{"api_version":"1","generated_at":"2026-04-23T02:36:36+00:00","cve":"CVE-2021-43534","urls":{"html":"https://cve.report/CVE-2021-43534","api":"https://cve.report/api/cve/CVE-2021-43534.json","docs":"https://cve.report/api","cve_org":"https://www.cve.org/CVERecord?id=CVE-2021-43534","nvd":"https://nvd.nist.gov/vuln/detail/CVE-2021-43534"},"summary":{"title":"CVE-2021-43534","description":"Mozilla developers and community members reported memory safety bugs present in Firefox 93 and Firefox ESR 91.2. Some of these bugs showed evidence of memory corruption and we presume that with enough effort some of these could have been exploited to run arbitrary code. This vulnerability affects Firefox < 94, Thunderbird < 91.3, and Firefox ESR < 91.3.","state":"PUBLIC","assigner":"security@mozilla.org","published_at":"2021-12-08 22:15:00","updated_at":"2022-03-17 19:45:00"},"problem_types":["CWE-787"],"metrics":[],"references":[{"url":"https://www.debian.org/security/2021/dsa-5026","name":"DSA-5026","refsource":"DEBIAN","tags":[],"title":"Debian -- Security Information -- DSA-5026-1 firefox-esr","mime":"text/html","httpstatus":"200","archivestatus":"404"},{"url":"https://bugzilla.mozilla.org/buglist.cgi?bug_id=1606864%2C1712671%2C1730048%2C1735152","name":"https://bugzilla.mozilla.org/buglist.cgi?bug_id=1606864%2C1712671%2C1730048%2C1735152","refsource":"MISC","tags":[],"title":"Bug List","mime":"text/html","httpstatus":"200","archivestatus":"200"},{"url":"https://www.mozilla.org/security/advisories/mfsa2021-50/","name":"https://www.mozilla.org/security/advisories/mfsa2021-50/","refsource":"MISC","tags":[],"title":"Security Vulnerabilities fixed in Thunderbird 91.3 — Mozilla","mime":"text/html","httpstatus":"200","archivestatus":"200"},{"url":"https://www.mozilla.org/security/advisories/mfsa2021-48/","name":"https://www.mozilla.org/security/advisories/mfsa2021-48/","refsource":"MISC","tags":[],"title":"Security Vulnerabilities fixed in Firefox 94 — Mozilla","mime":"text/html","httpstatus":"200","archivestatus":"200"},{"url":"https://www.mozilla.org/security/advisories/mfsa2021-49/","name":"https://www.mozilla.org/security/advisories/mfsa2021-49/","refsource":"MISC","tags":[],"title":"Security Vulnerabilities fixed in Firefox ESR 91.3 — Mozilla","mime":"text/html","httpstatus":"200","archivestatus":"200"},{"url":"https://www.debian.org/security/2022/dsa-5034","name":"DSA-5034","refsource":"DEBIAN","tags":[],"title":"Debian -- Security Information -- DSA-5034-1 thunderbird","mime":"text/html","httpstatus":"200","archivestatus":"404"},{"url":"https://lists.debian.org/debian-lts-announce/2021/12/msg00030.html","name":"[debian-lts-announce] 20211229 [SECURITY] [DLA 2863-1] firefox-esr security update","refsource":"MLIST","tags":[],"title":"[SECURITY] [DLA 2863-1] firefox-esr security update","mime":"text/html","httpstatus":"200","archivestatus":"404"},{"url":"https://lists.debian.org/debian-lts-announce/2022/01/msg00001.html","name":"[debian-lts-announce] 20220104 [SECURITY] [DLA 2874-1] thunderbird security update","refsource":"MLIST","tags":[],"title":"[SECURITY] [DLA 2874-1] thunderbird security update","mime":"text/html","httpstatus":"200","archivestatus":"404"},{"url":"https://www.cve.org/CVERecord?id=CVE-2021-43534","name":"CVE Program record","refsource":"CVE.ORG","tags":["canonical"]},{"url":"https://nvd.nist.gov/vuln/detail/CVE-2021-43534","name":"NVD vulnerability detail","refsource":"NVD","tags":["canonical","analysis"]}],"affected":[],"timeline":[],"solutions":[],"workarounds":[],"exploits":[],"credits":[],"nvd_cpes":[{"cve_year":"2021","cve_id":"43534","vulnerable":"1","versionEndIncluding":"","cpe1":"cpe","cpe2":"2.3","cpe3":"o","cpe4":"debian","cpe5":"debian_linux","cpe6":"10.0","cpe7":"*","cpe8":"*","cpe9":"*","cpe10":"*","cpe11":"*","cpe12":"*","cpe13":"*"},{"cve_year":"2021","cve_id":"43534","vulnerable":"1","versionEndIncluding":"","cpe1":"cpe","cpe2":"2.3","cpe3":"o","cpe4":"debian","cpe5":"debian_linux","cpe6":"11.0","cpe7":"*","cpe8":"*","cpe9":"*","cpe10":"*","cpe11":"*","cpe12":"*","cpe13":"*"},{"cve_year":"2021","cve_id":"43534","vulnerable":"1","versionEndIncluding":"","cpe1":"cpe","cpe2":"2.3","cpe3":"o","cpe4":"debian","cpe5":"debian_linux","cpe6":"9.0","cpe7":"*","cpe8":"*","cpe9":"*","cpe10":"*","cpe11":"*","cpe12":"*","cpe13":"*"},{"cve_year":"2021","cve_id":"43534","vulnerable":"1","versionEndIncluding":"","cpe1":"cpe","cpe2":"2.3","cpe3":"a","cpe4":"mozilla","cpe5":"firefox","cpe6":"*","cpe7":"*","cpe8":"*","cpe9":"*","cpe10":"*","cpe11":"*","cpe12":"*","cpe13":"*"},{"cve_year":"2021","cve_id":"43534","vulnerable":"1","versionEndIncluding":"","cpe1":"cpe","cpe2":"2.3","cpe3":"a","cpe4":"mozilla","cpe5":"firefox_esr","cpe6":"*","cpe7":"*","cpe8":"*","cpe9":"*","cpe10":"*","cpe11":"*","cpe12":"*","cpe13":"*"},{"cve_year":"2021","cve_id":"43534","vulnerable":"1","versionEndIncluding":"","cpe1":"cpe","cpe2":"2.3","cpe3":"a","cpe4":"mozilla","cpe5":"thunderbird","cpe6":"*","cpe7":"*","cpe8":"*","cpe9":"*","cpe10":"*","cpe11":"*","cpe12":"*","cpe13":"*"}],"vendor_comments":[],"enrichments":{"kev":null,"epss":null,"legacy_qids":[{"cve":"CVE-2021-43534","qid":"178948","title":"Debian Security Update for firefox-esr (DSA 5026-1)"},{"cve":"CVE-2021-43534","qid":"178970","title":"Debian Security Update for firefox-esr (DLA 2863-1)"},{"cve":"CVE-2021-43534","qid":"178983","title":"Debian Security Update for thunderbird (DSA 5034-1)"},{"cve":"CVE-2021-43534","qid":"178986","title":"Debian Security Update for thunderbird (DLA 2874-1)"},{"cve":"CVE-2021-43534","qid":"180498","title":"Debian Security Update for firefox-esr (CVE-2021-43534)"},{"cve":"CVE-2021-43534","qid":"198641","title":"Ubuntu Security Notification for Thunderbird Vulnerabilities (USN-5248-1)"},{"cve":"CVE-2021-43534","qid":"502381","title":"Alpine Linux Security Update for thunderbird"},{"cve":"CVE-2021-43534","qid":"503632","title":"Alpine Linux Security Update for thunderbird"},{"cve":"CVE-2021-43534","qid":"503634","title":"Alpine Linux Security Update for thunderbird"},{"cve":"CVE-2021-43534","qid":"503650","title":"Alpine Linux Security Update for thunderbird"},{"cve":"CVE-2021-43534","qid":"503669","title":"Alpine Linux Security Update for thunderbird"},{"cve":"CVE-2021-43534","qid":"506260","title":"Alpine Linux Security Update for thunderbird"},{"cve":"CVE-2021-43534","qid":"960744","title":"Rocky Linux Security Update for thunderbird (RLSA-2021:4130)"}]},"source_records":{"cve_program":{"data_type":"CVE","data_format":"MITRE","data_version":"4.0","CVE_data_meta":{"ID":"CVE-2021-43534","ASSIGNER":"security@mozilla.org","STATE":"PUBLIC"},"affects":{"vendor":{"vendor_data":[{"vendor_name":"Mozilla","product":{"product_data":[{"product_name":"Firefox","version":{"version_data":[{"version_value":"94","version_affected":"<"}]}},{"product_name":"Thunderbird","version":{"version_data":[{"version_value":"91.3","version_affected":"<"}]}},{"product_name":"Firefox ESR","version":{"version_data":[{"version_value":"91.3","version_affected":"<"}]}}]}}]}},"problemtype":{"problemtype_data":[{"description":[{"lang":"eng","value":"Memory safety bugs fixed in Firefox 94 and Firefox ESR 91.3"}]}]},"references":{"reference_data":[{"url":"https://www.mozilla.org/security/advisories/mfsa2021-49/","refsource":"MISC","name":"https://www.mozilla.org/security/advisories/mfsa2021-49/"},{"url":"https://www.mozilla.org/security/advisories/mfsa2021-50/","refsource":"MISC","name":"https://www.mozilla.org/security/advisories/mfsa2021-50/"},{"url":"https://www.mozilla.org/security/advisories/mfsa2021-48/","refsource":"MISC","name":"https://www.mozilla.org/security/advisories/mfsa2021-48/"},{"url":"https://bugzilla.mozilla.org/buglist.cgi?bug_id=1606864%2C1712671%2C1730048%2C1735152","refsource":"MISC","name":"https://bugzilla.mozilla.org/buglist.cgi?bug_id=1606864%2C1712671%2C1730048%2C1735152"},{"refsource":"DEBIAN","name":"DSA-5026","url":"https://www.debian.org/security/2021/dsa-5026"},{"refsource":"MLIST","name":"[debian-lts-announce] 20211229 [SECURITY] [DLA 2863-1] firefox-esr security update","url":"https://lists.debian.org/debian-lts-announce/2021/12/msg00030.html"},{"refsource":"DEBIAN","name":"DSA-5034","url":"https://www.debian.org/security/2022/dsa-5034"},{"refsource":"MLIST","name":"[debian-lts-announce] 20220104 [SECURITY] [DLA 2874-1] thunderbird security update","url":"https://lists.debian.org/debian-lts-announce/2022/01/msg00001.html"}]},"description":{"description_data":[{"lang":"eng","value":"Mozilla developers and community members reported memory safety bugs present in Firefox 93 and Firefox ESR 91.2. Some of these bugs showed evidence of memory corruption and we presume that with enough effort some of these could have been exploited to run arbitrary code. This vulnerability affects Firefox < 94, Thunderbird < 91.3, and Firefox ESR < 91.3."}]}},"nvd":{"publishedDate":"2021-12-08 22:15:00","lastModifiedDate":"2022-03-17 19:45:00","problem_types":["CWE-787"],"metrics":{"baseMetricV3":{"cvssV3":{"version":"3.1","vectorString":"CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H","attackVector":"NETWORK","attackComplexity":"LOW","privilegesRequired":"NONE","userInteraction":"REQUIRED","scope":"UNCHANGED","confidentialityImpact":"HIGH","integrityImpact":"HIGH","availabilityImpact":"HIGH","baseScore":8.8,"baseSeverity":"HIGH"},"exploitabilityScore":2.8,"impactScore":5.9},"baseMetricV2":{"cvssV2":{"version":"2.0","vectorString":"AV:N/AC:M/Au:N/C:P/I:P/A:P","accessVector":"NETWORK","accessComplexity":"MEDIUM","authentication":"NONE","confidentialityImpact":"PARTIAL","integrityImpact":"PARTIAL","availabilityImpact":"PARTIAL","baseScore":6.8},"severity":"MEDIUM","exploitabilityScore":8.6,"impactScore":6.4,"acInsufInfo":false,"obtainAllPrivilege":false,"obtainUserPrivilege":false,"obtainOtherPrivilege":false,"userInteractionRequired":true}},"configurations":{"CVE_data_version":"4.0","nodes":[{"operator":"OR","children":[],"cpe_match":[{"vulnerable":true,"cpe23Uri":"cpe:2.3:a:mozilla:firefox_esr:*:*:*:*:*:*:*:*","versionEndExcluding":"91.3.0","cpe_name":[]},{"vulnerable":true,"cpe23Uri":"cpe:2.3:a:mozilla:thunderbird:*:*:*:*:*:*:*:*","versionEndExcluding":"91.3.0","cpe_name":[]},{"vulnerable":true,"cpe23Uri":"cpe:2.3:a:mozilla:firefox:*:*:*:*:*:*:*:*","versionEndExcluding":"94.0","cpe_name":[]}]},{"operator":"OR","children":[],"cpe_match":[{"vulnerable":true,"cpe23Uri":"cpe:2.3:o:debian:debian_linux:9.0:*:*:*:*:*:*:*","cpe_name":[]},{"vulnerable":true,"cpe23Uri":"cpe:2.3:o:debian:debian_linux:10.0:*:*:*:*:*:*:*","cpe_name":[]},{"vulnerable":true,"cpe23Uri":"cpe:2.3:o:debian:debian_linux:11.0:*:*:*:*:*:*:*","cpe_name":[]}]}]}},"legacy_mitre":{"record":{"CveYear":"2021","CveId":"43534","Ordinal":"220601","Title":"CVE-2021-43534","CVE":"CVE-2021-43534","Year":"2021"},"notes":[{"CveYear":"2021","CveId":"43534","Ordinal":"1","NoteData":"** RESERVED ** This candidate has been reserved by an organization or individual that will use it when announcing a new security problem. When the candidate has been publicized, the details for this candidate will be provided.","Type":"Description","Title":null}]}}}