CVE-2016-1978

HIGH

Firefox < 43.0.4 - Use-After-Free in ssl3_HandleECDHServerKeyExchange

Title source: llm
STIX 2.1

Description

Use-after-free vulnerability in the ssl3_HandleECDHServerKeyExchange function in Mozilla Network Security Services (NSS) before 3.21, as used in Mozilla Firefox before 44.0, allows remote attackers to cause a denial of service or possibly have unspecified other impact by making an SSL (1) DHE or (2) ECDHE handshake at a time of high memory consumption.

References (20)

Core 20
Core References
Various Sources x_refsource_confirm
https://bto.bluecoat.com/security-advisory/sa124
Third Party Advisory vendor-advisory x_refsource_debian
http://www.debian.org/security/2016/dsa-3688
Vendor Advisory vendor-advisory x_refsource_redhat
http://rhn.redhat.com/errata/RHSA-2016-0684.html
Vendor Advisory vendor-advisory x_refsource_redhat
http://rhn.redhat.com/errata/RHSA-2016-0685.html
Third Party Advisory, VDB Entry vdb-entry x_refsource_bid
http://www.securityfocus.com/bid/84275
Vendor Advisory vendor-advisory x_refsource_ubuntu
http://www.ubuntu.com/usn/USN-2973-1
Vendor Advisory vendor-advisory x_refsource_redhat
http://rhn.redhat.com/errata/RHSA-2016-0591.html
Third Party Advisory, VDB Entry vdb-entry x_refsource_sectrack
http://www.securitytracker.com/id/1035258
Third Party Advisory, VDB Entry vdb-entry x_refsource_bid
http://www.securityfocus.com/bid/91787
Issue Tracking x_refsource_confirm
https://bugzilla.mozilla.org/show_bug.cgi?id=1209546
Third Party Advisory vendor-advisory x_refsource_gentoo
https://security.gentoo.org/glsa/201605-06

Scores

CVSS v3 7.3
EPSS 0.0246
EPSS Percentile 85.4%
Attack Vector NETWORK
CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:L

Details

Status published
Products (2)
mozilla/firefox < 43.0.4
mozilla/network_security_services < 3.20.1
Published Mar 13, 2016
Tracked Since Feb 18, 2026