Search for vulnerabilities
Vulnerability details: VCID-msgg-jv2j-z7ds
Vulnerability ID VCID-msgg-jv2j-z7ds
Aliases CVE-2022-28289
Summary Mozilla developers and community members Nika Layzell, Andrew McCreight, Gabriele Svelto, and the Mozilla Fuzzing Team reported memory safety bugs present in Thunderbird 91.7. Some of these bugs showed evidence of memory corruption and we presume that with enough effort some of these could have been exploited to run arbitrary code.
Status Published
Exploitability 0.5
Weighted Severity 8.0
Risk 4.0
Affected and Fixed Packages Package Details
Weaknesses (2)
CWE-120 Buffer Copy without Checking Size of Input ('Classic Buffer Overflow')
CWE-787 Out-of-bounds Write
System Score Found at
cvssv3 8.8 https://access.redhat.com/hydra/rest/securitydata/cve/CVE-2022-28289.json
epss 0.0022 https://api.first.org/data/v1/epss?cve=CVE-2022-28289
epss 0.0022 https://api.first.org/data/v1/epss?cve=CVE-2022-28289
epss 0.0022 https://api.first.org/data/v1/epss?cve=CVE-2022-28289
epss 0.0022 https://api.first.org/data/v1/epss?cve=CVE-2022-28289
epss 0.0022 https://api.first.org/data/v1/epss?cve=CVE-2022-28289
epss 0.0022 https://api.first.org/data/v1/epss?cve=CVE-2022-28289
epss 0.0022 https://api.first.org/data/v1/epss?cve=CVE-2022-28289
epss 0.0022 https://api.first.org/data/v1/epss?cve=CVE-2022-28289
epss 0.0022 https://api.first.org/data/v1/epss?cve=CVE-2022-28289
epss 0.0022 https://api.first.org/data/v1/epss?cve=CVE-2022-28289
epss 0.00226 https://api.first.org/data/v1/epss?cve=CVE-2022-28289
epss 0.00226 https://api.first.org/data/v1/epss?cve=CVE-2022-28289
epss 0.00226 https://api.first.org/data/v1/epss?cve=CVE-2022-28289
epss 0.00226 https://api.first.org/data/v1/epss?cve=CVE-2022-28289
epss 0.00226 https://api.first.org/data/v1/epss?cve=CVE-2022-28289
epss 0.00226 https://api.first.org/data/v1/epss?cve=CVE-2022-28289
epss 0.00226 https://api.first.org/data/v1/epss?cve=CVE-2022-28289
epss 0.00226 https://api.first.org/data/v1/epss?cve=CVE-2022-28289
cvssv3.1 8.8 https://bugzilla.mozilla.org/buglist.cgi?bug_id=1663508%2C1744525%2C1753508%2C1757476%2C1757805%2C1758549%2C1758776
ssvc Track https://bugzilla.mozilla.org/buglist.cgi?bug_id=1663508%2C1744525%2C1753508%2C1757476%2C1757805%2C1758549%2C1758776
cvssv3.1 7.5 https://ftp.suse.com/pub/projects/security/yaml/suse-cvss-scores.yaml
cvssv3.1 8.8 https://nvd.nist.gov/vuln/detail/CVE-2022-28289
archlinux High https://security.archlinux.org/AVG-2711
archlinux High https://security.archlinux.org/AVG-2712
generic_textual high https://www.mozilla.org/en-US/security/advisories/mfsa2022-13
generic_textual high https://www.mozilla.org/en-US/security/advisories/mfsa2022-14
generic_textual high https://www.mozilla.org/en-US/security/advisories/mfsa2022-15
cvssv3.1 8.8 https://www.mozilla.org/security/advisories/mfsa2022-13/
ssvc Track https://www.mozilla.org/security/advisories/mfsa2022-13/
cvssv3.1 8.8 https://www.mozilla.org/security/advisories/mfsa2022-14/
ssvc Track https://www.mozilla.org/security/advisories/mfsa2022-14/
cvssv3.1 8.8 https://www.mozilla.org/security/advisories/mfsa2022-15/
ssvc Track https://www.mozilla.org/security/advisories/mfsa2022-15/
Reference id Reference type URL
https://access.redhat.com/hydra/rest/securitydata/cve/CVE-2022-28289.json
https://api.first.org/data/v1/epss?cve=CVE-2022-28289
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-1097
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-1196
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-1197
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-24713
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-28281
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-28282
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-28285
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-28286
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-28289
https://ftp.suse.com/pub/projects/security/yaml/suse-cvss-scores.yaml
2072566 https://bugzilla.redhat.com/show_bug.cgi?id=2072566
AVG-2711 https://security.archlinux.org/AVG-2711
AVG-2712 https://security.archlinux.org/AVG-2712
buglist.cgi?bug_id=1663508%2C1744525%2C1753508%2C1757476%2C1757805%2C1758549%2C1758776 https://bugzilla.mozilla.org/buglist.cgi?bug_id=1663508%2C1744525%2C1753508%2C1757476%2C1757805%2C1758549%2C1758776
cpe:2.3:a:mozilla:firefox:*:*:*:*:*:*:*:* https://nvd.nist.gov/vuln/search/results?adv_search=true&isCpeNameSearch=true&query=cpe:2.3:a:mozilla:firefox:*:*:*:*:*:*:*:*
cpe:2.3:a:mozilla:firefox_esr:*:*:*:*:*:*:*:* https://nvd.nist.gov/vuln/search/results?adv_search=true&isCpeNameSearch=true&query=cpe:2.3:a:mozilla:firefox_esr:*:*:*:*:*:*:*:*
cpe:2.3:a:mozilla:thunderbird:*:*:*:*:*:*:*:* https://nvd.nist.gov/vuln/search/results?adv_search=true&isCpeNameSearch=true&query=cpe:2.3:a:mozilla:thunderbird:*:*:*:*:*:*:*:*
CVE-2022-28289 https://nvd.nist.gov/vuln/detail/CVE-2022-28289
mfsa2022-13 https://www.mozilla.org/en-US/security/advisories/mfsa2022-13
mfsa2022-13 https://www.mozilla.org/security/advisories/mfsa2022-13/
mfsa2022-14 https://www.mozilla.org/en-US/security/advisories/mfsa2022-14
mfsa2022-14 https://www.mozilla.org/security/advisories/mfsa2022-14/
mfsa2022-15 https://www.mozilla.org/en-US/security/advisories/mfsa2022-15
mfsa2022-15 https://www.mozilla.org/security/advisories/mfsa2022-15/
RHSA-2022:1283 https://access.redhat.com/errata/RHSA-2022:1283
RHSA-2022:1284 https://access.redhat.com/errata/RHSA-2022:1284
RHSA-2022:1285 https://access.redhat.com/errata/RHSA-2022:1285
RHSA-2022:1286 https://access.redhat.com/errata/RHSA-2022:1286
RHSA-2022:1287 https://access.redhat.com/errata/RHSA-2022:1287
RHSA-2022:1301 https://access.redhat.com/errata/RHSA-2022:1301
RHSA-2022:1302 https://access.redhat.com/errata/RHSA-2022:1302
RHSA-2022:1303 https://access.redhat.com/errata/RHSA-2022:1303
RHSA-2022:1305 https://access.redhat.com/errata/RHSA-2022:1305
RHSA-2022:1326 https://access.redhat.com/errata/RHSA-2022:1326
USN-5370-1 https://usn.ubuntu.com/5370-1/
USN-5393-1 https://usn.ubuntu.com/5393-1/
No exploits are available.
Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H Found at https://access.redhat.com/hydra/rest/securitydata/cve/CVE-2022-28289.json
Attack Vector (AV) Attack Complexity (AC) Privileges Required (PR) User Interaction (UI) Scope (S) Confidentiality Impact (C) Integrity Impact (I) Availability Impact (A)

network

adjacent_network

local

physical

low

high

none

low

high

none

required

unchanged

changed

high

low

none

high

low

none

high

low

none
Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H Found at https://bugzilla.mozilla.org/buglist.cgi?bug_id=1663508%2C1744525%2C1753508%2C1757476%2C1757805%2C1758549%2C1758776
Attack Vector (AV) Attack Complexity (AC) Privileges Required (PR) User Interaction (UI) Scope (S) Confidentiality Impact (C) Integrity Impact (I) Availability Impact (A)

network

adjacent_network

local

physical

low

high

none

low

high

none

required

unchanged

changed

high

low

none

high

low

none

high

low

none
Vector: SSVCv2/E:N/A:N/T:T/P:M/B:A/M:M/D:T/2025-04-16T13:59:30Z/ Found at https://bugzilla.mozilla.org/buglist.cgi?bug_id=1663508%2C1744525%2C1753508%2C1757476%2C1757805%2C1758549%2C1758776
Vector: CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:U/C:H/I:H/A:H Found at https://ftp.suse.com/pub/projects/security/yaml/suse-cvss-scores.yaml
Attack Vector (AV) Attack Complexity (AC) Privileges Required (PR) User Interaction (UI) Scope (S) Confidentiality Impact (C) Integrity Impact (I) Availability Impact (A)

network

adjacent_network

local

physical

low

high

none

low

high

none

required

unchanged

changed

high

low

none

high

low

none

high

low

none
Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H Found at https://nvd.nist.gov/vuln/detail/CVE-2022-28289
Attack Vector (AV) Attack Complexity (AC) Privileges Required (PR) User Interaction (UI) Scope (S) Confidentiality Impact (C) Integrity Impact (I) Availability Impact (A)

network

adjacent_network

local

physical

low

high

none

low

high

none

required

unchanged

changed

high

low

none

high

low

none

high

low

none
Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H Found at https://www.mozilla.org/security/advisories/mfsa2022-13/
Attack Vector (AV) Attack Complexity (AC) Privileges Required (PR) User Interaction (UI) Scope (S) Confidentiality Impact (C) Integrity Impact (I) Availability Impact (A)

network

adjacent_network

local

physical

low

high

none

low

high

none

required

unchanged

changed

high

low

none

high

low

none

high

low

none
Vector: SSVCv2/E:N/A:N/T:T/P:M/B:A/M:M/D:T/2025-04-16T13:59:30Z/ Found at https://www.mozilla.org/security/advisories/mfsa2022-13/
Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H Found at https://www.mozilla.org/security/advisories/mfsa2022-14/
Attack Vector (AV) Attack Complexity (AC) Privileges Required (PR) User Interaction (UI) Scope (S) Confidentiality Impact (C) Integrity Impact (I) Availability Impact (A)

network

adjacent_network

local

physical

low

high

none

low

high

none

required

unchanged

changed

high

low

none

high

low

none

high

low

none
Vector: SSVCv2/E:N/A:N/T:T/P:M/B:A/M:M/D:T/2025-04-16T13:59:30Z/ Found at https://www.mozilla.org/security/advisories/mfsa2022-14/
Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H Found at https://www.mozilla.org/security/advisories/mfsa2022-15/
Attack Vector (AV) Attack Complexity (AC) Privileges Required (PR) User Interaction (UI) Scope (S) Confidentiality Impact (C) Integrity Impact (I) Availability Impact (A)

network

adjacent_network

local

physical

low

high

none

low

high

none

required

unchanged

changed

high

low

none

high

low

none

high

low

none
Vector: SSVCv2/E:N/A:N/T:T/P:M/B:A/M:M/D:T/2025-04-16T13:59:30Z/ Found at https://www.mozilla.org/security/advisories/mfsa2022-15/
Exploit Prediction Scoring System (EPSS)
Percentile 0.44674
EPSS Score 0.0022
Published At July 30, 2025, 12:55 p.m.
Date Actor Action Source VulnerableCode Version
2025-07-31T08:10:04.630203+00:00 Mozilla Importer Import https://github.com/mozilla/foundation-security-advisories/blob/master/announce/2022/mfsa2022-15.yml 37.0.0