image credit: Pixabay

Critical Firefox Vulnerability Can Allow Code Execution If Chained With Other Bugs

February 9, 2021

In its advisory for the vulnerability — the bug currently does not have a CVE identifier — Mozilla described it as a “buffer overflow in depth pitch calculations for compressed textures.” The issue, reported by researchers Abraruddin Khan and Omair through Trend Micro’s Zero Day Initiative (ZDI), apparently only impacts Firefox running on Windows — other operating systems are not affected.

“In the Angle graphics library, depth pitch computations did not take into account the block size and simply multiplied the row pitch with the pixel height. This caused the load functions to use a very high depth pitch, reading past the end of the user-supplied buffer,” Mozilla said.

Read More on Security Week