CVE-2023-5728 – A use-after-free vulnerability in Firefox, Fire... (How to Fix)

Q: How do I fix CVE-2023-5728?

1. Open affected application. 2. Go to Help > About Firefox/Thunderbird. 3. Allow automatic update to complete. 4. Restart application when prompted.

Q: What is the severity of CVE-2023-5728?

CVE-2023-5728 has a CVSS score of 7.5 (HIGH). A use-after-free vulnerability in Firefox, Firefox ESR, and Thunderbird garbage collection could allow attackers to cause a crash or potentially execute arbitrary code. This affects users running vulnerable versions of these Mozilla applications. The vulnerability occurs when garbage collection performs operations on objects that should no longer be accessible.

📋 TL;DR

A use-after-free vulnerability in Firefox, Firefox ESR, and Thunderbird garbage collection could allow attackers to cause a crash or potentially execute arbitrary code. This affects users running vulnerable versions of these Mozilla applications. The vulnerability occurs when garbage collection performs operations on objects that should no longer be accessible.

💻 Affected Systems

Products:

Firefox
Firefox ESR
Thunderbird

Versions: Firefox < 119, Firefox ESR < 115.4, Thunderbird < 115.4.1

Operating Systems: All platforms where affected versions run

Default Config Vulnerable: ⚠️ Yes

Notes: All default configurations of affected versions are vulnerable. No special configuration required for exploitation.

📦 What is this software?

⚠️ Risk & Real-World Impact

🔴

Worst Case

Remote code execution leading to complete system compromise, data theft, or malware installation.

🟠

Likely Case

Application crash (denial of service) or limited memory corruption leading to unstable behavior.

🟢

If Mitigated

No impact if patched versions are deployed or vulnerable applications are not used.

🌐 Internet-Facing: HIGH - Web browsers process untrusted content from the internet, making them prime targets.

🏢 Internal Only: MEDIUM - Internal users could be targeted via malicious internal websites or documents.

🎯 Exploit Status

Public PoC: ✅ No

Weaponized: UNKNOWN

Unauthenticated Exploit: ⚠️ Yes

Complexity: HIGH

Exploitation requires triggering specific garbage collection conditions. No public exploit code has been disclosed.

🛠️ Fix & Mitigation

✅ Official Fix

Patch Version: Firefox 119+, Firefox ESR 115.4+, Thunderbird 115.4.1+

Vendor Advisory: https://bugzilla.mozilla.org/show_bug.cgi?id=1852729

Restart Required: Yes

Instructions:

1. Open affected application. 2. Go to Help > About Firefox/Thunderbird. 3. Allow automatic update to complete. 4. Restart application when prompted.

🔧 Temporary Workarounds

Disable JavaScript

all

Prevents execution of malicious JavaScript that could trigger the vulnerability.

about:config -> javascript.enabled = false

Use alternative browser

all

Temporarily switch to a non-vulnerable browser until patches are applied.

🧯 If You Can't Patch

Restrict access to untrusted websites and email content
Implement application whitelisting to prevent execution of vulnerable versions

🔍 How to Verify

Check if Vulnerable:

Check application version in Help > About Firefox/Thunderbird and compare to affected versions.

Check Version:

firefox --version | thunderbird --version

Verify Fix Applied:

Confirm version is Firefox 119+, Firefox ESR 115.4+, or Thunderbird 115.4.1+.

📡 Detection & Monitoring

Log Indicators:

Application crash logs with memory access violations
Unexpected termination of Firefox/Thunderbird processes

Network Indicators:

Unusual outbound connections following browser crashes

SIEM Query:

EventID=1000 OR EventID=1001 AND ProcessName="firefox.exe" OR ProcessName="thunderbird.exe"

📊 Metadata

CVE ID: CVE-2023-5728

CVSS v3 Score: 7.5 (HIGH)

CVSS Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H

CWE: CWE-416

Published: October 25, 2023

Last Updated: November 21, 2024

🔗 References

https://bugzilla.mozilla.org/show_bug.cgi?id=1852729 Issue Tracking,Vendor Advisory
https://lists.debian.org/debian-lts-announce/2023/10/msg00037.html Mailing List,Third Party Advisory
https://lists.debian.org/debian-lts-announce/2023/10/msg00042.html Mailing List,Third Party Advisory
https://www.debian.org/security/2023/dsa-5535 Mailing List,Third Party Advisory
https://www.debian.org/security/2023/dsa-5538 Third Party Advisory
https://www.mozilla.org/security/advisories/mfsa2023-45/ Vendor Advisory
https://www.mozilla.org/security/advisories/mfsa2023-46/ Vendor Advisory
https://www.mozilla.org/security/advisories/mfsa2023-47/ Vendor Advisory
https://bugzilla.mozilla.org/show_bug.cgi?id=1852729 Issue Tracking,Vendor Advisory
https://lists.debian.org/debian-lts-announce/2023/10/msg00037.html Mailing List,Third Party Advisory
https://lists.debian.org/debian-lts-announce/2023/10/msg00042.html Mailing List,Third Party Advisory
https://www.debian.org/security/2023/dsa-5535 Mailing List,Third Party Advisory
https://www.debian.org/security/2023/dsa-5538 Third Party Advisory
https://www.mozilla.org/security/advisories/mfsa2023-45/ Vendor Advisory
https://www.mozilla.org/security/advisories/mfsa2023-46/ Vendor Advisory
https://www.mozilla.org/security/advisories/mfsa2023-47/ Vendor Advisory

📤 Share & Export

📄 Export Markdown 📋 Export JSON

🔗 Related Vulnerabilities

If you're affected by CVE-2023-5728, you might also want to check these: