CVE-2021-43539

8.8 HIGH

📋 TL;DR

A use-after-free vulnerability in Mozilla's WebAssembly (wasm) implementation could allow an attacker to cause memory corruption and potentially execute arbitrary code. This affects Thunderbird, Firefox ESR, and Firefox when processing malicious web content. Users of outdated versions are at risk.

💻 Affected Systems

Products:
  • Mozilla Thunderbird
  • Mozilla Firefox ESR
  • Mozilla Firefox
Versions: Thunderbird < 91.4.0, Firefox ESR < 91.4.0, Firefox < 95
Operating Systems: Windows, Linux, macOS, Other platforms running affected versions
Default Config Vulnerable: ⚠️ Yes
Notes: All default configurations are vulnerable. WebAssembly must be enabled (default).

📦 What is this software?

⚠️ Risk & Real-World Impact

🔴

Worst Case

Remote code execution leading to complete system compromise, data theft, or ransomware deployment.

🟠

Likely Case

Application crash (denial of service) or limited memory corruption that could be leveraged for further exploitation.

🟢

If Mitigated

No impact if patched; unpatched systems with strict content filtering may still be vulnerable to targeted attacks.

🌐 Internet-Facing: HIGH - Web browsers and email clients regularly process untrusted content from the internet.
🏢 Internal Only: MEDIUM - Internal web applications using wasm could be leveraged, but attack surface is smaller.

🎯 Exploit Status

Public PoC: ✅ No
Weaponized: UNKNOWN
Unauthenticated Exploit: ⚠️ Yes
Complexity: MEDIUM

Exploitation requires crafting malicious wasm content, but no public proof-of-concept has been released.

🛠️ Fix & Mitigation

✅ Official Fix

Patch Version: Thunderbird 91.4.0, Firefox ESR 91.4.0, Firefox 95

Vendor Advisory: https://bugzilla.mozilla.org/show_bug.cgi?id=1739683

Restart Required: Yes

Instructions:

1. Open the application.
2. Go to Help > About.
3. Allow the automatic update to download and install.
4. Restart when prompted.

🔧 Temporary Workarounds

Disable WebAssembly (applies to all platforms)

Prevents execution of wasm content, mitigating the vulnerability but breaking functionality that depends on it.

In Firefox/Thunderbird: Set javascript.options.wasm to false in about:config

🧯 If You Can't Patch

  • Restrict access to untrusted websites and email content.
  • Use application sandboxing or isolation techniques to limit potential damage.

🔍 How to Verify

Check if Vulnerable:

Check the application version in Help > About. If the version is below the patched version for that product, the system is vulnerable.

Check Version:

firefox --version or thunderbird --version on Linux/macOS; check About dialog on Windows.

Verify Fix Applied:

Confirm version is Thunderbird ≥ 91.4.0, Firefox ESR ≥ 91.4.0, or Firefox ≥ 95.
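The version check above, written out as a POSIX shell script so it can run across a fleet of Linux/macOS hosts. This is an added example, not part of the advisory. It assumes the fixed versions stated on this page (Firefox 95, Firefox ESR 91.4.0, Thunderbird 91.4.0), that firefox --version and thunderbird --version print a line ending in the version number, and that any 91.x Firefox build is on the ESR branch (mainline Firefox 91 never reached 91.4, so every 91.x below 91.4.0 is vulnerable either way); the function names are assumptions of this example.

```shell
#!/bin/sh
# Added example (not from the advisory): classify an installed Firefox or
# Thunderbird build as patched or vulnerable for CVE-2021-43539.
# Fixed versions taken from this page: Firefox 95, Firefox ESR 91.4.0,
# Thunderbird 91.4.0. Assumption: a 91.x Firefox build is the ESR branch.

# version_ge A B: returns 0 when dotted version A >= B, 1 otherwise.
# Non-numeric suffixes such as "esr" or "b3" are ignored; missing
# components are treated as 0 (so 95 == 95.0 == 95.0.0).
version_ge() {
    a="$1" b="$2"
    while [ -n "$a" ] || [ -n "$b" ]; do
        ai=${a%%.*}; bi=${b%%.*}
        if [ "$ai" = "$a" ]; then a=""; else a=${a#*.}; fi
        if [ "$bi" = "$b" ]; then b=""; else b=${b#*.}; fi
        ai=${ai%%[!0-9]*}; bi=${bi%%[!0-9]*}   # strip "esr", "b3", ...
        ai=${ai:-0}; bi=${bi:-0}
        if [ "$ai" -gt "$bi" ]; then return 0; fi
        if [ "$ai" -lt "$bi" ]; then return 1; fi
    done
    return 0
}

# parse_version_line LINE: extract the version from "--version" output,
# e.g. "Mozilla Firefox 95.0.1" -> "95.0.1", "Mozilla Thunderbird 91.4.0esr" -> "91.4.0".
parse_version_line() {
    printf '%s\n' "$1" | sed -n 's/.* \([0-9][0-9.]*\)[A-Za-z]*$/\1/p'
}

# fixed_for_cve_2021_43539 PRODUCT VERSION: 0 if patched, 1 if vulnerable,
# 2 for an unknown product.
fixed_for_cve_2021_43539() {
    product="$1" ver="$2"
    case "$product" in
        thunderbird) version_ge "$ver" 91.4.0 ;;
        firefox)
            case "$ver" in
                91.*) version_ge "$ver" 91.4.0 ;;   # ESR branch (assumption)
                *)    version_ge "$ver" 95 ;;      # mainline release
            esac ;;
        *) return 2 ;;
    esac
}

# check_installed: query whichever of the two binaries is on PATH and report.
check_installed() {
    for bin in firefox thunderbird; do
        command -v "$bin" >/dev/null 2>&1 || continue
        line=$("$bin" --version 2>/dev/null) || continue
        ver=$(parse_version_line "$line")
        if fixed_for_cve_2021_43539 "$bin" "$ver"; then
            echo "$bin $ver: patched (CVE-2021-43539)"
        else
            echo "$bin $ver: VULNERABLE (CVE-2021-43539), update required"
        fi
    done
}

# Run the live check only when invoked as: sh check_cve_2021_43539.sh --check
if [ "${1:-}" = "--check" ]; then check_installed; fi
```

The 91.x branch logic is the part worth checking in your own environment: a mainline Firefox 92, 93 or 94 is below 95 and therefore reported vulnerable, while 91.4.0esr is reported patched, which matches the version table on this page. On Windows the About dialog remains the reference, since the --version flag is not available there in the same way.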

📡 Detection & Monitoring

Log Indicators:

  • Application crash logs referencing wasm or memory corruption
  • Unexpected process termination

Network Indicators:

  • Unusual wasm module downloads or execution patterns

SIEM Query:

source="*browser.log" AND ("crash" OR "segfault") AND "wasm"

🔗 References