In March 2022, a serious security flaw was found in Mozilla’s browser and email applications: Firefox, Firefox ESR, and Thunderbird. Called CVE-2022-1097, this bug could let attackers crash the software, or even run malicious code, by exploiting how NSSToken objects were handled across different threads. Below, we’ll break down what happened, show you the technical details, share code examples, and tell you how you can protect yourself.
What is CVE-2022-1097?
CVE-2022-1097 is a use-after-free vulnerability in the way Mozilla's code handled NSSToken objects. Instead of careful management, these sensitive security objects were sometimes used by two (or more) threads at once, allowing one thread to access memory that was just freed by another. If an attacker learned how to exploit this, they could crash your software or maybe even run their own code.
Impact:
What is NSSToken and Why is it Important?
NSSToken is a part of Mozilla’s Network Security Services (NSS). NSS manages cryptographic operations for Firefox and Thunderbird—think: encryption, digital signatures, and more.
Since security tokens handle secrets like encryption keys, any vulnerability in their handling could be devastating.
What Happens In The Vulnerable Code?
In technical terms: NSSToken objects were referenced by raw pointers, not by protected smart pointers or references. So, if one thread freed (deleted) a token, but another thread had a reference to the same object, that reference now pointed to memory that wasn’t valid anymore—a use-after-free.
Here’s a _simplified example_ of what went wrong
// Somewhere in NSS code (simplified for illustration)
NSSToken* token = GetNSSToken(); // Get a pointer to the token
// Thread 1: Frees the token
delete token;
// Thread 2: Still tries to use the same pointer! Dangerous!
token->DoSomething(); // Use-after-free: could crash or worse
With some clever timing (called a "race condition"), attackers could make the program crash, or potentially even execute arbitrary code.
Attackers could persuade users to visit a malicious website or open a crafted email message.
- By causing complex cryptographic operations (often triggered by secure connections), an attacker might force different browser threads to create, use, and free NSSToken objects at just the right (wrong) times.
- If successful, the browser or email client could crash (denial of service). In some cases, more advanced attackers might trigger code execution.
No public exploit code is known, but the risk is real—use-after-free bugs are a favorite for advanced browser hackers.
How Was It Fixed?
Mozilla’s developers patched this in Firefox 99 and Thunderbird 91.8 by making the use of NSSToken pointers thread-safe. The pointers were managed more carefully, either by switching to reference counting (e.g., smart pointers) or by ensuring one thread couldn’t free an object if another thread might still use it.
The official Mozilla advisory says:
> “Use-after-free in NSSToken objects that were referenced via direct pointers, and could have been accessed in an unsafe way on different threads.”
For a more technical dive, see the NSS Bugzilla ticket.
Update Thunderbird to version 91.8 or newer
- For Debian/Ubuntu and similar, ensure you have NSS (libnss3) patched to the latest version.
References
- Mozilla Foundation Security Advisory 2022-13
- Bugzilla Bug 175635
- NIST NVD CVE-2022-1097
- NSS Library
Conclusion
CVE-2022-1097 is a powerful example of how small mistakes in C++ memory management can lead to big security issues—especially when code is multi-threaded. Mozilla responded quickly, but as always, the best shield is keeping your software up-to-date.
If you use Firefox or Thunderbird, make sure you're running the latest version. And for developers: be very careful with raw pointers—especially when writing multi-threaded code!
Timeline
Published on: 12/22/2022 20:15:00 UTC
Last modified on: 12/29/2022 17:52:00 UTC