Mozilla Foundation Security Advisory 2023-42

General Information

Announced: September 26, 2023
Impact: High
Products: Firefox ESR
Fixed in: Firefox ESR 115.3

Vulnerabilities

CVE-2023-5168: Out-of-bounds write in FilterNodeD2D1
Reporter: sonakkbi
Impact: High
Description: A compromised content process could provide malicious data to FilterNodeD2D1, leading to an out-of-bounds write and a potentially exploitable crash in a privileged process. Affects only Firefox on Windows.

CVE-2023-5169: Out-of-bounds write in PathOps
Reporter: sonakkbi
Impact: High
Description: A compromised content process could provide malicious data in a PathRecording, leading to an out-of-bounds write and a potentially exploitable crash in a privileged process.

CVE-2023-5171: Use-after-free in Ion Compiler
Reporter: Lukas Bernhard
Impact: High
Description: During Ion compilation, a Garbage Collection could result in a use-after-free condition, allowing an attacker to write two NUL bytes and cause a potentially exploitable crash.

CVE-2023-5174: Double-free in process spawning on Windows
Reporter: Ronald Crane
Impact: Moderate
Description: If Windows failed to duplicate a handle during process creation, the sandbox code may inadvertently free a pointer twice, leading to a use-after-free and a potentially exploitable crash. Affects only Firefox on Windows in non-standard configurations.

CVE-2023-5176: Memory safety bugs fixed in Firefox 118, Firefox ESR 115.3, and Thunderbird 115.3
Reporter: Chris Peterson, Andrew McCreight, André Bargull, Nika Layzell, and the Mozilla Fuzzing Team
Impact: High
Description: Memory safety bugs in Firefox 117, Firefox ESR 115.2, and Thunderbird 115.2, some of which could be exploited to run arbitrary code.
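
A fleet triage check built from the advisory's "Fixed in" version and its Windows-only notes, added here as an example and not part of Mozilla's advisory. Host names, inventory rows and function names are constructed, and treating every ESR build below 115.3 as unpatched is an assumption, since the advisory states no lower bound.

```python
import re

FIXED_IN = (115, 3)  # "Fixed in: Firefox ESR 115.3" per the advisory

# (CVE, impact, Windows-only) as listed in MFSA 2023-42
ADVISORY = [
    ("CVE-2023-5168", "High", True),
    ("CVE-2023-5169", "High", False),
    ("CVE-2023-5171", "High", False),
    ("CVE-2023-5174", "Moderate", True),  # Windows, non-standard configurations only
    ("CVE-2023-5176", "High", False),
]

# Constructed sample inventory: (host, OS, reported version string)
INVENTORY = [
    ("ws-014", "Windows 11", "Mozilla Firefox 115.2.1esr"),
    ("build-03", "Linux", "Mozilla Firefox 115.2.0esr"),
    ("ws-022", "Windows 10", "Mozilla Firefox 115.10.0esr"),
    ("kiosk-7", "macOS", "Mozilla Firefox 115.3.0esr"),
]

def parse_esr_version(text):
    """Return (major, minor, patch) for an ESR version string, else None."""
    if "esr" not in text.lower():
        return None  # non-ESR builds are outside this advisory's scope
    m = re.search(r"(\d+)\.(\d+)(?:\.(\d+))?", text)
    if not m:
        return None
    return tuple(int(g or 0) for g in m.groups())

def open_cves(version_text, os_name):
    """Return [(cve, impact)] from the advisory still unpatched on this install."""
    version = parse_esr_version(version_text)
    if version is None:
        raise ValueError(f"not a Firefox ESR version string: {version_text!r}")
    # Compare as integer tuples so 115.10 sorts after 115.3 (string compare would not).
    if version[:2] >= FIXED_IN:
        return []
    is_windows = os_name.strip().lower().startswith("win")
    return [(cve, impact) for cve, impact, win_only in ADVISORY
            if is_windows or not win_only]

def triage(inventory):
    """Map each host to the advisory CVEs that still apply to it."""
    return {host: open_cves(ver, os_name) for host, os_name, ver in inventory}

if __name__ == "__main__":
    for host, cves in triage(INVENTORY).items():
        print(host, "patched" if not cves else ", ".join(c for c, _ in cves))
```
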