CVE-2021-29988

8.8 HIGH

📋 TL;DR

This vulnerability in Firefox and Thunderbird involves incorrect handling of inline list-item elements as block elements, leading to out-of-bounds memory reads or corruption. Attackers could exploit this to cause crashes or potentially execute arbitrary code. It affects Firefox versions before 91, Firefox ESR before 78.13, and Thunderbird before 78.13 or 91.

💻 Affected Systems

Products:
  • Mozilla Firefox
  • Mozilla Firefox ESR
  • Mozilla Thunderbird
Versions: Firefox < 91, Firefox ESR < 78.13, Thunderbird < 78.13, Thunderbird < 91
Operating Systems: Windows, Linux, macOS, Other platforms supported by Firefox/Thunderbird
Default Config Vulnerable: ⚠️ Yes
Notes: All default configurations are vulnerable. No special settings required for exploitation.

⚠️ Risk & Real-World Impact

🔴

Worst Case

Remote code execution leading to complete system compromise, data theft, or malware installation.

🟠

Likely Case

Application crash (denial of service) or limited memory corruption that could be leveraged for further exploitation.

🟢

If Mitigated

No impact if patched versions are deployed or vulnerable browsers are not used.

🌐 Internet-Facing: HIGH - Web browsers process untrusted content from the internet, making exploitation trivial via malicious websites.
🏢 Internal Only: MEDIUM - Internal users could be targeted via phishing or compromised internal sites, but requires user interaction.

🎯 Exploit Status

Public PoC: ✅ No
Weaponized: UNKNOWN
Unauthenticated Exploit: ⚠️ Yes
Complexity: MEDIUM

Exploitation requires user to visit a malicious website or open a crafted email (for Thunderbird). No authentication needed.

🛠️ Fix & Mitigation

✅ Official Fix

Patch Version: Firefox 91, Firefox ESR 78.13, Thunderbird 78.13, Thunderbird 91

Vendor Advisory: https://www.mozilla.org/security/advisories/mfsa2021-33/

Restart Required: Yes

Instructions:

1. Open Firefox/Thunderbird.
2. Go to Menu > Help > About Firefox/Thunderbird.
3. Allow automatic update check and installation.
4. Restart the application when prompted.

🔧 Temporary Workarounds

Disable JavaScript

all

Prevents execution of malicious scripts that could trigger the vulnerability.

about:config -> javascript.enabled = false

Use Content Security Policy

all

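Restrict inline styles and scripts via CSP headers on web servers. This hardens content served from sites you operate; it does not protect users who browse to attacker-controlled pages.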

Content-Security-Policy: default-src 'self'

🧯 If You Can't Patch

  • Restrict browser usage to trusted websites only via network policies or proxy filtering.
  • Deploy application whitelisting to prevent execution of unpatched browser versions.

🔍 How to Verify

Check if Vulnerable:

Check browser version in About Firefox/Thunderbird dialog. If version is below patched versions, system is vulnerable.

Check Version:

firefox --version or thunderbird --version on Linux/macOS; check About dialog on Windows.

Verify Fix Applied:

Confirm version is Firefox ≥91, Firefox ESR ≥78.13, Thunderbird ≥78.13 or ≥91 after update.
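
One way to script the version check above across hosts, as an added example that is not part of the original advisory. The function name `cve_2021_29988_status` is hypothetical, the sample banners are constructed, and the banner format (product name present, ESR builds suffixed with "esr") is an assumption.

```shell
#!/bin/sh
# Added example: classify a `firefox --version` / `thunderbird --version`
# banner against the fixed versions this page lists for CVE-2021-29988.
# Prints one of: vulnerable, fixed, unknown.
cve_2021_29988_status() {
    line=$1
    esr=0
    # Assumption: the banner names the product and ESR builds carry "esr".
    case $line in
        *Thunderbird*) product=thunderbird ;;
        *Firefox*)     product=firefox ;;
        *)             echo unknown; return 0 ;;
    esac
    case $line in *esr*) esr=1 ;; esac
    # First dotted number in the banner, e.g. 78.12.0 from "78.12.0esr".
    ver=$(printf '%s\n' "$line" |
        sed -n 's/^[^0-9]*\([0-9][0-9]*\(\.[0-9][0-9]*\)*\).*$/\1/p')
    if [ -z "$ver" ]; then echo unknown; return 0; fi
    major=${ver%%.*}
    case $ver in
        *.*) rest=${ver#*.}; minor=${rest%%.*} ;;
        *)   minor=0 ;;
    esac
    if [ "$major" -ge 91 ]; then
        echo fixed            # Firefox 91 / Thunderbird 91 and later
    elif [ "$major" -eq 78 ] && [ "$minor" -ge 13 ] &&
         { [ "$product" = thunderbird ] || [ "$esr" -eq 1 ]; }; then
        echo fixed            # 78.13+ on the ESR / Thunderbird 78 branch
    else
        echo vulnerable       # everything below the patched versions
    fi
}

# Constructed sample banners, not captured from real hosts.
while IFS= read -r banner; do
    printf '%-30s %s\n' "$banner" "$(cve_2021_29988_status "$banner")"
done <<'EOF'
Mozilla Firefox 90.0.2
Mozilla Firefox 91.0
Mozilla Firefox 78.12.0esr
Mozilla Firefox 78.13.0esr
Mozilla Thunderbird 78.12.0
Mozilla Thunderbird 91.0
EOF
```

On a live Linux/macOS host, pass the real banner instead, for example `cve_2021_29988_status "$(firefox --version)"`.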

📡 Detection & Monitoring

Log Indicators:

  • Browser crash reports with memory corruption signatures
  • Unexpected process termination of firefox/thunderbird

Network Indicators:

  • Requests to known malicious domains hosting exploit code
  • Unusual outbound connections after browser crash

SIEM Query:

process_name IN ('firefox', 'thunderbird') AND event_type='crash'
