Login Sign Up

CVE-2023-5170

7.4 HIGH

📋 TL;DR

This vulnerability in Firefox's canvas rendering allows a compromised content process to cause unexpected surface changes, leading to memory leaks in privileged processes. Attackers could exploit these leaks to escape the browser sandbox and execute arbitrary code. It affects Firefox versions before 118.

💻 Affected Systems

Products:
  • Mozilla Firefox
Versions: All versions < 118
Operating Systems: Windows, Linux, macOS, Android
Default Config Vulnerable: ⚠️ Yes
Notes: All standard Firefox installations are vulnerable. Extensions or security settings do not mitigate this vulnerability.

📦 What is this software?

Firefox by Mozilla

View all CVEs affecting Firefox →

⚠️ Risk & Real-World Impact

🔴

Worst Case

Full sandbox escape leading to arbitrary code execution with browser process privileges, potentially compromising the entire system.

🟠

Likely Case

Memory corruption leading to browser crashes or limited information disclosure from privileged memory regions.

🟢

If Mitigated

Browser crash with no privilege escalation if sandbox protections hold or memory leaks contain non-sensitive data.

🌐 Internet-Facing: HIGH - Web browsers are directly exposed to malicious web content and JavaScript.
🏢 Internal Only: LOW - Requires user interaction with malicious content, not typically an internal network threat.

🎯 Exploit Status

Public PoC: ✅ No
Weaponized: UNKNOWN
Unauthenticated Exploit: ⚠️ Yes
Complexity: HIGH

Exploitation requires specific memory manipulation and timing to achieve sandbox escape. No public exploits have been confirmed.

🛠️ Fix & Mitigation

✅ Official Fix

Patch Version: Firefox 118 and later

Vendor Advisory: https://www.mozilla.org/security/advisories/mfsa2023-41/

Restart Required: Yes

Instructions:

1. Open Firefox. 2. Click menu → Help → About Firefox. 3. Allow automatic update to version 118 or higher. 4. Restart Firefox when prompted.

🔧 Temporary Workarounds

Disable JavaScript

all

Prevents malicious JavaScript from exploiting the canvas rendering vulnerability

about:config → javascript.enabled = false

Use Alternative Browser

all

Temporarily switch to a non-vulnerable browser until Firefox is updated

🧯 If You Can't Patch

  • Restrict browser usage to trusted websites only
  • Implement application whitelisting to prevent unauthorized browser execution

🔍 How to Verify

Check if Vulnerable:

Check Firefox version in about:about or via Help → About Firefox

Check Version:

firefox --version (Linux/macOS) or check About Firefox (Windows)

Verify Fix Applied:

Confirm Firefox version is 118 or higher in about:about

📡 Detection & Monitoring

Log Indicators:

  • Firefox crash reports with memory access violations
  • Unexpected browser process memory spikes

Network Indicators:

  • Requests to known malicious domains serving canvas-based exploits

SIEM Query:

source="firefox.log" AND ("crash" OR "memory" OR "access violation")

📊 Metadata

CVE ID: CVE-2023-5170
CVSS v3 Score: 7.4 (HIGH)
CVSS Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:H/I:N/A:N
CWE: CWE-401
Published: September 27, 2023
Last Updated: November 21, 2024

🔗 References

📤 Share & Export

📄 Export Markdown 📋 Export JSON

🔗 Related Vulnerabilities

If you're affected by CVE-2023-5170, you might also want to check these:

CVE-2021-40633 8.8

CVE-2021-40633 is a memory leak vulnerability in gif2rgb, a utility in giflib 5.1.4, allowing remote...

Same vulnerability type (CWE-401)
CVE-2021-3492 8.8

CVE-2021-3492 is a kernel vulnerability in Ubuntu's Shiftfs filesystem where improper error handling...

Same vulnerability type (CWE-401)
CVE-2024-25450 8.8

CVE-2024-25450 is a memory allocation vulnerability in imlib2 v1.9.1's init_imlib_fonts() function t...

Same vulnerability type (CWE-401)