Mozilla on Tuesday announced security updates for both Firefox and Thunderbird, addressing a total of nine vulnerabilities in its products, including high-severity flaws.
Firefox 118 was released to the stable channel with patches for all nine vulnerabilities – all are memory issues, most of which could lead to exploitable crashes.
Tracked as CVE-2023-5168 and CVE-2023-5169, the first two high-severity flaws are described as out-of-bounds write issues in the browser’s FilterNodeD2D1 and PathOps components. According to Mozilla, both could lead to “a potentially exploitable crash in a privileged process”.
The third bug, CVE-2023-5170, is a memory leak issue that “could be used to effect a sandbox escape if the correct data was leaked”, Mozilla explains in its advisory.
Another high-severity vulnerability was patched in the Ion compiler. Tracked as CVE-2023-5171 and described as a use-after-free condition, the bug allowed an attacker to write two NUL bytes, causing a potentially exploitable crash.
Firefox 118 also patches CVE-2023-5172, a memory corruption in Ion Hints that could lead to a use-after-free condition and a potentially exploitable crash.
The browser update also resolves multiple high-severity memory safety bugs that are collectively tracked as CVE-2023-5176. According to Mozilla, “with enough effort”, an attacker could exploit some of these flaws to execute arbitrary code.
The three remaining issues patched with the release of Firefox 118 are medium- and low-severity memory bugs.
On Tuesday, Mozilla announced the release of Firefox ESR 115.3 and Thunderbird 115.3 with patches for five vulnerabilities each. These include four of the high-severity flaws and one medium-severity bug that Firefox 118 addresses.
Mozilla makes no mention of any of these vulnerabilities being exploited in malicious attacks. Additional details can be found on Mozilla’s security advisories page.