Incorrect AliasSet Usage in MLoadTypedArrayElementHole Allows Out-of-Bounds Memory Read in Thunderbird and Firefox

Incorrect AliasSet Usage in MLoadTypedArrayElementHole Allows Out-of-Bounds Memory Read in Thunderbird and Firefox

CVE-2022-28285 · MEDIUM Severity

CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:N/A:N

When generating the assembly code for <code>MLoadTypedArrayElementHole</code>, an incorrect AliasSet was used. In conjunction with another vulnerability this could have been used for an out of bounds memory read. This vulnerability affects Thunderbird < 91.8, Firefox < 99, and Firefox ESR < 91.8.

Learn more about our Web Application Penetration Testing UK.