Login Sign Up

CVE-2021-29952

7.5 HIGH
Remote Code Execution

📋 TL;DR

A race condition in Firefox's Web Render components during destruction could lead to undefined behavior, potentially allowing arbitrary code execution through memory corruption. This affects Firefox desktop versions before 88.0.1 and Firefox for Android versions before 88.1.3.

💻 Affected Systems

Products:
  • Mozilla Firefox
  • Mozilla Firefox for Android
Versions: Firefox < 88.0.1, Firefox for Android < 88.1.3
Operating Systems: Windows, macOS, Linux, Android
Default Config Vulnerable: ⚠️ Yes
Notes: All default configurations are vulnerable; Web Render is enabled by default in supported configurations.

📦 What is this software?

Firefox by Mozilla

View all CVEs affecting Firefox →

Firefox by Mozilla

View all CVEs affecting Firefox →

⚠️ Risk & Real-World Impact

🔴

Worst Case

Remote code execution allowing attacker to take full control of the affected system.

🟠

Likely Case

Browser crash or instability; successful exploitation requires significant effort.

🟢

If Mitigated

No impact if patched or if exploit attempts fail due to complexity.

🌐 Internet-Facing: HIGH - Web browsers are inherently internet-facing and process untrusted content.
🏢 Internal Only: MEDIUM - Internal users could be targeted via malicious internal sites or documents.

🎯 Exploit Status

Public PoC: ✅ No
Weaponized: UNKNOWN
Unauthenticated Exploit: ⚠️ Yes
Complexity: HIGH

Exploitation requires triggering a race condition during Web Render destruction, which is complex and may require multiple attempts.

🛠️ Fix & Mitigation

✅ Official Fix

Patch Version: Firefox 88.0.1, Firefox for Android 88.1.3

Vendor Advisory: https://www.mozilla.org/security/advisories/mfsa2021-20/

Restart Required: Yes

Instructions:

1. Open Firefox. 2. Click menu > Help > About Firefox. 3. Allow automatic update to version 88.0.1 or later. 4. Restart Firefox. For Android: Update via Google Play Store to version 88.1.3 or later.

🔧 Temporary Workarounds

Disable Web Render

all

Temporarily disable Web Render to mitigate the vulnerability (may impact performance).

Set gfx.webrender.all to false in about:config

🧯 If You Can't Patch

  • Restrict browser use to trusted websites only.
  • Implement application whitelisting to block Firefox execution.

🔍 How to Verify

Check if Vulnerable:

Check Firefox version via about:firefox or Help > About Firefox; if version is less than 88.0.1, it is vulnerable.

Check Version:

firefox --version (Linux/macOS) or check about:firefox (all platforms)

Verify Fix Applied:

Confirm version is 88.0.1 or later for Firefox, or 88.1.3 or later for Android.

📡 Detection & Monitoring

Log Indicators:

  • Browser crash logs referencing Web Render or race conditions
  • Unexpected process termination in system logs

Network Indicators:

  • Unusual outbound connections from Firefox process post-crash

SIEM Query:

source="firefox.log" AND ("crash" OR "WebRender")

📊 Metadata

CVE ID: CVE-2021-29952
CVSS v3 Score: 7.5 (HIGH)
CVSS Vector: CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:U/C:H/I:H/A:H
CWE: CWE-362
Published: June 24, 2021
Last Updated: November 21, 2024

🔗 References

📤 Share & Export

📄 Export Markdown 📋 Export JSON

🔗 Related Vulnerabilities

If you're affected by CVE-2021-29952, you might also want to check these:

CVE-2025-43275 9.8

A race condition vulnerability in macOS allows malicious applications to escape their sandbox restri...

Same vulnerability type (CWE-362)
CVE-2021-32810 9.8

A race condition in crossbeam-deque Rust library versions before 0.7.4 and 0.8.0 allows tasks in wor...

Same vulnerability type (CWE-362)
CVE-2025-30444 9.8

A race condition vulnerability in macOS SMB client allows attackers to cause system termination (ker...

Same vulnerability type (CWE-362)