{"api_version":"1","generated_at":"2026-04-23T04:11:59+00:00","cve":"CVE-2021-23978","urls":{"html":"https://cve.report/CVE-2021-23978","api":"https://cve.report/api/cve/CVE-2021-23978.json","docs":"https://cve.report/api","cve_org":"https://www.cve.org/CVERecord?id=CVE-2021-23978","nvd":"https://nvd.nist.gov/vuln/detail/CVE-2021-23978"},"summary":{"title":"CVE-2021-23978","description":"Mozilla developers reported memory safety bugs present in Firefox 85 and Firefox ESR 78.7. Some of these bugs showed evidence of memory corruption and we presume that with enough effort some of these could have been exploited to run arbitrary code. This vulnerability affects Firefox < 86, Thunderbird < 78.8, and Firefox ESR < 78.8.","state":"PUBLIC","assigner":"security@mozilla.org","published_at":"2021-02-26 16:15:00","updated_at":"2022-05-27 18:30:00"},"problem_types":["CWE-787"],"metrics":[],"references":[{"url":"https://security.gentoo.org/glsa/202104-10","name":"GLSA-202104-10","refsource":"GENTOO","tags":[],"title":"Mozilla Firefox: Multiple vulnerabilities (GLSA 202104-10) — Gentoo security","mime":"text/html","httpstatus":"200","archivestatus":"404"},{"url":"https://www.debian.org/security/2021/dsa-4866","name":"DSA-4866","refsource":"DEBIAN","tags":["Third Party Advisory"],"title":"Debian -- Security Information -- DSA-4866-1 thunderbird","mime":"text/html","httpstatus":"200","archivestatus":"200"},{"url":"https://security.gentoo.org/glsa/202104-09","name":"GLSA-202104-09","refsource":"GENTOO","tags":[],"title":"Mozilla Thunderbird: Multiple vulnerabilities (GLSA 202104-09) — Gentoo security","mime":"text/html","httpstatus":"200","archivestatus":"404"},{"url":"https://www.mozilla.org/security/advisories/mfsa2021-07/","name":"https://www.mozilla.org/security/advisories/mfsa2021-07/","refsource":"MISC","tags":["Release Notes","Vendor Advisory"],"title":"Security Vulnerabilities fixed in Firefox 86 — Mozilla","mime":"text/html","httpstatus":"200","archivestatus":"200"},{"url":"https://www.mozilla.org/security/advisories/mfsa2021-08/","name":"https://www.mozilla.org/security/advisories/mfsa2021-08/","refsource":"MISC","tags":["Release Notes","Vendor Advisory"],"title":"Security Vulnerabilities fixed in Firefox ESR 78.8 — Mozilla","mime":"text/html","httpstatus":"200","archivestatus":"200"},{"url":"https://www.mozilla.org/security/advisories/mfsa2021-09/","name":"https://www.mozilla.org/security/advisories/mfsa2021-09/","refsource":"MISC","tags":["Release Notes","Vendor Advisory"],"title":"Security Vulnerabilities fixed in Thunderbird 78.8 — Mozilla","mime":"text/html","httpstatus":"200","archivestatus":"200"},{"url":"https://bugzilla.mozilla.org/buglist.cgi?bug_id=786797%2C1682928%2C1687391%2C1687597","name":"https://bugzilla.mozilla.org/buglist.cgi?bug_id=786797%2C1682928%2C1687391%2C1687597","refsource":"MISC","tags":["Broken Link","Issue Tracking","Vendor Advisory"],"title":"Bug List","mime":"text/html","httpstatus":"200","archivestatus":"200"},{"url":"https://lists.debian.org/debian-lts-announce/2021/03/msg00000.html","name":"[debian-lts-announce] 20210301 [SECURITY] [DLA 2578-1] thunderbird security update","refsource":"MLIST","tags":["Mailing List","Third Party Advisory"],"title":"[SECURITY] [DLA 2578-1] thunderbird security update","mime":"text/html","httpstatus":"200","archivestatus":"200"},{"url":"https://www.cve.org/CVERecord?id=CVE-2021-23978","name":"CVE Program record","refsource":"CVE.ORG","tags":["canonical"]},{"url":"https://nvd.nist.gov/vuln/detail/CVE-2021-23978","name":"NVD vulnerability detail","refsource":"NVD","tags":["canonical","analysis"]}],"affected":[],"timeline":[],"solutions":[],"workarounds":[],"exploits":[],"credits":[],"nvd_cpes":[{"cve_year":"2021","cve_id":"23978","vulnerable":"1","versionEndIncluding":"","cpe1":"cpe","cpe2":"2.3","cpe3":"o","cpe4":"debian","cpe5":"debian_linux","cpe6":"10.0","cpe7":"*","cpe8":"*","cpe9":"*","cpe10":"*","cpe11":"*","cpe12":"*","cpe13":"*"},{"cve_year":"2021","cve_id":"23978","vulnerable":"1","versionEndIncluding":"","cpe1":"cpe","cpe2":"2.3","cpe3":"o","cpe4":"debian","cpe5":"debian_linux","cpe6":"9.0","cpe7":"*","cpe8":"*","cpe9":"*","cpe10":"*","cpe11":"*","cpe12":"*","cpe13":"*"},{"cve_year":"2021","cve_id":"23978","vulnerable":"1","versionEndIncluding":"1","cpe1":"cpe","cpe2":"2.3","cpe3":"o","cpe4":"debian","cpe5":"debian_linux","cpe6":"10.0","cpe7":"*","cpe8":"*","cpe9":"*","cpe10":"*","cpe11":"*","cpe12":"*","cpe13":"*"},{"cve_year":"2021","cve_id":"23978","vulnerable":"1","versionEndIncluding":"1","cpe1":"cpe","cpe2":"2.3","cpe3":"o","cpe4":"debian","cpe5":"debian_linux","cpe6":"9.0","cpe7":"*","cpe8":"*","cpe9":"*","cpe10":"*","cpe11":"*","cpe12":"*","cpe13":"*"},{"cve_year":"2021","cve_id":"23978","vulnerable":"1","versionEndIncluding":"","cpe1":"cpe","cpe2":"2.3","cpe3":"a","cpe4":"mozilla","cpe5":"firefox","cpe6":"*","cpe7":"*","cpe8":"*","cpe9":"*","cpe10":"*","cpe11":"*","cpe12":"*","cpe13":"*"},{"cve_year":"2021","cve_id":"23978","vulnerable":"1","versionEndIncluding":"1","cpe1":"cpe","cpe2":"2.3","cpe3":"a","cpe4":"mozilla","cpe5":"firefox","cpe6":"*","cpe7":"*","cpe8":"*","cpe9":"*","cpe10":"*","cpe11":"*","cpe12":"*","cpe13":"*"},{"cve_year":"2021","cve_id":"23978","vulnerable":"1","versionEndIncluding":"","cpe1":"cpe","cpe2":"2.3","cpe3":"a","cpe4":"mozilla","cpe5":"firefox_esr","cpe6":"*","cpe7":"*","cpe8":"*","cpe9":"*","cpe10":"*","cpe11":"*","cpe12":"*","cpe13":"*"},{"cve_year":"2021","cve_id":"23978","vulnerable":"1","versionEndIncluding":"1","cpe1":"cpe","cpe2":"2.3","cpe3":"a","cpe4":"mozilla","cpe5":"firefox_esr","cpe6":"*","cpe7":"*","cpe8":"*","cpe9":"*","cpe10":"*","cpe11":"*","cpe12":"*","cpe13":"*"},{"cve_year":"2021","cve_id":"23978","vulnerable":"1","versionEndIncluding":"","cpe1":"cpe","cpe2":"2.3","cpe3":"a","cpe4":"mozilla","cpe5":"thunderbird","cpe6":"*","cpe7":"*","cpe8":"*","cpe9":"*","cpe10":"*","cpe11":"*","cpe12":"*","cpe13":"*"},{"cve_year":"2021","cve_id":"23978","vulnerable":"1","versionEndIncluding":"1","cpe1":"cpe","cpe2":"2.3","cpe3":"a","cpe4":"mozilla","cpe5":"thunderbird","cpe6":"*","cpe7":"*","cpe8":"*","cpe9":"*","cpe10":"*","cpe11":"*","cpe12":"*","cpe13":"*"}],"vendor_comments":[],"enrichments":{"kev":null,"epss":null,"legacy_qids":[{"cve":"CVE-2021-23978","qid":"179542","title":"Debian Security Update for firefox-esrthunderbird (CVE-2021-23978)"},{"cve":"CVE-2021-23978","qid":"198355","title":"Ubuntu Security Notification for Thunderbird vulnerabilities (USN-4936-1)"},{"cve":"CVE-2021-23978","qid":"296069","title":"Oracle Solaris 11.4 Support Repository Update (SRU) 31.88.5 Missing (CPUJAN2021)"},{"cve":"CVE-2021-23978","qid":"352250","title":"Amazon Linux Security Advisory for thunderbird: ALAS2-2021-1618"},{"cve":"CVE-2021-23978","qid":"375430","title":"SeaMonkey Multiple Vulnerabilities"},{"cve":"CVE-2021-23978","qid":"500941","title":"Alpine Linux Security Update for firefox-esr"},{"cve":"CVE-2021-23978","qid":"501555","title":"Alpine Linux Security Update for firefox"},{"cve":"CVE-2021-23978","qid":"501624","title":"Alpine Linux Security Update for mozjs78"},{"cve":"CVE-2021-23978","qid":"502379","title":"Alpine Linux Security Update for thunderbird"},{"cve":"CVE-2021-23978","qid":"503846","title":"Alpine Linux Security Update for firefox"},{"cve":"CVE-2021-23978","qid":"710019","title":"Gentoo Linux Mozilla Thunderbird Multiple Vulnerabilities (GLSA 202104-09)"},{"cve":"CVE-2021-23978","qid":"710020","title":"Gentoo Linux Mozilla Firefox Multiple Vulnerabilities (GLSA 202104-10)"},{"cve":"CVE-2021-23978","qid":"750329","title":"OpenSUSE Security Update for MozillaThunderbird (openSUSE-SU-2021:0387-1)"},{"cve":"CVE-2021-23978","qid":"750336","title":"OpenSUSE Security Update for MozillaFirefox (openSUSE-SU-2021:0373-1)"},{"cve":"CVE-2021-23978","qid":"940157","title":"AlmaLinux Security Update for thunderbird (ALSA-2021:0657)"},{"cve":"CVE-2021-23978","qid":"940358","title":"AlmaLinux Security Update for firefox (ALSA-2021:0655)"}]},"source_records":{"cve_program":{"data_type":"CVE","data_format":"MITRE","data_version":"4.0","CVE_data_meta":{"ID":"CVE-2021-23978","ASSIGNER":"security@mozilla.org","STATE":"PUBLIC"},"affects":{"vendor":{"vendor_data":[{"vendor_name":"Mozilla","product":{"product_data":[{"product_name":"Firefox","version":{"version_data":[{"version_value":"< 86"}]}},{"product_name":"Thunderbird","version":{"version_data":[{"version_value":"< 78.8"}]}},{"product_name":"Firefox ESR","version":{"version_data":[{"version_value":"< 78.8"}]}}]}}]}},"problemtype":{"problemtype_data":[{"description":[{"lang":"eng","value":"Memory safety bugs fixed in Firefox 86 and Firefox ESR 78.8"}]}]},"references":{"reference_data":[{"url":"https://www.mozilla.org/security/advisories/mfsa2021-07/","refsource":"MISC","name":"https://www.mozilla.org/security/advisories/mfsa2021-07/"},{"url":"https://www.mozilla.org/security/advisories/mfsa2021-09/","refsource":"MISC","name":"https://www.mozilla.org/security/advisories/mfsa2021-09/"},{"url":"https://www.mozilla.org/security/advisories/mfsa2021-08/","refsource":"MISC","name":"https://www.mozilla.org/security/advisories/mfsa2021-08/"},{"url":"https://bugzilla.mozilla.org/buglist.cgi?bug_id=786797%2C1682928%2C1687391%2C1687597","refsource":"MISC","name":"https://bugzilla.mozilla.org/buglist.cgi?bug_id=786797%2C1682928%2C1687391%2C1687597"},{"refsource":"MLIST","name":"[debian-lts-announce] 20210301 [SECURITY] [DLA 2578-1] thunderbird security update","url":"https://lists.debian.org/debian-lts-announce/2021/03/msg00000.html"},{"refsource":"DEBIAN","name":"DSA-4866","url":"https://www.debian.org/security/2021/dsa-4866"},{"refsource":"GENTOO","name":"GLSA-202104-10","url":"https://security.gentoo.org/glsa/202104-10"},{"refsource":"GENTOO","name":"GLSA-202104-09","url":"https://security.gentoo.org/glsa/202104-09"}]},"description":{"description_data":[{"lang":"eng","value":"Mozilla developers reported memory safety bugs present in Firefox 85 and Firefox ESR 78.7. Some of these bugs showed evidence of memory corruption and we presume that with enough effort some of these could have been exploited to run arbitrary code. This vulnerability affects Firefox < 86, Thunderbird < 78.8, and Firefox ESR < 78.8."}]}},"nvd":{"publishedDate":"2021-02-26 16:15:00","lastModifiedDate":"2022-05-27 18:30:00","problem_types":["CWE-787"],"metrics":{"baseMetricV3":{"cvssV3":{"version":"3.1","vectorString":"CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H","attackVector":"NETWORK","attackComplexity":"LOW","privilegesRequired":"NONE","userInteraction":"REQUIRED","scope":"UNCHANGED","confidentialityImpact":"HIGH","integrityImpact":"HIGH","availabilityImpact":"HIGH","baseScore":8.8,"baseSeverity":"HIGH"},"exploitabilityScore":2.8,"impactScore":5.9},"baseMetricV2":{"cvssV2":{"version":"2.0","vectorString":"AV:N/AC:M/Au:N/C:P/I:P/A:P","accessVector":"NETWORK","accessComplexity":"MEDIUM","authentication":"NONE","confidentialityImpact":"PARTIAL","integrityImpact":"PARTIAL","availabilityImpact":"PARTIAL","baseScore":6.8},"severity":"MEDIUM","exploitabilityScore":8.6,"impactScore":6.4,"acInsufInfo":false,"obtainAllPrivilege":false,"obtainUserPrivilege":false,"obtainOtherPrivilege":false,"userInteractionRequired":true}},"configurations":{"CVE_data_version":"4.0","nodes":[{"operator":"OR","children":[],"cpe_match":[{"vulnerable":true,"cpe23Uri":"cpe:2.3:a:mozilla:firefox:*:*:*:*:*:*:*:*","versionEndExcluding":"86.0","cpe_name":[]},{"vulnerable":true,"cpe23Uri":"cpe:2.3:a:mozilla:firefox_esr:*:*:*:*:*:*:*:*","versionEndExcluding":"78.8","cpe_name":[]},{"vulnerable":true,"cpe23Uri":"cpe:2.3:a:mozilla:thunderbird:*:*:*:*:*:*:*:*","versionEndExcluding":"78.8","cpe_name":[]}]},{"operator":"OR","children":[],"cpe_match":[{"vulnerable":true,"cpe23Uri":"cpe:2.3:o:debian:debian_linux:9.0:*:*:*:*:*:*:*","cpe_name":[]},{"vulnerable":true,"cpe23Uri":"cpe:2.3:o:debian:debian_linux:10.0:*:*:*:*:*:*:*","cpe_name":[]}]}]}},"legacy_mitre":{"record":{"CveYear":"2021","CveId":"23978","Ordinal":"198734","Title":"CVE-2021-23978","CVE":"CVE-2021-23978","Year":"2021"},"notes":[{"CveYear":"2021","CveId":"23978","Ordinal":"1","NoteData":"Mozilla developers reported memory safety bugs present in Firefox 85 and Firefox ESR 78.7. Some of these bugs showed evidence of memory corruption and we presume that with enough effort some of these could have been exploited to run arbitrary code. This vulnerability affects Firefox < 86, Thunderbird < 78.8, and Firefox ESR < 78.8.","Type":"Description","Title":null},{"CveYear":"2021","CveId":"23978","Ordinal":"2","NoteData":"2021-02-26","Type":"Other","Title":"Published"},{"CveYear":"2021","CveId":"23978","Ordinal":"3","NoteData":"2021-04-30","Type":"Other","Title":"Modified"}]}}}