CVE-2021-29986 – A race condition in the getaddrinfo function in... (How to Fix)

Q: How do I fix CVE-2021-29986?

1. Update Thunderbird to version 78.13 or 91+ via built-in updater or package manager. 2. Update Firefox to version 91+ or Firefox ESR to 78.13+ via built-in updater or package manager. 3. Restart the application after update.

Q: What is the severity of CVE-2021-29986?

CVE-2021-29986 has a CVSS score of 8.1 (HIGH). A race condition in the getaddrinfo function in Mozilla Thunderbird and Firefox on Linux systems could cause memory corruption and lead to a potentially exploitable crash. This vulnerability could allow attackers to execute arbitrary code or cause denial of service. It affects Thunderbird versions before 78.13 and 91, and Firefox ESR before 78.13 and Firefox before 91.

📋 TL;DR

A race condition in the getaddrinfo function in Mozilla Thunderbird and Firefox on Linux systems could cause memory corruption and lead to a potentially exploitable crash. This vulnerability could allow attackers to execute arbitrary code or cause denial of service. It affects Thunderbird versions before 78.13 and 91, and Firefox ESR before 78.13 and Firefox before 91.

💻 Affected Systems

Products:

Mozilla Thunderbird
Mozilla Firefox
Mozilla Firefox ESR

Versions: Thunderbird < 78.13, Thunderbird < 91, Firefox ESR < 78.13, Firefox < 91

Operating Systems: Linux

Default Config Vulnerable: ⚠️ Yes

Notes: Only affects Linux operating systems. Other OS like Windows and macOS are unaffected.

📦 What is this software?

⚠️ Risk & Real-World Impact

🔴

Worst Case

Remote code execution leading to complete system compromise, data theft, or installation of persistent malware.

🟠

Likely Case

Application crash causing denial of service, potentially leading to data loss or disruption of email/browsing services.

🟢

If Mitigated

Limited impact with proper network segmentation and application sandboxing, potentially just application restart required.

🌐 Internet-Facing: MEDIUM

🏢 Internal Only: LOW

🎯 Exploit Status

Public PoC: ✅ No

Weaponized: UNKNOWN

Unauthenticated Exploit: ⚠️ Yes

Complexity: HIGH

Race conditions are difficult to exploit reliably, requiring precise timing. No public exploit code has been identified.

🛠️ Fix & Mitigation

✅ Official Fix

Patch Version: Thunderbird 78.13, Thunderbird 91, Firefox ESR 78.13, Firefox 91

Vendor Advisory: https://www.mozilla.org/security/advisories/mfsa2021-33/

Restart Required: Yes

Instructions:

1. Update Thunderbird to version 78.13 or 91+ via built-in updater or package manager. 2. Update Firefox to version 91+ or Firefox ESR to 78.13+ via built-in updater or package manager. 3. Restart the application after update.

🔧 Temporary Workarounds

Disable automatic DNS resolution

linux

Configure applications to use static DNS entries or disable certain network features that trigger getaddrinfo calls.

Network filtering

all

Use firewall rules to restrict network access to Thunderbird/Firefox instances, limiting exposure to malicious DNS responses.

🧯 If You Can't Patch

Restrict network access to vulnerable applications using host-based firewalls or network segmentation.
Monitor for abnormal application crashes or memory usage patterns that might indicate exploitation attempts.

🔍 How to Verify

Check if Vulnerable:

Check application version in Thunderbird: Help > About Thunderbird; in Firefox: Help > About Firefox. Verify version is below patched versions.

Check Version:

thunderbird --version; firefox --version

Verify Fix Applied:

Confirm application version matches or exceeds Thunderbird 78.13/91, Firefox 91, or Firefox ESR 78.13.

📡 Detection & Monitoring

Log Indicators:

Application crash logs with segmentation fault or memory corruption errors
Unusual process termination of Thunderbird/Firefox

Network Indicators:

Suspicious DNS queries preceding application crashes
Unusual network traffic patterns to/from Thunderbird/Firefox instances

SIEM Query:

source="application_logs" AND (process="thunderbird" OR process="firefox") AND (event="crash" OR event="segmentation fault")

📊 Metadata

CVE ID: CVE-2021-29986

CVSS v3 Score: 8.1 (HIGH)

CVSS Vector: CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H

CWE: CWE-362

Published: August 17, 2021

Last Updated: November 21, 2024

🔗 References

https://bugzilla.mozilla.org/show_bug.cgi?id=1696138 Exploit,Issue Tracking,Vendor Advisory
https://security.gentoo.org/glsa/202202-03 Third Party Advisory
https://security.gentoo.org/glsa/202208-14 Third Party Advisory
https://www.mozilla.org/security/advisories/mfsa2021-33/ Vendor Advisory
https://www.mozilla.org/security/advisories/mfsa2021-34/ Vendor Advisory
https://www.mozilla.org/security/advisories/mfsa2021-35/ Vendor Advisory
https://www.mozilla.org/security/advisories/mfsa2021-36/ Vendor Advisory
https://bugzilla.mozilla.org/show_bug.cgi?id=1696138 Exploit,Issue Tracking,Vendor Advisory
https://security.gentoo.org/glsa/202202-03 Third Party Advisory
https://security.gentoo.org/glsa/202208-14 Third Party Advisory
https://www.mozilla.org/security/advisories/mfsa2021-33/ Vendor Advisory
https://www.mozilla.org/security/advisories/mfsa2021-34/ Vendor Advisory
https://www.mozilla.org/security/advisories/mfsa2021-35/ Vendor Advisory
https://www.mozilla.org/security/advisories/mfsa2021-36/ Vendor Advisory

📤 Share & Export

📄 Export Markdown 📋 Export JSON

🔗 Related Vulnerabilities

If you're affected by CVE-2021-29986, you might also want to check these: