Mozilla Foundation Security Advisory 2015-138

Use-after-free in WebRTC when datachannel is used after being destroyed

Announced
December 15, 2015
Reporter
Looben Yang
Impact
Critical
Products
Firefox, Firefox ESR, Firefox OS
Fixed in
  • Firefox 43
  • Firefox ESR 38.5
  • Firefox OS 2.5

Description

Security researcher Looben Yang reported a use-after-free error in WebRTC that occurs due to timing issues in WebRTC when closing channels. WebRTC may still believe is has a datachannel open after another WebRTC function has closed it. This results in attempts to use the now destroyed datachannel, leading to a potentially exploitable crash.

References