CVE-2024-11704
published 2024-11-26CVE-2024-11704: A double-free issue could have occurred in `sec_pkcs7_decoder_start_decrypt()` when handling an error path. Under specific conditions, the same symmetric key…
critical9.8CVSS 3.1
AVNACLPRNUINSUCHIHAH
A double-free issue could have occurred in `sec_pkcs7_decoder_start_decrypt()` when handling an error path. Under specific conditions, the same symmetric key could have been freed twice, potentially leading to memory corruption. This vulnerability affects Firefox < 133, Thunderbird < 133, Firefox ESR < 128.7, and Thunderbird < 128.7.
Affected
17 ranges
| Vendor | Product | Version range | Fixed in |
|---|---|---|---|
| debian | firefox | < firefox 134.0-1 (sid) | firefox 134.0-1 (sid) |
| debian | firefox-esr | < firefox 134.0-1 (sid) | firefox 134.0-1 (sid) |
| debian | thunderbird | < firefox 134.0-1 (sid) | firefox 134.0-1 (sid) |
| mozilla | firefox | < 128.7.0 | 128.7.0 |
| mozilla | firefox | < 133.0 | 133.0 |
| mozilla | firefox | — | — |
| mozilla | firefox | >= 0 < 133.0+build2-0ubuntu0.20.04.1 | 133.0+build2-0ubuntu0.20.04.1 |
| mozilla | firefox | >= unspecified < 133 | 133 |
| mozilla | firefox_esr | >= unspecified < 128.7 | 128.7 |
| mozilla | thunderbird | < 128.7.0 | 128.7.0 |
| mozilla | thunderbird | >= 0 < 1:128.7.0esr-1~deb11u1 | 1:128.7.0esr-1~deb11u1 |
| mozilla | thunderbird | >= 0 < 1:128.7.0esr-1~deb12u1 | 1:128.7.0esr-1~deb12u1 |
| mozilla | thunderbird | >= 0 < 1:128.7.0esr-1 | 1:128.7.0esr-1 |
| mozilla | thunderbird | >= 0 < 1:128.7.0esr-1 | 1:128.7.0esr-1 |
| mozilla | thunderbird | >= 129.0 < 133.0 | 133.0 |
| mozilla | thunderbird | >= unspecified < 133 | 133 |
| mozilla | thunderbird | >= unspecified < 128.7 | 128.7 |
CVSS provenance
nvdv3.19.8CRITICALCVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
osv9.8CRITICAL
Ubuntu
Firefox vulnerabilities
vendor_ubuntu·2024-12-03·CVSS 4.3
CVE-2024-11692 [MEDIUM] Firefox vulnerabilities
Title: Firefox vulnerabilities
Summary: Several security issues were fixed in Firefox.
Multiple security issues were discovered in Firefox. If a user were
tricked into opening a specially crafted website, an attacker could
potentially exploit these to cause a denial of service, obtain sensitive
information across domains, or execute arbitrary code. (CVE-2024-11692,
CVE-2024-11694, CVE-2024-11695, CVE-2024-11696, CVE-2024-11697,
CVE-2024-11699, CVE-2024-11701, CVE-2024-11704, CVE-2024-11705,
CVE-2024-11706, CVE-2024-11708)
Instructions: After a standard system update you need to restart Firefox to make all the
necessary changes
Red Hat
firefox: thunderbird: Potential Double-Free Vulnerability in PKCS#7 Decryption Handling
vendor_redhat·2024-11-26·CVSS 9.8
CVE-2024-11704 [CRITICAL] CWE-415 firefox: thunderbird: Potential Double-Free Vulnerability in PKCS#7 Decryption Handling
firefox: thunderbird: Potential Double-Free Vulnerability in PKCS#7 Decryption Handling
A double-free issue could have occurred in `sec_pkcs7_decoder_start_decrypt()` when handling an error path. Under specific conditions, the same symmetric key could have been freed twice, potentially leading to memory corruption. This vulnerability affects Firefox < 133, Thunderbird < 133, Firefox ESR < 128.7, and Thunderbird < 128.7.
A flaw was found in Mozilla. The Mozilla Foundation's Security Advisory describes the following issue: A double-free issue could have occurred in `sec_pkcs7_decoder_start_decrypt()` when handling an error path. Under specific conditions, the same symmetric key could have been freed twice, potentially leading to memory corruption.
Statement: Red Hat Product Security rates
Debian
CVE-2024-11704: firefox - A double-free issue could have occurred in `sec_pkcs7_decoder_start_decrypt()` w...
vendor_debian·2024·CVSS 9.8
CVE-2024-11704 [CRITICAL] CVE-2024-11704: firefox - A double-free issue could have occurred in `sec_pkcs7_decoder_start_decrypt()` w...
A double-free issue could have occurred in `sec_pkcs7_decoder_start_decrypt()` when handling an error path. Under specific conditions, the same symmetric key could have been freed twice, potentially leading to memory corruption. This vulnerability affects Firefox < 133, Thunderbird < 133, Firefox ESR < 128.7, and Thunderbird < 128.7.
Scope: local
sid: resolved (fixed in 134.0-1)
Mozilla
Mozilla Foundation Security Advisory 2024-63: CVE-2024-11704
vendor_mozilla·CVSS 9.8
CVE-2024-11704 [CRITICAL] Mozilla Foundation Security Advisory 2024-63: CVE-2024-11704
Mozilla Foundation Security Advisory 2024-63
CVE: CVE-2024-11704
Product: Firefox
Impact: high
Fixed in: Firefox 133
Mozilla
Mozilla Foundation Security Advisory 2025-09: CVE-2024-11704
vendor_mozilla·CVSS 9.8
CVE-2024-11704 [CRITICAL] Mozilla Foundation Security Advisory 2025-09: CVE-2024-11704
Mozilla Foundation Security Advisory 2025-09
CVE: CVE-2024-11704
Product: Firefox ESR
Impact: moderate
Fixed in: Firefox ESR 128.7
Mozilla
Mozilla Foundation Security Advisory 2025-10: CVE-2024-11704
vendor_mozilla·CVSS 9.8
CVE-2024-11704 [CRITICAL] Mozilla Foundation Security Advisory 2025-10: CVE-2024-11704
Mozilla Foundation Security Advisory 2025-10
CVE: CVE-2024-11704
Product: Thunderbird
Impact: moderate
Fixed in: Thunderbird 128.7
Mozilla
Mozilla Foundation Security Advisory 2024-67: CVE-2024-11704
vendor_mozilla·CVSS 9.8
CVE-2024-11704 [CRITICAL] Mozilla Foundation Security Advisory 2024-67: CVE-2024-11704
Mozilla Foundation Security Advisory 2024-67
CVE: CVE-2024-11704
Product: Thunderbird
Impact: high
Fixed in: Thunderbird 133
OSV
firefox vulnerabilities
osv·2024-12-03·CVSS 4.3
CVE-2024-11692 [MEDIUM] firefox vulnerabilities
firefox vulnerabilities
Multiple security issues were discovered in Firefox. If a user were
tricked into opening a specially crafted website, an attacker could
potentially exploit these to cause a denial of service, obtain sensitive
information across domains, or execute arbitrary code. (CVE-2024-11692,
CVE-2024-11694, CVE-2024-11695, CVE-2024-11696, CVE-2024-11697,
CVE-2024-11699, CVE-2024-11701, CVE-2024-11704, CVE-2024-11705,
CVE-2024-11706, CVE-2024-11708)
GHSA
GHSA-h8gv-f7pf-7c4p: A double-free issue could have occurred in `sec_pkcs7_decoder_start_decrypt()` when handling an error path
ghsa_unreviewed·2024-11-26
CVE-2024-11704 [CRITICAL] CWE-415 GHSA-h8gv-f7pf-7c4p: A double-free issue could have occurred in `sec_pkcs7_decoder_start_decrypt()` when handling an error path
A double-free issue could have occurred in `sec_pkcs7_decoder_start_decrypt()` when handling an error path. Under specific conditions, the same symmetric key could have been freed twice, potentially leading to memory corruption. This vulnerability affects Firefox < 133 and Thunderbird < 133.
OSV
CVE-2024-11704: A double-free issue could have occurred in `sec_pkcs7_decoder_start_decrypt()` when handling an error path
osv·2024-11-26·CVSS 9.8
CVE-2024-11704 [CRITICAL] CVE-2024-11704: A double-free issue could have occurred in `sec_pkcs7_decoder_start_decrypt()` when handling an error path
A double-free issue could have occurred in `sec_pkcs7_decoder_start_decrypt()` when handling an error path. Under specific conditions, the same symmetric key could have been freed twice, potentially leading to memory corruption. This vulnerability affects Firefox < 133, Thunderbird < 133, Firefox ESR < 128.7, and Thunderbird < 128.7.
No detection rules found.
No public exploits indexed.
No writeups or analysis indexed.
https://bugzilla.mozilla.org/show_bug.cgi?id=1899402https://www.mozilla.org/security/advisories/mfsa2024-63/https://www.mozilla.org/security/advisories/mfsa2024-67/https://www.mozilla.org/security/advisories/mfsa2025-09/https://www.mozilla.org/security/advisories/mfsa2025-10/https://lists.debian.org/debian-lts-announce/2025/02/msg00005.htmlhttps://lists.debian.org/debian-lts-announce/2025/02/msg00006.html
2024-11-26
Published