In early 2022, a subtle but critical change in how Firefox for macOS and Linux handled temporary file downloads opened a door to local privilege escalation and privacy risks. This flaw, tracked as CVE-2022-26386, never made huge headlines—but it could have let other users on the same computer peek into your downloaded files.
Let’s break down what happened, how the vulnerability worked, who was affected, and why it mattered. We’ll also look at how it was fixed, and you’ll find links to further reading and technical details.
What Happened?
Previously:
When you downloaded a file in Firefox (or Thunderbird, which shares the same engine) on macOS or Linux, the browser would save the incomplete download—a temporary file—in a user-specific subdirectory of /tmp. For example, /tmp/firefox-<user>-temp/.
This directory was unique to you, isolated from others.
After the change:
A code change moved these temp files into the shared /tmp folder directly—without a user-specific directory. Like this: /tmp/<file-being-downloaded>. This meant *any* user account on the system could see and potentially mess with your unfinished downloads.
Why is this dangerous?
On shared systems (think: universities, labs, offices, families), /tmp is accessible to all logged-in users. A malicious user could:
Read sensitive data in files as they’re being downloaded.
- Tamper with files (e.g., swap a pending .exe download for malware before it completes and is verified).
Cause confusion, crashes, or exploit other software’s assumptions.
The fix?
The developers reverted to the original behavior: temp downloads went back to being stored in user-only subdirectories in /tmp.
Thunderbird versions before 91.7
Only the macOS and Linux builds were affected.
*Windows and other platforms were never vulnerable.*
Walkthrough Example: How an Attack Might Work
Suppose Alice and Bob share a Linux computer. Bob is downloading a sensitive PDF in Firefox. The PDF is partially written as /tmp/secrets.pdf.part.
Meanwhile, Alice runs the following
# List all files in /tmp
ls /tmp/
# Find every .part file (incomplete downloads)
ls /tmp/*.part
# Copy the partially downloaded file
cp /tmp/secrets.pdf.part /home/alice/steal.pdf
# or just open and read it directly
cat /tmp/secrets.pdf.part
She can now peek at private data, or, more maliciously
# Overwrite the file (potentially injecting malicious content)
echo "hacked" > /tmp/secrets.pdf.part
This is much harder if temp files are protected in /tmp/firefox-alice-tmp/ with user-only permissions.
How Did This Change Sneak In?
The tweak was likely made for simplicity, to comply with certain Linux standards, or due to a misunderstanding of /tmp's shared nature. It didn’t get caught until users or researchers noticed the new behavior and pointed out the risk.
Links to Official Resources
- Mozilla Security Advisory 2022-10
- CVE Record on MITRE
- Thunderbird Security Advisory
While the full browser change is buried in Firefox’s C++ and Rust codebase, the logic is roughly
// NOT SECURE: prior flawed logic
tempFilePath = "/tmp/" + originalFileName;
// SECURE: reverted logic
tempFilePath = "/tmp/firefox-" + username + "-tmp/" + originalFileName;
mkdir("/tmp/firefox-" + username + "-tmp/", 070); // Only accessible to the user
In shell commands
# Securely creating a user-specific temp directory
userdir="/tmp/firefox-$(whoami)-tmp"
mkdir -m 700 "$userdir"
downloadfile="$userdir/$(basename $url)"
What Should Users Do?
- If you use Firefox ESR or Thunderbird on Linux or macOS, make sure you’re running at least version 91.7 or later.
- If you’re on a shared system, don’t trust files in /tmp unless you placed them there yourself.
Final Thoughts
CVE-2022-26386 is a great reminder that even small changes in file storage logic can have big security implications—especially on multi-user systems.
If you’re interested in more details, check out Mozilla’s advisory or dig into the CVE record. The Firefox team moved fast, and now you know why those little update nudges matter.
Timeline
Published on: 12/22/2022 20:15:00 UTC
Last modified on: 01/23/2023 13:53:00 UTC