CVE-2021-29984

8.8 HIGH

📋 TL;DR

This vulnerability involves a memory corruption flaw in Mozilla's JavaScript engine caused by instruction reordering during garbage collection. Attackers could exploit this to cause crashes or potentially execute arbitrary code. It affects Thunderbird email client and Firefox/ESR web browsers.

💻 Affected Systems

Products:
  • Mozilla Thunderbird
  • Mozilla Firefox
  • Mozilla Firefox ESR
Versions: Thunderbird < 78.13, Thunderbird < 91, Firefox ESR < 78.13, Firefox < 91
Operating Systems: Windows, Linux, macOS
Default Config Vulnerable: ⚠️ Yes
Notes: All default configurations are vulnerable. Requires JavaScript execution.

⚠️ Risk & Real-World Impact

🔴 Worst Case: Remote code execution leading to complete system compromise, data theft, or ransomware deployment.

🟠 Likely Case: Application crash (denial of service) or limited memory corruption that could be leveraged for further exploitation.

🟢 If Mitigated: No impact if systems are patched or isolated from untrusted content.

🌐 Internet-Facing: HIGH
🏢 Internal Only: MEDIUM

🎯 Exploit Status

Public PoC: ✅ No
Weaponized: UNKNOWN
Unauthenticated Exploit: ⚠️ Yes
Complexity: HIGH

Exploitation requires triggering specific garbage collection patterns via crafted JavaScript.

🛠️ Fix & Mitigation

✅ Official Fix

Patch Version: Thunderbird 78.13+, Thunderbird 91+, Firefox ESR 78.13+, Firefox 91+

Vendor Advisory: https://www.mozilla.org/security/advisories/mfsa2021-33/

Restart Required: Yes

Instructions:

1. Open Thunderbird/Firefox.
2. Go to Help > About.
3. Allow the automatic update to download and install.
4. Restart when prompted.

For enterprise: deploy the updated packages via your management system.

🔧 Temporary Workarounds

Disable JavaScript (all platforms)

Prevents exploitation by blocking JavaScript execution.

In Firefox/Thunderbird: about:config > javascript.enabled = false

🧯 If You Can't Patch

  • Network segmentation to isolate vulnerable systems
  • Use application allowlisting to prevent execution of unpatched browsers

🔍 How to Verify

Check if Vulnerable:

Check version in Thunderbird: Help > About Thunderbird; Firefox: Help > About Firefox

Check Version:

On Linux: thunderbird --version or firefox --version

Verify Fix Applied:

Confirm version is Thunderbird ≥78.13 or ≥91, Firefox ESR ≥78.13, or Firefox ≥91
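The version check above, as an added script that is not part of this advisory: it parses the `--version` output of Firefox or Thunderbird and applies the fixed-release rule from this page (78.x line fixed from 78.13, every other line fixed from 91). The output formats "Mozilla Firefox 78.13.0esr" / "Thunderbird 78.12.0" are assumed.

```shell
#!/bin/sh
# Added example, not from the Mozilla advisory. Classifies a Firefox or
# Thunderbird version against the CVE-2021-29984 fixed releases listed above.

# is_fixed "<version>": exit 0 if fixed, 1 if vulnerable, 2 if unparseable.
# Release-line rule: the 78.x ESR line is fixed from 78.13; every other line
# is fixed only from 91.0, so release builds 79 through 90 are all vulnerable.
is_fixed() {
    ver=$1
    major=${ver%%.*}
    rest=${ver#*.}
    [ "$rest" = "$ver" ] && rest=0      # bare "91" -> minor 0
    minor=${rest%%.*}
    case "$major$minor" in *[!0-9]*|"") return 2 ;; esac
    if [ "$major" -eq 78 ]; then
        [ "$minor" -ge 13 ]
    else
        [ "$major" -ge 91 ]
    fi
}

# version_from_output "Mozilla Firefox 78.13.0esr" -> "78.13.0"
# Assumes the version is the last token; the ESR "esr" suffix is stripped.
version_from_output() {
    set -- $1
    eval "v=\${$#}"
    printf '%s\n' "${v%esr}"
}

# check_binary <name>: query the installed binary and report its status.
check_binary() {
    bin=$1
    command -v "$bin" >/dev/null 2>&1 || { echo "$bin: not installed"; return 0; }
    out=$("$bin" --version 2>/dev/null) || { echo "$bin: could not query version"; return 2; }
    v=$(version_from_output "$out")
    if is_fixed "$v"; then
        echo "$bin $v: fixed"
    else
        echo "$bin $v: VULNERABLE (CVE-2021-29984)"; return 1
    fi
}

# Usage: run on the host; a non-zero status means at least one vulnerable build.
status=0
for b in firefox thunderbird; do check_binary "$b" || status=1; done
```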

📡 Detection & Monitoring

Log Indicators:

  • Application crash logs with memory access violations
  • Unexpected process termination

Network Indicators:

  • Unusual outbound connections from browser processes

SIEM Query:

EventID=1000 OR EventID=1001 (Windows Application Error) with process name thunderbird.exe or firefox.exe
