN
Unauthenticated Exploit: ⚠️ Yes
Complexity: LOW

Exploitation requires user to visit attacker-controlled content; no authentication needed beyond that.

🛠️ Fix & Mitigation

✅ Official Fix

Patch Version: Firefox 88, Firefox ESR 78.10, Thunderbird 78.10

Vendor Advisory: https://www.mozilla.org/security/advisories/mfsa2021-14/

Restart Required: Yes

Instructions:

1. Open browser settings 2. Navigate to About/Help section 3. Allow browser to check for and install updates 4. Restart browser when prompted

🔧 Temporary Workarounds

Disable Alt-Svc header processing

all

Prevents browser from processing Alt-Svc headers entirely

about:config
Set network.http.altsvc.enabled to false

🧯 If You Can't Patch

  • Implement network-level port blocking at firewall/IPS
  • Use web proxy with strict URL filtering to block malicious sites

🔍 How to Verify

Check if Vulnerable:

Check browser version in About/Help menu and compare with affected versions

Check Version:

Browser-specific: Firefox/Thunderbird: about: or Help → About

Verify Fix Applied:

Verify browser version is Firefox ≥88, Firefox ESR ≥78.10, or Thunderbird ≥78.10

📡 Detection & Monitoring

Log Indicators:

  • Unusual outbound connections to non-standard ports from browsers
  • Alt-Svc headers with port values >65535

Network Indicators:

  • HTTP traffic with Alt-Svc headers containing large port numbers
  • Browser connections to unexpected ports

SIEM Query:

http.headers contains "Alt-Svc" AND (http.headers contains port >65535 OR http.dest_port >1024 AND http.dest_port not in allowed_ports)

📊 Metadata

CVE ID: CVE-2021-29946
CVSS v3 Score: 8.8 (HIGH)
CVSS Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H
CWE: CWE-190
Published: June 24, 2021
Last Updated: November 21, 2024

🔗 References

📤 Share & Export

📄 Export Markdown 📋 Export JSON

🔗 Related Vulnerabilities

If you're affected by CVE-2021-29946, you might also want to check these:

CVE-2025-64721 10.0

This vulnerability in Sandboxie allows sandboxed processes to exploit an integer overflow in the Sbi...

Same vulnerability type (CWE-190)
CVE-2025-52581 9.8

An integer overflow vulnerability in libbiosig's GDF file parsing allows arbitrary code execution wh...

Same vulnerability type (CWE-190)
CVE-2025-53518 9.8

An integer overflow vulnerability in libbiosig's ABF file parser allows arbitrary code execution whe...

Same vulnerability type (CWE-190)