Mozilla Foundation Security Advisory 2021-02

Security Vulnerabilities fixed in Thunderbird 78.6.1

Announced
January 11, 2021
Impact
critical
Products
Thunderbird
Fixed in
  • Thunderbird 78.6.1

In general, these flaws cannot be exploited through email in the Thunderbird product because scripting is disabled when reading mail, but are potentially risks in browser or browser-like contexts.

#CVE-2020-16044: Use-after-free write when handling a malicious COOKIE-ECHO SCTP chunk

Reporter
Ned Williamson
Impact
critical
Description

A malicious peer could have modified a COOKIE-ECHO chunk in a SCTP packet in a way that potentially resulted in a use-after-free. We presume that with enough effort it could have been exploited to run arbitrary code.

References