Mozilla Thunderbird up to 115.0.1 ColorPickerShownCallback use after free

Summaryinfo

A vulnerability has been found in Mozilla Thunderbird and classified as critical. This issue affects the function ColorPickerShownCallback. The manipulation leads to use after free. This vulnerability is referenced as CVE-2023-4574. Remote exploitation of the attack is possible. No exploit is available. The affected component should be upgraded.

Detailsinfo

A vulnerability, which was classified as critical, has been found in Mozilla Thunderbird (Mail Client Software). This issue affects the function ColorPickerShownCallback. The manipulation with an unknown input leads to a use after free vulnerability. Using CWE to declare the problem leads to CWE-416. Referencing memory after it has been freed can cause a program to crash, use unexpected values, or execute code. Impacted is confidentiality, integrity, and availability. The summary by CVE is:

When creating a callback over IPC for showing the Color Picker window, multiple of the same callbacks could have been created at a time and eventually all simultaneously destroyed as soon as one of the callbacks finished. This could have led to a use-after-free causing a potentially exploitable crash. This vulnerability affects Firefox < 117, Firefox ESR < 102.15, Firefox ESR < 115.2, and Thunderbird < 115.2.

The weakness was published 09/11/2023. It is possible to read the advisory at mozilla.org. The identification of this vulnerability is CVE-2023-4574 since 08/29/2023. It demands that the victim is doing some kind of user interaction. Technical details of the vulnerability are known, but there is no available exploit. The pricing for an exploit might be around USD $5k-$25k at the moment (estimation calculated on 06/20/2025).

The vulnerability scanner Nessus provides a plugin with the ID 239763 (TencentOS Server 4: thunderbird (TSSA-2024:0450)), which helps to determine the existence of the flaw in a target environment.

Upgrading to version 115.2 eliminates this vulnerability. The upgrade is hosted for download at mozilla.org.

The vulnerability is also documented in the vulnerability database at Tenable (239763). Be aware that VulDB is the high quality source for vulnerability data.

Productinfo

Type

• Mail Client Software

Vendor

• Mozilla

Name

• Thunderbird

Version

• 0.1
• 0.2
• 0.3
• 0.4
• 0.5
• 0.6
• 0.7
• 0.7.1
• 0.7.2
• 0.7.3
• 0.8
• 0.9
• 1
• 1.0
• 1.0.1
• 1.0.2
• 1.0.3
• 1.0.4
• 1.0.5
• 1.0.6
• 1.0.7
• 1.0.8
• 1.0.9
• 1.1.8
• 1.5
• 1.5.0.1
• 1.5.0.2
• 1.5.0.3
• 1.5.0.4
• 1.5.0.5
• 1.5.0.6
• 1.5.0.7
• 1.5.0.8
• 1.5.0.9
• 1.5.0.10
• 1.5.0.11
• 2
• 2.0.0.5
• 2.0.0.11
• 2.0.0.19
• 2.0.14
• 3.11.5
• 13.0
• 14
• 15
• 16
• 16.0.1
• 16.0.2
• 17.0
• 17.0.1
• 17.0.2
• 17.0.3
• 17.0.4
• 17.0.5
• 17.0.6
• 17.0.7
• 17.0.8
• 17.0.10
• 18.0
• 20.0
• 21.0
• 23.0
• 24.0
• 25.0
• 30.0
• 31
• 45.6
• 52.5.2
• 52.6
• 52.8
• 52.9
• 60.5
• 60.5.0
• 60.5.1
• 60.7.1
• 62.0
• 68.1
• 68.1.1
• 68.5
• 68.8.0
• 68.9.0
• 68.10.0
• 68.12
• 78.5.1
• 78.6.1
• 78.7
• 78.8.1
• 78.9.1
• 78.10
• 78.10.1
• 78.10.2
• 78.12
• 91.0
• 91.0.1
• 91.2
• 91.3.0
• 91.4.0
• 91.4.1
• 91.5
• 91.6
• 91.6.1
• 91.7
• 91.8
• 91.9
• 91.10
• 91.11
• 91.13.1
• 101
• 102
• 102.1
• 102.2
• 102.3
• 102.4
• 102.5
• 102.5.1
• 102.6
• 102.7
• 102.7.1
• 102.8
• 102.9
• 102.9.1
• 102.10
• 102.11
• 102.12
• 102.13
• 115.0.1

License

• open-source

Website

• Vendor: https://www.mozilla.org/

CPE 2.3info

• 🔍
• 🔍
• 🔍

CPE 2.2info

• 🔍
• 🔍
• 🔍

CVSSv4info

CVSSv3info

CVSSv2info

Exploitinginfo

Threat Intelligenceinfo

Countermeasuresinfo

Timelineinfo

Sourcesinfo

Entryinfo

Be aware that VulDB is the high quality source for vulnerability data.

Discussion