{"dataType": "CVE_RECORD", "dataVersion": "5.1", "cveMetadata": {"state": "PUBLISHED", "cveId": "CVE-2022-46881", "assignerOrgId": "f16b083a-5664-49f3-a51e-8d479e5ed7fe", "assignerShortName": "mozilla", "dateUpdated": "2024-08-03T14:39:38.732Z", "dateReserved": "2022-12-09T00:00:00", "datePublished": "2022-12-22T00:00:00"}, "containers": {"cna": {"affected": [{"product": "Firefox", "vendor": "Mozilla", "versions": [{"lessThan": "106", "status": "affected", "version": "unspecified", "versionType": "custom"}]}, {"product": "Firefox ESR", "vendor": "Mozilla", "versions": [{"lessThan": "102.6", "status": "affected", "version": "unspecified", "versionType": "custom"}]}, {"product": "Thunderbird", "vendor": "Mozilla", "versions": [{"lessThan": "102.6", "status": "affected", "version": "unspecified", "versionType": "custom"}]}], "descriptions": [{"lang": "en", "value": "An optimization in WebGL was incorrect in some cases, and could have led to memory corruption and a potentially exploitable crash.\n*Note*: This advisory was added on December 13th, 2022 after we better understood the impact of the issue. The fix was included in the original release of Firefox 106. This vulnerability affects Firefox < 106, Firefox ESR < 102.6, and Thunderbird < 102.6.", "supportingMedia": [{"type": "text/html", "base64": false, "value": "An optimization in WebGL was incorrect in some cases, and could have led to memory corruption and a potentially exploitable crash.<br />*Note*: This advisory was added on December 13th, 2022 after we better understood the impact of the issue. The fix was included in the original release of Firefox 106. This vulnerability affects Firefox < 106, Firefox ESR < 102.6, and Thunderbird < 102.6."}]}], "problemTypes": [{"descriptions": [{"description": "Memory corruption in WebGL", "lang": "en", "type": "text"}]}], "references": [{"url": "https://bugzilla.mozilla.org/show_bug.cgi?id=1770930"}, {"name": "GLSA-202305-06", "tags": ["vendor-advisory"], "url": "https://security.gentoo.org/glsa/202305-06"}, {"name": "GLSA-202305-13", "tags": ["vendor-advisory"], "url": "https://security.gentoo.org/glsa/202305-13"}, {"url": "https://www.mozilla.org/security/advisories/mfsa2022-44/"}, {"url": "https://www.mozilla.org/security/advisories/mfsa2022-52/"}, {"url": "https://www.mozilla.org/security/advisories/mfsa2022-53/"}], "credits": [{"lang": "en", "value": "Karl and an Anonymous ASAN Nightly User"}], "providerMetadata": {"orgId": "f16b083a-5664-49f3-a51e-8d479e5ed7fe", "shortName": "mozilla", "dateUpdated": "2023-09-13T10:36:40.873Z"}}, "adp": [{"providerMetadata": {"orgId": "af854a3a-2127-422b-91ae-364da2661108", "shortName": "CVE", "dateUpdated": "2024-08-03T14:39:38.732Z"}, "title": "CVE Program Container", "references": [{"url": "https://bugzilla.mozilla.org/show_bug.cgi?id=1770930", "tags": ["x_transferred"]}, {"name": "GLSA-202305-06", "tags": ["vendor-advisory", "x_transferred"], "url": "https://security.gentoo.org/glsa/202305-06"}, {"name": "GLSA-202305-13", "tags": ["vendor-advisory", "x_transferred"], "url": "https://security.gentoo.org/glsa/202305-13"}, {"url": "https://www.mozilla.org/security/advisories/mfsa2022-44/", "tags": ["x_transferred"]}, {"url": "https://www.mozilla.org/security/advisories/mfsa2022-52/", "tags": ["x_transferred"]}, {"url": "https://www.mozilla.org/security/advisories/mfsa2022-53/", "tags": ["x_transferred"]}]}]}}

{}

{"configurations": [{"nodes": [{"cpeMatch": [{"criteria": "cpe:2.3:a:mozilla:firefox:*:*:*:*:*:*:*:*", "matchCriteriaId": "181587B4-3F8B-4B6F-8791-0323506EC07F", "versionEndExcluding": "106.0", "vulnerable": true}, {"criteria": "cpe:2.3:a:mozilla:firefox_esr:*:*:*:*:*:*:*:*", "matchCriteriaId": "D2521C8C-7745-4B25-9B20-6C3AFC1D7AF7", "versionEndExcluding": "102.6", "vulnerable": true}, {"criteria": "cpe:2.3:a:mozilla:thunderbird:*:*:*:*:*:*:*:*", "matchCriteriaId": "895D09F3-D06C-42F6-9937-A6DDCE741FED", "versionEndExcluding": "102.6", "vulnerable": true}], "negate": false, "operator": "OR"}]}], "cveTags": [], "descriptions": [{"lang": "en", "value": "An optimization in WebGL was incorrect in some cases, and could have led to memory corruption and a potentially exploitable crash.\n*Note*: This advisory was added on December 13th, 2022 after we better understood the impact of the issue. The fix was included in the original release of Firefox 106. This vulnerability affects Firefox < 106, Firefox ESR < 102.6, and Thunderbird < 102.6."}, {"lang": "es", "value": "Una optimizaci\u00f3n en WebGL era incorrecta en algunos casos, y podr\u00eda haber provocado da\u00f1os en la memoria y un bloqueo potencialmente explotable. *Nota*: Este aviso se agreg\u00f3 el 13 de diciembre de 2022 despu\u00e9s de que entendi\u00e9ramos mejor el impacto del problema. La correcci\u00f3n se incluy\u00f3 en la versi\u00f3n original de Firefox 106. Esta vulnerabilidad afecta a Firefox &lt; 106, Firefox ESR &lt; 102.6 y Thunderbird &lt; 102.6."}], "id": "CVE-2022-46881", "lastModified": "2023-09-13T11:15:09.737", "metrics": {"cvssMetricV31": [{"cvssData": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "baseScore": 8.8, "baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "REQUIRED", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H", "version": "3.1"}, "exploitabilityScore": 2.8, "impactScore": 5.9, "source": "nvd@nist.gov", "type": "Primary"}]}, "published": "2022-12-22T20:15:47.547", "references": [{"source": "security@mozilla.org", "tags": ["Issue Tracking", "Permissions Required"], "url": "https://bugzilla.mozilla.org/show_bug.cgi?id=1770930"}, {"source": "security@mozilla.org", "url": "https://security.gentoo.org/glsa/202305-06"}, {"source": "security@mozilla.org", "url": "https://security.gentoo.org/glsa/202305-13"}, {"source": "security@mozilla.org", "tags": ["Vendor Advisory"], "url": "https://www.mozilla.org/security/advisories/mfsa2022-44/"}, {"source": "security@mozilla.org", "tags": ["Vendor Advisory"], "url": "https://www.mozilla.org/security/advisories/mfsa2022-52/"}, {"source": "security@mozilla.org", "tags": ["Vendor Advisory"], "url": "https://www.mozilla.org/security/advisories/mfsa2022-53/"}], "sourceIdentifier": "security@mozilla.org", "vulnStatus": "Modified", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-787"}], "source": "nvd@nist.gov", "type": "Primary"}]}

{"acknowledgement": "Red Hat would like to thank the Mozilla project for reporting this issue. Upstream acknowledges Karl and an Anonymous ASAN Nightly User as the original reporter.", "affected_release": [{"advisory": "RHSA-2022:9072", "cpe": "cpe:/o:redhat:enterprise_linux:7", "package": "firefox-0:102.6.0-1.el7_9", "product_name": "Red Hat Enterprise Linux 7", "release_date": "2022-12-15T00:00:00Z"}, {"advisory": "RHSA-2022:9079", "cpe": "cpe:/o:redhat:enterprise_linux:7", "package": "thunderbird-0:102.6.0-2.el7_9", "product_name": "Red Hat Enterprise Linux 7", "release_date": "2022-12-15T00:00:00Z"}, {"advisory": "RHSA-2022:9067", "cpe": "cpe:/a:redhat:enterprise_linux:8", "package": "firefox-0:102.6.0-1.el8_7", "product_name": "Red Hat Enterprise Linux 8", "release_date": "2022-12-15T00:00:00Z"}, {"advisory": "RHSA-2022:9074", "cpe": "cpe:/a:redhat:enterprise_linux:8", "package": "thunderbird-0:102.6.0-2.el8_7", "product_name": "Red Hat Enterprise Linux 8", "release_date": "2022-12-15T00:00:00Z"}, {"advisory": "RHSA-2022:9071", "cpe": "cpe:/a:redhat:rhel_e4s:8.1", "package": "firefox-0:102.6.0-1.el8_1", "product_name": "Red Hat Enterprise Linux 8.1 Update Services for SAP Solutions", "release_date": "2022-12-15T00:00:00Z"}, {"advisory": "RHSA-2022:9077", "cpe": "cpe:/a:redhat:rhel_e4s:8.1", "package": "thunderbird-0:102.6.0-2.el8_1", "product_name": "Red Hat Enterprise Linux 8.1 Update Services for SAP Solutions", "release_date": "2022-12-15T00:00:00Z"}, {"advisory": "RHSA-2022:9070", "cpe": "cpe:/a:redhat:rhel_aus:8.2", "package": "firefox-0:102.6.0-1.el8_2", "product_name": "Red Hat Enterprise Linux 8.2 Advanced Update Support", "release_date": "2022-12-15T00:00:00Z"}, {"advisory": "RHSA-2022:9076", "cpe": "cpe:/a:redhat:rhel_aus:8.2", "package": "thunderbird-0:102.6.0-2.el8_2", "product_name": "Red Hat Enterprise Linux 8.2 Advanced Update Support", "release_date": "2022-12-15T00:00:00Z"}, {"advisory": "RHSA-2022:9070", "cpe": "cpe:/a:redhat:rhel_tus:8.2", "package": "firefox-0:102.6.0-1.el8_2", "product_name": "Red Hat Enterprise Linux 8.2 Telecommunications Update Service", "release_date": "2022-12-15T00:00:00Z"}, {"advisory": "RHSA-2022:9076", "cpe": "cpe:/a:redhat:rhel_tus:8.2", "package": "thunderbird-0:102.6.0-2.el8_2", "product_name": "Red Hat Enterprise Linux 8.2 Telecommunications Update Service", "release_date": "2022-12-15T00:00:00Z"}, {"advisory": "RHSA-2022:9070", "cpe": "cpe:/a:redhat:rhel_e4s:8.2", "package": "firefox-0:102.6.0-1.el8_2", "product_name": "Red Hat Enterprise Linux 8.2 Update Services for SAP Solutions", "release_date": "2022-12-15T00:00:00Z"}, {"advisory": "RHSA-2022:9076", "cpe": "cpe:/a:redhat:rhel_e4s:8.2", "package": "thunderbird-0:102.6.0-2.el8_2", "product_name": "Red Hat Enterprise Linux 8.2 Update Services for SAP Solutions", "release_date": "2022-12-15T00:00:00Z"}, {"advisory": "RHSA-2022:9069", "cpe": "cpe:/a:redhat:rhel_eus:8.4", "package": "firefox-0:102.6.0-1.el8_4", "product_name": "Red Hat Enterprise Linux 8.4 Extended Update Support", "release_date": "2022-12-15T00:00:00Z"}, {"advisory": "RHSA-2022:9075", "cpe": "cpe:/a:redhat:rhel_eus:8.4", "package": "thunderbird-0:102.6.0-2.el8_4", "product_name": "Red Hat Enterprise Linux 8.4 Extended Update Support", "release_date": "2022-12-15T00:00:00Z"}, {"advisory": "RHSA-2022:9068", "cpe": "cpe:/a:redhat:rhel_eus:8.6", "package": "firefox-0:102.6.0-1.el8_6", "product_name": "Red Hat Enterprise Linux 8.6 Extended Update Support", "release_date": "2022-12-15T00:00:00Z"}, {"advisory": "RHSA-2022:9078", "cpe": "cpe:/a:redhat:rhel_eus:8.6", "package": "thunderbird-0:102.6.0-2.el8_6", "product_name": "Red Hat Enterprise Linux 8.6 Extended Update Support", "release_date": "2022-12-15T00:00:00Z"}, {"advisory": "RHSA-2022:9065", "cpe": "cpe:/a:redhat:enterprise_linux:9", "package": "firefox-0:102.6.0-1.el9_1", "product_name": "Red Hat Enterprise Linux 9", "release_date": "2022-12-15T00:00:00Z"}, {"advisory": "RHSA-2022:9080", "cpe": "cpe:/a:redhat:enterprise_linux:9", "package": "thunderbird-0:102.6.0-2.el9_1", "product_name": "Red Hat Enterprise Linux 9", "release_date": "2022-12-15T00:00:00Z"}, {"advisory": "RHSA-2022:9066", "cpe": "cpe:/a:redhat:rhel_eus:9.0", "package": "firefox-0:102.6.0-1.el9_0", "product_name": "Red Hat Enterprise Linux 9.0 Extended Update Support", "release_date": "2022-12-15T00:00:00Z"}, {"advisory": "RHSA-2022:9081", "cpe": "cpe:/a:redhat:rhel_eus:9.0", "package": "thunderbird-0:102.6.0-2.el9_0", "product_name": "Red Hat Enterprise Linux 9.0 Extended Update Support", "release_date": "2022-12-15T00:00:00Z"}], "bugzilla": {"description": "Mozilla: Memory corruption in WebGL", "id": "2153466", "url": "https://bugzilla.redhat.com/show_bug.cgi?id=2153466"}, "csaw": false, "cvss3": {"cvss3_base_score": "8.8", "cvss3_scoring_vector": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H", "status": "verified"}, "cwe": "CWE-119", "details": ["An optimization in WebGL was incorrect in some cases, and could have led to memory corruption and a potentially exploitable crash.\n*Note*: This advisory was added on December 13th, 2022 after we better understood the impact of the issue. The fix was included in the original release of Firefox 106. This vulnerability affects Firefox < 106, Firefox ESR < 102.6, and Thunderbird < 102.6.", "The Mozilla Foundation Security Advisory describes this flaw as:\nAn optimization in WebGL was incorrect in some cases, and could have led to memory corruption and a potentially exploitable crash."], "name": "CVE-2022-46881", "package_state": [{"cpe": "cpe:/o:redhat:enterprise_linux:6", "fix_state": "Out of support scope", "package_name": "firefox", "product_name": "Red Hat Enterprise Linux 6"}, {"cpe": "cpe:/o:redhat:enterprise_linux:6", "fix_state": "Out of support scope", "package_name": "thunderbird", "product_name": "Red Hat Enterprise Linux 6"}], "public_date": "2022-12-13T00:00:00Z", "references": ["https://www.cve.org/CVERecord?id=CVE-2022-46881\nhttps://nvd.nist.gov/vuln/detail/CVE-2022-46881\nhttps://www.mozilla.org/en-US/security/advisories/mfsa2022-52/#CVE-2022-46881\nhttps://www.mozilla.org/en-US/security/advisories/mfsa2022-53/#CVE-2022-46881"], "statement": "Red Hat Product Security rates the severity of this flaw as determined by the Mozilla Foundation Security Advisory.", "threat_severity": "Important", "upstream_fix": "thunderbird 102.6, firefox 102.6"}