CVE-2019-11713

CRITICAL

Firefox < 68 and Firefox ESR < 60.8 - Use-After-Free in HTTP/2 Stream Handling

Title source: llm
STIX 2.1

Description

A use-after-free vulnerability can occur in HTTP/2 when a cached HTTP/2 stream is closed while still in use, resulting in a potentially exploitable crash. This vulnerability affects Firefox ESR < 60.8, Firefox < 68, and Thunderbird < 60.8.

References (13)

Core 13
Core References
Issue Tracking, Permissions Required, Vendor Advisory x_refsource_misc
https://bugzilla.mozilla.org/show_bug.cgi?id=1528481
Mailing List mailing-list x_refsource_mlist
https://lists.debian.org/debian-lts-announce/2019/08/msg00001.html
Mailing List mailing-list x_refsource_mlist
https://lists.debian.org/debian-lts-announce/2019/08/msg00002.html
Third Party Advisory vendor-advisory x_refsource_gentoo
https://security.gentoo.org/glsa/201908-12
Third Party Advisory vendor-advisory x_refsource_gentoo
https://security.gentoo.org/glsa/201908-20

Scores

CVSS v3 9.8
EPSS 0.0146
EPSS Percentile 81.1%
Attack Vector NETWORK
CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

Details

CWE
CWE-416
Status published
Products (2)
mozilla/firefox < 60.8.0
mozilla/thunderbird < 60.8.0
Published Jul 23, 2019
Tracked Since Feb 18, 2026