Mozilla Foundation Security Advisory 2016-72

Use-after-free in DTLS during WebRTC session shutdown

Announced
August 2, 2016
Reporter
Looben Yang
Impact
Critical
Products
Firefox, Firefox ESR
Fixed in
  • Firefox 48
  • Firefox ESR 45.3

Description

Security researcher Looben Yang reported a use-after-free vulnerability in WebRTC. This occurs during WebRTC session shutdown when DTLS objects in memory are freed while still actively in use. This results in a potentially exploitable crash.

References