CVE-2024-3857 — Use After Free in Mozilla Firefox

CWE-416 — Use After Free11 documents8 sources

Severity

7.8HIGHNVD

EPSS

0.1%

top 66.64%

CISA KEV

Not in KEV

Exploit

No known exploits

Affected products

Mozilla Firefox Mozilla Firefox ESR Mozilla Thunderbird +1 more

Timeline

PublishedApr 16

Latest updateApr 25

Description

The JIT created incorrect code for arguments in certain cases. This led to potential use-after-free crashes during garbage collection. This vulnerability affects Firefox < 125, Firefox ESR < 115.10, and Thunderbird < 115.10.

CVSS vector

CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:HExploitability: 1.8 | Impact: 5.9

Affected Packages6 packages

▶CVEListV5mozilla/firefoxunspecified — 125

▶NVDmozilla/firefox< 115.10+1

▶CVEListV5mozilla/firefox_esrunspecified — 115.10

▶CVEListV5mozilla/thunderbirdunspecified — 115.10

▶NVDmozilla/thunderbird< 115.10

Also affects: Debian Linux 10.0

🔴Vulnerability Details

OSV

CVE-2024-3857: The JIT created incorrect code for arguments in certain cases↗2024-04-16

▶

CVEList

CVE-2024-3857: The JIT created incorrect code for arguments in certain cases↗2024-04-16

▶

GHSA

GHSA-8564-m639-jh8r: The JIT created incorrect code for arguments in certain cases↗2024-04-16

▶

📋Vendor Advisories

Ubuntu

Thunderbird vulnerabilities↗2024-04-25

▶

Ubuntu

Firefox vulnerabilities↗2024-04-24

▶

Red Hat

Mozilla: Incorrect JITting of arguments led to use-after-free during garbage collection↗2024-04-16

▶

Debian

CVE-2024-3857: firefox - The JIT created incorrect code for arguments in certain cases. This led to poten...↗2024

▶

Mozilla

Mozilla Foundation Security Advisory 2024-20: CVE-2024-3857↗

▶