CVE-2023-4582

8.8 HIGH

📋 TL;DR

This vulnerability allows buffer overflow attacks in Firefox on macOS due to insufficient memory allocation checks in ANGLE's GLSL shader processing. An attacker could exploit it to execute arbitrary code or crash the browser. Only Firefox, Firefox ESR, and Thunderbird on macOS are affected.

💻 Affected Systems

Products:
  • Firefox
  • Firefox ESR
  • Thunderbird
Versions: Firefox < 117, Firefox ESR < 115.2, Thunderbird < 115.2
Operating Systems: macOS
Default Config Vulnerable: ⚠️ Yes
Notes: Only affects macOS systems. Windows and Linux systems are not vulnerable.

⚠️ Risk & Real-World Impact

🔴 Worst Case: Remote code execution leading to full system compromise, data theft, or malware installation
🟠 Likely Case: Browser crash (denial of service) or limited memory corruption
🟢 If Mitigated: No impact if patched versions are deployed

🌐 Internet-Facing: HIGH - Web browsers are directly exposed to malicious web content
🏢 Internal Only: MEDIUM - Internal users could be targeted via malicious internal sites or emails

🎯 Exploit Status

Public PoC: ✅ No
Weaponized: UNKNOWN
Unauthenticated Exploit: ⚠️ Yes
Complexity: MEDIUM

Exploitation requires crafting malicious GLSL shaders, but no public exploits are known.

🛠️ Fix & Mitigation

✅ Official Fix

Patch Version: Firefox 117+, Firefox ESR 115.2+, Thunderbird 115.2+

Vendor Advisory: https://www.mozilla.org/security/advisories/mfsa2023-34/

Restart Required: Yes

Instructions:

1. Open Firefox/Thunderbird.
2. Click menu → Help → About Firefox/Thunderbird.
3. Allow the automatic update to complete.
4. Restart the browser when prompted.

🔧 Temporary Workarounds

Disable WebGL (applies to: all)

Prevents GLSL shader execution, which mitigates the vulnerability.

about:config → webgl.disabled → true

Use alternative browser (applies to: all)

Temporarily switch to Chrome, Safari, or another browser until patched.

🧯 If You Can't Patch

  • Restrict access to untrusted websites and disable JavaScript where possible
  • Implement network filtering to block malicious web content

🔍 How to Verify

Check if Vulnerable:

Check browser version in About Firefox/Thunderbird menu

Check Version:

Firefox: about:support → Application Basics → Version. Thunderbird: Help → About Thunderbird

Verify Fix Applied:

Confirm version is Firefox ≥117, Firefox ESR ≥115.2, or Thunderbird ≥115.2
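To apply the version check above and the webgl.disabled workaround across several macOS machines, here is an added shell script (not from the advisory or from Mozilla). It assumes the labels firefox, firefox-esr and thunderbird for the three products, reads the bundle version from an app's Info.plist, and checks a profile's prefs.js for the workaround setting; the sample prefs.js content is constructed.

```shell
#!/bin/sh
# Added example (not Mozilla's code): fleet check for CVE-2023-4582 on macOS.
# Product labels firefox / firefox-esr / thunderbird are an assumed convention.

# version_lt A B: exit 0 when dotted version A is numerically lower than B.
# Trailing text such as "esr" is ignored ("115.2.0esr" compares as 115.2.0).
version_lt() {
  awk -v a="$1" -v b="$2" 'BEGIN {
    na = split(a, x, "."); nb = split(b, y, ".");
    n = (na > nb) ? na : nb;
    for (i = 1; i <= n; i++) {
      ai = (i <= na) ? x[i] + 0 : 0; bi = (i <= nb) ? y[i] + 0 : 0;
      if (ai < bi) exit 0; if (ai > bi) exit 1;
    }
    exit 1 }'
}

# fixed_version PRODUCT: first fixed release named in the advisory.
fixed_version() {
  case "$1" in
    firefox) echo 117 ;;
    firefox-esr|thunderbird) echo 115.2 ;;
    *) return 1 ;;
  esac
}

# is_vulnerable PRODUCT VERSION: exit 0 when VERSION predates the fix.
is_vulnerable() {
  fixed=$(fixed_version "$1") || return 2
  version_lt "$2" "$fixed"
}

# installed_version APP: read the bundle version, e.g. APP=/Applications/Firefox.app.
installed_version() {
  defaults read "$1/Contents/Info.plist" CFBundleShortVersionString 2>/dev/null
}

# webgl_disabled PREFS_FILE: exit 0 when the profile's prefs.js sets webgl.disabled to true.
webgl_disabled() {
  grep -Eq '^user_pref\("webgl\.disabled",[[:space:]]*true\);' "$1"
}

# Constructed sample profile: a vulnerable ESR build with the workaround applied.
sample=$(mktemp)
printf 'user_pref("webgl.disabled", true);\n' > "$sample"
if is_vulnerable firefox-esr 115.1.0; then echo "firefox-esr 115.1.0: vulnerable"; fi
if webgl_disabled "$sample"; then echo "workaround: webgl.disabled is true"; fi
rm -f "$sample"
```

On a real machine, pair the two checks as `is_vulnerable firefox "$(installed_version /Applications/Firefox.app)"` and point webgl_disabled at the profile's prefs.js under ~/Library/Application Support.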

📡 Detection & Monitoring

Log Indicators:

  • Browser crash reports
  • Memory allocation failures in system logs

Network Indicators:

  • Unusual web traffic to sites hosting WebGL content

SIEM Query:

source="firefox.log" AND ("crash" OR "segfault" OR "memory")
