Mozilla has addressed a critical memory corruption vulnerability affecting its cross-platform Network Security Services (NSS) set of cryptography libraries.
NSS can be used to develop security-enabled client and server apps with support for SSL v3, TLS, PKCS #5, PKCS #7, PKCS #11, PKCS #12, S/MIME, X.509 v3 certificates, and various other security standards.
The security flaw was found by Google vulnerability researcher Tavis Ormandy in NSS versions before 3.73 or 3.68.1 ESR—who also dubbed it BigSig—and is now tracked as CVE-2021-43527.
It can lead to a heap-based buffer overflow when handling DER-encoded DSA or RSA-PSS signatures in email clients and PDF viewers using vulnerable NSS versions (the bug has been fixed in NSS 3.68.1 and NSS 3.73).
The impact of successful heap overflow exploitation can range from program crashes and arbitrary code execution to bypassing security software if code execution is achieved.