CVE-2021-23986

high

Published — · Modified —

CVSS v3

—

CVSS v2

—

VIR risk

8.0

Description

A malicious extension with the 'search' permission could have installed a new search engine whose favicon referenced a cross-origin URL. The response to this cross-origin request could have been read by the extension, allowing a same-origin policy bypass by the extension, which should not have cross-origin permissions. This cross-origin request was made without cookies, so the sensitive information disclosed by the violation was limited to local-network resources or resources that perform IP-based authentication. This vulnerability affects Firefox < 87.

Predictions

Exploit likelihood

20%

Patch ETA

—

Heuristic predictions, AS-IS, for prioritization only.

Mitigations

vendor Authored 2026-05-27

Vendor advisory: debian — https://security-tracker.debian.org/tracker/CVE-2021-23986

vendor Authored 2026-05-27

Vendor advisory: suse — https://www.suse.com/security/cve/CVE-2021-23986.html

OS impact

OS	Version	Status	Fixed in
arch		fixed	`87.0-1`
sles		affected
debian	sid	fixed	`87.0-1`

References

Verify integrity in audit chain (admin only). AS-IS.