An out-of-bounds read can occur when decoding H264 video. This results in a potentially exploitable crash.

External Reference:
https://www.mozilla.org/en-US/security/advisories/mfsa2022-41/#CVE-2022-3266
https://www.mozilla.org/en-US/security/advisories/mfsa2022-42/#CVE-2022-3266

Mozilla upstream states that this issue was fixed in Firefox/Thunderbird version 102.3. The firefox/thunderbird packages as shipped in the following Red Hat products were previously updated to a version that contains the fix via the following errata:

firefox in Red Hat Enterprise Linux 7: https://access.redhat.com/errata/RHSA-2022:6711
firefox in Red Hat Enterprise Linux 8.1 Update Services for SAP Solutions: https://access.redhat.com/errata/RHSA-2022:6703
firefox in Red Hat Enterprise Linux 8.2 Extended Update Support: https://access.redhat.com/errata/RHSA-2022:6707
firefox in Red Hat Enterprise Linux 8.4 Extended Update Support: https://access.redhat.com/errata/RHSA-2022:6701
firefox in Red Hat Enterprise Linux 8: https://access.redhat.com/errata/RHSA-2022:6702
thunderbird in Red Hat Enterprise Linux 7: https://access.redhat.com/errata/RHSA-2022:6710
thunderbird in Red Hat Enterprise Linux 8.1 Update Services for SAP Solutions: https://access.redhat.com/errata/RHSA-2022:6716
thunderbird in Red Hat Enterprise Linux 8.2 Extended Update Support: https://access.redhat.com/errata/RHSA-2022:6715
thunderbird in Red Hat Enterprise Linux 8.4 Extended Update Support: https://access.redhat.com/errata/RHSA-2022:6713
thunderbird in Red Hat Enterprise Linux 8: https://access.redhat.com/errata/RHSA-2022:6708

This bug is now closed. Further updates for individual products will be reflected on the CVE page(s): https://access.redhat.com/security/cve/cve-2022-3266