Mozilla Foundation Security Advisory 2016-15

Use-after-free in NSS during SSL connections in low memory

Announced
January 26, 2016
Reporter
Eric Rescorla
Impact
Moderate
Products
Firefox, Firefox ESR, NSS
Fixed in
  • Firefox 44
  • Firefox ESR 38.8
  • NSS 3.19.2.4
  • NSS 3.21

Description

Mozilla developer Eric Rescorla reported that a failed allocation during DHE and ECDHE handshakes would lead to a use-after-free vulnerability.

References