CVE-2019-11713 in Firefox
Summary
by MITRE
A use-after-free vulnerability can occur in HTTP/2 when a cached HTTP/2 stream is closed while still in use, resulting in a potentially exploitable crash. This vulnerability affects Firefox ESR < 60.8, Firefox < 68, and Thunderbird < 60.8.
Analysis
by VulDB Data Team • 11/26/2025
This vulnerability is a critical use-after-free condition in the HTTP/2 implementation of Mozilla Firefox and Thunderbird. The flaw lies in connection management, where cached HTTP/2 streams are improperly handled during closure. When a stream is removed from the cache while ongoing operations still reference it, its memory is freed while other code may still be using it, so subsequent memory accesses could trigger arbitrary code execution or system instability. The vulnerability specifically manifests in the interaction between the HTTP/2 stream caching mechanism and connection lifecycle management, where the timing of stream closure and resource deallocation creates a window for memory corruption.
The vulnerability stems from inadequate synchronization and reference counting within the HTTP/2 protocol handler. When a cached stream is closed, the application fails to verify that all references to that stream have been released before deallocating the underlying memory structures. This type of flaw is classified as CWE-416 (Use After Free) in the Common Weakness Enumeration. The vulnerability is particularly dangerous because HTTP/2 connections are often long-lived and frequently reused, increasing the probability that a stream will be closed while still in active use. Attackers could potentially exploit this by crafting malicious HTTP/2 responses that force the browser into a state where stream closure occurs during active data transfer operations.
The operational impact of this vulnerability extends beyond simple browser crashes to potentially enable remote code execution in the context of the victim's browser process. Since Firefox and Thunderbird are widely deployed applications, this vulnerability could be leveraged in targeted attacks against users who access malicious websites or receive compromised email content. The affected versions include Firefox ESR 60.7 and earlier, Firefox 67 and earlier, and Thunderbird 60.7 and earlier, representing a substantial user base that would be vulnerable to exploitation. The vulnerability's exploitability is enhanced by the fact that HTTP/2 is increasingly enabled by default in modern web servers, making it more likely for users to encounter the malicious conditions necessary for exploitation. This vulnerability aligns with attack patterns described in the MITRE ATT&CK framework under the technique T1203, which involves exploiting software vulnerabilities to gain access to systems through web browser applications.
Mitigation strategies for this vulnerability primarily focus on immediate software updates and patches provided by Mozilla. Users should immediately upgrade to Firefox 68 or later versions, Firefox ESR 60.8 or later, and Thunderbird 60.8 or later to address the memory management issues within the HTTP/2 implementation. Network administrators should also consider implementing web filtering measures to prevent access to known malicious sites that might exploit this vulnerability while waiting for patch deployment. Additionally, organizations should monitor for indicators of compromise related to HTTP/2 traffic patterns that might suggest exploitation attempts. The patch implementation addresses the core issue by introducing proper reference counting mechanisms and ensuring that stream closure operations only occur when all active references have been properly released, thereby preventing the use-after-free condition from occurring during normal operation.
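To support the upgrade guidance above, the following added example (not VulDB's or Mozilla's code) triages a software inventory against the fixed versions stated in this entry. It assumes ESR builds report an `esr` suffix in the version string; the inventory format and host names are constructed for illustration.

```python
import re

# First fixed versions, taken from this advisory's text.
FIXED = {
    ("firefox", "release"): (68, 0),
    ("firefox", "esr"): (60, 8),
    ("thunderbird", "release"): (60, 8),
}

def parse_version(raw):
    """Split '60.7.2esr' into ((60, 7, 2), 'esr'); raise ValueError otherwise."""
    m = re.fullmatch(r"(\d+(?:\.\d+)*)(esr)?", raw.strip().lower())
    if not m:
        raise ValueError(f"unrecognised version string: {raw!r}")
    numbers = tuple(int(p) for p in m.group(1).split("."))
    return numbers, ("esr" if m.group(2) else "release")

def is_affected(product, raw_version):
    """True if product/version is below the first fixed release for its channel."""
    product = product.strip().lower()
    numbers, channel = parse_version(raw_version)
    if product == "thunderbird":
        channel = "release"  # the advisory gives one Thunderbird threshold
    fixed = FIXED.get((product, channel))
    if fixed is None:
        raise ValueError(f"product not covered by this advisory: {product!r}")
    # Pad so that '68' compares equal to '68.0'; only major.minor matters here.
    padded = numbers + (0,) * (2 - len(numbers))
    return padded[:2] < fixed

def triage(inventory_text):
    """Return (host, product, version, status) per 'host product version' line."""
    results = []
    for line in inventory_text.strip().splitlines():
        host, product, version = line.split()
        try:
            status = "affected" if is_affected(product, version) else "fixed"
        except ValueError:
            status = "unknown"  # e.g. beta builds: needs manual review
        results.append((host, product, version, status))
    return results

# Constructed sample inventory (not real hosts).
SAMPLE = """
ws-014 firefox 67.0.4
srv-003 firefox 60.7.2esr
srv-004 firefox 60.8.0esr
ws-032 thunderbird 60.8.0
ws-040 firefox 68.0b9
"""
```

The channel check matters because `60.8.0esr` is fixed while a non-ESR Firefox reporting `60.8.0` is still below the release threshold of 68.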