Mozilla fixed two critical zero-days in its popular web browser, Firefox. Mozilla is aware of active exploitation of these vulnerabilities. There is no specific information about the threat groups or malwares utilizing these vulnerabilities.
As per the advisory,
CVE-2020-6819 is a use-after-free vulnerability when running the nsDocShell destructor due to a race condition.
CVE-2020-6820 is a use-after-free vulnerability when handling a ReadableStream due to a race condition.
Both the zero-days are known to be use-after-free issues in different components. A use-after-free(CWE-416) issue is one where a memory is referenced after it is freed. Vulnerabilities of this type can be used to corrupt memory and launch denial of service or remote code execution attacks. Depending on the privileges of the targeted user, an attacker can install programs; view, change, or delete data; or create new accounts with full user rights.
- Firefox versions prior to 74.0.1
- Firefox ESR versions 68.6.1
Attackers can abuse these vulnerabilities to crash the application or execute arbitrary code in the context of the browser.