Mozilla Firefox, Thunderbird, and Firefox ESR Use-After-Free Vulnerability in HTTP/2 Session Object

Vulnerability

A use-after-free vulnerability has been identified in the HTTP/2 networking code of Mozilla Firefox, Thunderbird, and Firefox ESR. Mozilla's description of the defect is that an HTTP/2 session object could be released on a different thread from the one that should own its lifetime; memory belonging to the session is then freed while it is still referenced, and the subsequent access to freed memory corrupts the heap and produces a potentially exploitable crash. The vulnerability affects Firefox versions prior to 93, Thunderbird versions prior to 91.3, and Firefox ESR versions prior to 91.3.

Impact

The bug is a use-after-free in a networking component that handles traffic from remote servers. The immediate effect is heap memory corruption and a crash of the affected process, which is at minimum a denial of service; Mozilla classes the crash as potentially exploitable, meaning that, as with other use-after-free bugs in browser networking code, a carefully timed sequence of events could in principle be turned into code execution in the browser or mail client process. No public exploit is described on this page.

Reproduction

This page gives no proof-of-concept. What Mozilla describes is a race internal to the browser: the HTTP/2 session object is meant to be released on the thread that owns it, and the defect is that its release could happen on another thread while the object was still in use. Triggering it therefore depends on the timing of HTTP/2 connection and session teardown rather than on any single crafted request, and no deterministic trigger is documented here. Anyone attempting to reproduce it should work from a debug build with AddressSanitizer enabled, which reports the access to freed memory at the point it happens instead of as a later, apparently unrelated crash.

Remediation

Upgrade to Firefox 93 or later, Thunderbird 91.3 or later, or Firefox ESR 91.3 or later. Note that the fixed version depends on the release channel: a rapid-release Firefox 91.x or 92.x installation is not fixed until 93, whereas an ESR installation on the 91 branch is fixed at 91.3. After updating, confirm the version actually running, since a downloaded update is not applied until the application restarts.
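As an added example (not code from this page or from Mozilla), the following script decides whether an installed build is affected from the version banner the binary prints. It assumes the banner formats "Mozilla Firefox 93.0", "Mozilla Firefox 91.2.0esr" and "Thunderbird 91.2.1" for `firefox --version` and `thunderbird --version`; the sample banners at the bottom are constructed for illustration. The point it makes that the advisory text alone does not is the channel split: a banner without the "esr" suffix is a rapid-release build and is compared against 93, while an "esr" banner on the 91 branch is compared against 91.3.

```python
import re
import shutil
import subprocess
from typing import Optional, Tuple

Version = Tuple[int, int, int]

# First fixed version per product, taken from the advisory text above.
FIXED_VERSIONS = {
    "firefox": (93, 0, 0),
    "firefox-esr": (91, 3, 0),
    "thunderbird": (91, 3, 0),
}

# Assumed banner shape: optional "Mozilla ", product name, major.minor[.patch], optional "esr".
_BANNER_RE = re.compile(
    r"^(?:Mozilla\s+)?(Firefox|Thunderbird)\s+(\d+)\.(\d+)(?:\.(\d+))?(esr)?\s*$",
    re.IGNORECASE,
)


def parse_version_banner(banner: str) -> Optional[Tuple[str, Version]]:
    """Return (product, (major, minor, patch)) or None if the banner is not recognised.

    A Firefox banner carrying the "esr" suffix is mapped to the separate
    "firefox-esr" product, because its fixed version differs from rapid release.
    """
    m = _BANNER_RE.match(banner.strip())
    if not m:
        return None
    product = m.group(1).lower()
    major, minor = int(m.group(2)), int(m.group(3))
    patch = int(m.group(4)) if m.group(4) else 0
    if product == "firefox" and m.group(5):
        product = "firefox-esr"
    return product, (major, minor, patch)


def is_affected(product: str, version: Version) -> bool:
    """True when the version is strictly below the first fixed release for the product."""
    return version < FIXED_VERSIONS[product]


def assess(banner: str) -> Optional[Tuple[str, Version, bool]]:
    """Parse a banner and return (product, version, affected), or None if unparseable."""
    parsed = parse_version_banner(banner)
    if parsed is None:
        return None
    product, version = parsed
    return product, version, is_affected(product, version)


def banner_of_installed(binary: str) -> Optional[str]:
    """Run `<binary> --version` if the binary is on PATH; None otherwise (hypothetical helper)."""
    path = shutil.which(binary)
    if path is None:
        return None
    result = subprocess.run([path, "--version"], capture_output=True, text=True, timeout=30)
    return result.stdout.strip() or None


if __name__ == "__main__":
    # Constructed sample banners covering both channels and both sides of each fix boundary.
    samples = [
        "Mozilla Firefox 92.0.1",      # rapid release, below 93: affected
        "Mozilla Firefox 93.0",        # rapid release, fixed
        "Mozilla Firefox 91.2.0esr",   # ESR below 91.3: affected
        "Mozilla Firefox 91.3.0esr",   # ESR fixed
        "Mozilla Firefox 91.3.0",      # no esr suffix: rapid-release 91, still affected
        "Thunderbird 91.2.1",          # affected
        "Thunderbird 91.3.0",          # fixed
    ]
    for s in samples:
        print(f"{s!r:32} -> {assess(s)}")
    for binary in ("firefox", "thunderbird"):
        b = banner_of_installed(binary)
        if b:
            print(f"installed {binary}: {b!r} -> {assess(b)}")
```

The tuple comparison is deliberate: comparing version strings lexically would rank "91.10" below "91.3", and a check that only looked at the major number would wrongly clear a rapid-release 91.x build, which is not fixed until 93.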

Added: Apr 7, 2026, 11:26 AM
Updated: Apr 7, 2026, 11:26 AM

Vulnerability Rating

Custom Algorithm
spread: 8.4
impact: 7.5
exploitability: 4.6
remediation: 7.7
relevance: 0.0
threat: 6.4
urgency: 2.9
incentive: 0.0

Our algorithm analyzes dozens of metrics to generate these 8 key vulnerability categories, which are then combined to calculate the overall risk score.