Firefox SVG Animation Remote Code Execution - 20230626002

Overview

A use-after-free vulnerability in SVG Animation has been discovered. An exploit built on this vulnerability has been discovered in the wild targeting Firefox and Tor Browser users on Windows.

What is the vulnerability?

• CVE-2016-9079 - CVSS v3 Base Score: 7.5

What is vulnerable?

The vulnerability affects the following products:

• Firefox < 50.0.2,
• Firefox ESR < 45.5.1
• Thunderbird < 45.5.1

What has been observed?

CISA added this vulnerabilty to their Known Exploited Vulnerabilties catalog on 22 June 2023.

There is no evidence of exploitation affecting Western Australian Government networks at the time of publishing.

Recommendation

The WA SOC recommends administrators apply the solutions as per vendor instructions to all affected devices within one month.

Additional References

• CVE-2016-9079 Detail
• MFSA2016-92 Firefox: Firefox SVG Animation Remote Code Execution