Mozilla Firefox and Firefox ESR Use-After-Free Zero-day Vulnerability (CVE-2024-9680)

Mozilla has warned of the active exploitation of a vulnerability affecting Firefox and Firefox Extended Support Release (ESR). Tracked as CVE-2024-9680, the vulnerability has a critical severity rating with a CVSS score of 9.8.

Damien Schaeffer from ESET discovered and reported the vulnerability to Mozilla.

CVE-2024-9680 is a use-after-free vulnerability in the Animation timelines component of Mozilla Firefox. Animation timelines are part of Firefox’s Web Animations API, which controls and synchronizes animations on web pages. An attacker may exploit the vulnerability to achieve code execution in the content process. A use-after-free vulnerability occurs when memory that has already been freed is still used by the program; an attacker may be able to place malicious data in the freed memory region and thereby achieve code execution.

CISA acknowledged the active exploitation of CVE-2024-9680 by adding it to its Known Exploited Vulnerabilities (KEV) Catalog and requesting that users patch the flaw before November 5, 2024.

Affected Versions

  • Firefox versions before 131.0.2
  • Firefox ESR versions before 128.3.1
  • Firefox ESR versions before 115.16.1

Mitigation

Customers can upgrade to the following versions to mitigate the vulnerability:

  • Firefox 131.0.2
  • Firefox ESR 128.3.1
  • Firefox ESR 115.16.1

For more information, please refer to the Mozilla security advisory.
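To turn the version thresholds above into an inventory check, here is an added Python example (not code from Qualys or Mozilla) that classifies a Firefox version string against the fixed builds listed in this post. The inventory entries are constructed sample data, and the handling of ESR lines not named in the advisory is an assumption noted in the code.

```python
import re
from typing import Dict, List, Tuple

# Fixed builds named in the Mozilla advisory; anything older on the same branch is affected.
FIXED_MAINLINE = (131, 0, 2)
FIXED_ESR = {115: (115, 16, 1), 128: (128, 3, 1)}

# Accepts "131", "131.0.2", "128.3.0esr"; missing components default to zero.
_VERSION_RE = re.compile(r"^(\d+)(?:\.(\d+))?(?:\.(\d+))?(esr)?$")


def parse_version(text: str) -> Tuple[Tuple[int, int, int], bool]:
    """Parse a Firefox version string into ((major, minor, patch), is_esr)."""
    m = _VERSION_RE.match(text.strip().lower())
    if not m:
        raise ValueError(f"unrecognised Firefox version string: {text!r}")
    major, minor, patch, esr = m.groups()
    return (int(major), int(minor or 0), int(patch or 0)), esr is not None


def is_vulnerable(text: str) -> bool:
    """Return True if the build predates the CVE-2024-9680 fix on its branch."""
    version, esr = parse_version(text)
    if not esr:
        return version < FIXED_MAINLINE
    fixed = FIXED_ESR.get(version[0])
    if fixed is None:
        # Assumption: an ESR line the advisory does not list is treated as affected
        # only if it is older than every patched ESR build (e.g. an end-of-life line);
        # a newer ESR line is assumed to carry the fix.
        return version < min(FIXED_ESR.values())
    return version < fixed


def hosts_needing_patch(inventory: Dict[str, str]) -> List[str]:
    """Return the hosts whose installed Firefox build is still affected."""
    return sorted(host for host, ver in inventory.items() if is_vulnerable(ver))


# Constructed sample inventory (host -> installed Firefox version), not real data.
SAMPLE_INVENTORY = {
    "ws-001": "131.0.1",      # mainline, one patch behind the fix
    "ws-002": "131.0.2",      # mainline, fixed
    "srv-010": "128.3.0esr",  # ESR 128, affected
    "srv-011": "128.3.1esr",  # ESR 128, fixed
    "kiosk-07": "115.16.0esr",  # ESR 115, affected
}

if __name__ == "__main__":
    print("Hosts needing the CVE-2024-9680 update:", hosts_needing_patch(SAMPLE_INVENTORY))
```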

Qualys Detection

Qualys customers can scan their devices with QID 380615 to detect vulnerable assets.

Please continue to follow Qualys Threat Protection for more coverage of the latest vulnerabilities.

References

https://www.mozilla.org/en-US/security/advisories/mfsa2024-51/
