|Description||Mozilla Firefox before 126.96.36.199 and 3.x before 3.0.1, Thunderbird before 188.8.131.52, and SeaMonkey before 1.1.11 use an incorrect integer data type as a CSS object reference counter in the CSSValue array (aka nsCSSValue:Array) data structure, which allows remote attackers to execute arbitrary code via a large number of references to a common CSS object, leading to a counter overflow and a free of in-use memory, aka ZDI-CAN-349.|
|Source||CVE (at NVD; CERT, LWN, oss-sec, fulldisc, bugtraq, EDB, Metasploit, Red Hat, Ubuntu, Gentoo, SUSE bugzilla/CVE, Mageia, GitHub code/issues, web search, more)|
|References||DSA-1614-1, DSA-1615-1, DSA-1621-1, DSA-1697-1|
|NVD severity||high (attack range: remote)|
|Debian Bugs||488358, 491161, 491163|
Vulnerable and fixed packages
The table below lists information on source packages.
The information below is based on the following data on fixed versions.
Since 3.0 iceweasel links against xulrunner, marking it as fixed, since also need to track etch