CVE-2024-9401
published 2024-10-01CVE-2024-9401: Memory safety bugs present in Firefox 130, Firefox ESR 115.15, Firefox ESR 128.2, and Thunderbird 128.2. Some of these bugs showed evidence of memory…
critical9.8CVSS 3.1
AVNACLPRNUINSUCHIHAH
Memory safety bugs present in Firefox 130, Firefox ESR 115.15, Firefox ESR 128.2, and Thunderbird 128.2. Some of these bugs showed evidence of memory corruption and we presume that with enough effort some of these could have been exploited to run arbitrary code. This vulnerability affects Firefox < 131, Firefox ESR < 128.3, Firefox ESR < 115.16, Thunderbird < 128.3, and Thunderbird < 131.
Affected
19 ranges
| Vendor | Product | Version range | Fixed in |
|---|---|---|---|
| debian | firefox | < firefox 131.0-1 (sid) | firefox 131.0-1 (sid) |
| debian | firefox-esr | < firefox 131.0-1 (sid) | firefox 131.0-1 (sid) |
| debian | thunderbird | < firefox 131.0-1 (sid) | firefox 131.0-1 (sid) |
| mozilla | firefox | < 115.16.0 | 115.16.0 |
| mozilla | firefox | < 131.0 | 131.0 |
| mozilla | firefox | — | — |
| mozilla | firefox | >= 0 < 131.0+build1.1-0ubuntu0.20.04.1 | 131.0+build1.1-0ubuntu0.20.04.1 |
| mozilla | firefox | >= 116.0 < 128.3.0 | 128.3.0 |
| mozilla | firefox | >= unspecified < 131 | 131 |
| mozilla | firefox_esr | >= unspecified < 128.3 | 128.3 |
| mozilla | firefox_esr | >= unspecified < 115.16 | 115.16 |
| mozilla | thunderbird | < 128.3.0 | 128.3.0 |
| mozilla | thunderbird | >= 0 < 1:115.16.0esr-1~deb11u1 | 1:115.16.0esr-1~deb11u1 |
| mozilla | thunderbird | >= 0 < 1:115.16.0esr-1~deb12u1 | 1:115.16.0esr-1~deb12u1 |
| mozilla | thunderbird | >= 0 < 1:128.3.0esr-1 | 1:128.3.0esr-1 |
| mozilla | thunderbird | >= 0 < 1:128.3.0esr-1 | 1:128.3.0esr-1 |
| mozilla | thunderbird | >= 129.0 < 131.0 | 131.0 |
| mozilla | thunderbird | >= unspecified < 128.3 | 128.3 |
| mozilla | thunderbird | >= unspecified < 131 | 131 |
CVSS provenance
nvdv3.19.8CRITICALCVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
osv9.8CRITICAL
Ubuntu
Firefox vulnerabilities
vendor_ubuntu·2024-10-07·CVSS 9.8
CVE-2024-9394 [CRITICAL] Firefox vulnerabilities
Title: Firefox vulnerabilities
Summary: Several security issues were fixed in Firefox.
Multiple security issues were discovered in Firefox. If a user were
tricked into opening a specially crafted website, an attacker could
potentially exploit these to cause a denial of service, obtain sensitive
information across domains, or execute arbitrary code. (CVE-2024-9392,
CVE-2024-9396, CVE-2024-9397, CVE-2024-9398, CVE-2024-9399, CVE-2024-9400,
CVE-2024-9401, CVE-2024-9402, CVE-2024-9403)
Masato Kinugawa discovered that Firefox did not properly validate
javascript under the "resource://pdf.js" origin. An attacker could
potentially exploit this issue to execute arbitrary javascript code and
access cross-origin PDF content. (CVE-2024-9393)
Masato Kinugawa discovered that Firefox did not properl
Red Hat
firefox: thunderbird: Memory safety bugs fixed in Firefox 131, Firefox ESR 115.16, Firefox ESR 128.3, Thunderbird 131, and Thunderbird 128.3
vendor_redhat·2024-10-01·CVSS 9.8
CVE-2024-9401 [CRITICAL] CWE-120 firefox: thunderbird: Memory safety bugs fixed in Firefox 131, Firefox ESR 115.16, Firefox ESR 128.3, Thunderbird 131, and Thunderbird 128.3
firefox: thunderbird: Memory safety bugs fixed in Firefox 131, Firefox ESR 115.16, Firefox ESR 128.3, Thunderbird 131, and Thunderbird 128.3
Memory safety bugs present in Firefox 130, Firefox ESR 115.15, Firefox ESR 128.2, and Thunderbird 128.2. Some of these bugs showed evidence of memory corruption and we presume that with enough effort some of these could have been exploited to run arbitrary code. This vulnerability affects Firefox < 131, Firefox ESR < 128.3, Firefox ESR < 115.16, Thunderbird < 128.3, and Thunderbird < 131.
The Mozilla Foundation's Security Advisory: Memory safety bugs present in Firefox 130, Firefox ESR 115.15, Firefox ESR 128.2, and Thunderbird 128.2. Some of these bugs show evidence of memory corruption and we presume that with enough effort, some of these could be
Debian
CVE-2024-9401: firefox - Memory safety bugs present in Firefox 130, Firefox ESR 115.15, Firefox ESR 128.2...
vendor_debian·2024·CVSS 9.8
CVE-2024-9401 [CRITICAL] CVE-2024-9401: firefox - Memory safety bugs present in Firefox 130, Firefox ESR 115.15, Firefox ESR 128.2...
Memory safety bugs present in Firefox 130, Firefox ESR 115.15, Firefox ESR 128.2, and Thunderbird 128.2. Some of these bugs showed evidence of memory corruption and we presume that with enough effort some of these could have been exploited to run arbitrary code. This vulnerability affects Firefox < 131, Firefox ESR < 128.3, Firefox ESR < 115.16, Thunderbird < 128.3, and Thunderbird < 131.
Scope: local
sid: resolved (fixed in 131.0-1)
Mozilla
Mozilla Foundation Security Advisory 2024-46: CVE-2024-9401
vendor_mozilla·CVSS 9.8
CVE-2024-9401 [CRITICAL] Mozilla Foundation Security Advisory 2024-46: CVE-2024-9401
Mozilla Foundation Security Advisory 2024-46
CVE: CVE-2024-9401
Product: Firefox
Impact: high
Fixed in: Firefox 131
Mozilla
Mozilla Foundation Security Advisory 2024-48: CVE-2024-9401
vendor_mozilla·CVSS 9.8
CVE-2024-9401 [CRITICAL] Mozilla Foundation Security Advisory 2024-48: CVE-2024-9401
Mozilla Foundation Security Advisory 2024-48
CVE: CVE-2024-9401
Product: Firefox ESR
Impact: high
Fixed in: Firefox ESR 115.16
Mozilla
Mozilla Foundation Security Advisory 2024-49: CVE-2024-9401
vendor_mozilla·CVSS 9.8
CVE-2024-9401 [CRITICAL] Mozilla Foundation Security Advisory 2024-49: CVE-2024-9401
Mozilla Foundation Security Advisory 2024-49
CVE: CVE-2024-9401
Product: Thunderbird
Impact: high
Fixed in: Thunderbird 128.3
Mozilla
Mozilla Foundation Security Advisory 2024-47: CVE-2024-9401
vendor_mozilla·CVSS 9.8
CVE-2024-9401 [CRITICAL] Mozilla Foundation Security Advisory 2024-47: CVE-2024-9401
Mozilla Foundation Security Advisory 2024-47
CVE: CVE-2024-9401
Product: Firefox ESR
Impact: high
Fixed in: Firefox ESR 128.3
Mozilla
Mozilla Foundation Security Advisory 2024-50: CVE-2024-9401
vendor_mozilla·CVSS 9.8
CVE-2024-9401 [CRITICAL] Mozilla Foundation Security Advisory 2024-50: CVE-2024-9401
Mozilla Foundation Security Advisory 2024-50
CVE: CVE-2024-9401
Product: Thunderbird
Impact: high
Fixed in: Thunderbird 131
OSV
firefox vulnerabilities
osv·2024-10-07·CVSS 9.8
CVE-2024-9392 [CRITICAL] firefox vulnerabilities
firefox vulnerabilities
Multiple security issues were discovered in Firefox. If a user were
tricked into opening a specially crafted website, an attacker could
potentially exploit these to cause a denial of service, obtain sensitive
information across domains, or execute arbitrary code. (CVE-2024-9392,
CVE-2024-9396, CVE-2024-9397, CVE-2024-9398, CVE-2024-9399, CVE-2024-9400,
CVE-2024-9401, CVE-2024-9402, CVE-2024-9403)
Masato Kinugawa discovered that Firefox did not properly validate
javascript under the "resource://pdf.js" origin. An attacker could
potentially exploit this issue to execute arbitrary javascript code and
access cross-origin PDF content. (CVE-2024-9393)
Masato Kinugawa discovered that Firefox did not properly validate
javascript under the "resource://devtools" origin. An
GHSA
GHSA-fc27-6qvc-xq94: Memory safety bugs present in Firefox 130, Firefox ESR 115
ghsa_unreviewed·2024-10-01
CVE-2024-9401 [CRITICAL] CWE-119 GHSA-fc27-6qvc-xq94: Memory safety bugs present in Firefox 130, Firefox ESR 115
Memory safety bugs present in Firefox 130, Firefox ESR 115.15, Firefox ESR 128.2, and Thunderbird 128.2. Some of these bugs showed evidence of memory corruption and we presume that with enough effort some of these could have been exploited to run arbitrary code. This vulnerability affects Firefox < 131, Firefox ESR < 128.3, Firefox ESR < 115.16, Thunderbird < 128.3, and Thunderbird < 131.
OSV
CVE-2024-9401: Memory safety bugs present in Firefox 130, Firefox ESR 115
osv·2024-10-01·CVSS 9.8
CVE-2024-9401 [CRITICAL] CVE-2024-9401: Memory safety bugs present in Firefox 130, Firefox ESR 115
Memory safety bugs present in Firefox 130, Firefox ESR 115.15, Firefox ESR 128.2, and Thunderbird 128.2. Some of these bugs showed evidence of memory corruption and we presume that with enough effort some of these could have been exploited to run arbitrary code. This vulnerability affects Firefox < 131, Firefox ESR < 128.3, Firefox ESR < 115.16, Thunderbird < 128.3, and Thunderbird < 131.
No detection rules found.
No public exploits indexed.
Bugzilla
CVE-2023-38575 kernel: Local information disclosure in some Intel(R) processors
bugzilla·2024-03-21·CVSS 5.5
CVE-2023-38575 [MEDIUM] CVE-2023-38575 kernel: Local information disclosure in some Intel(R) processors
CVE-2023-38575 kernel: Local information disclosure in some Intel(R) processors
Non-transparent sharing of return predictor targets between contexts in some Intel(R) Processors may allow an authorized user to potentially enable information disclosure via local access.
https://www.intel.com/content/www/us/en/security-center/advisory/intel-sa-00982.html
Discussion:
Created kernel tracking bugs for this issue:
Affects: fedora-all [bug 2270735]
---
"Intel is releasing a firmware update to mitigate this potential vulnerability."
And again, another microcode, not kernel.
---
This issue has been addressed in the following products:
Red Hat Enterprise Linux 9
Via RHSA-2024:9401 https://access.redhat.com/errata/RHSA-2024:9401
Bugzilla
CVE-2023-39368 kernel: Possible Denial of Service on Intel(R) Processors
bugzilla·2024-03-21·CVSS 6.5
CVE-2023-39368 [MEDIUM] CVE-2023-39368 kernel: Possible Denial of Service on Intel(R) Processors
CVE-2023-39368 kernel: Possible Denial of Service on Intel(R) Processors
Protection mechanism failure of bus lock regulator for some Intel(R) Processors may allow an unauthenticated user to potentially enable denial of service via network access.
https://www.intel.com/content/www/us/en/security-center/advisory/intel-sa-00972.html
Discussion:
Created kernel tracking bugs for this issue:
Affects: fedora-all [bug 2270736]
---
This issue has been addressed in the following products:
Red Hat Enterprise Linux 9
Via RHSA-2024:9401 https://access.redhat.com/errata/RHSA-2024:9401
Bugzilla
CVE-2023-22655 kernel: local privilege escalation on Intel microcode on Intel(R) Xeon(R)
bugzilla·2024-03-21·CVSS 6.1
CVE-2023-22655 [MEDIUM] CVE-2023-22655 kernel: local privilege escalation on Intel microcode on Intel(R) Xeon(R)
CVE-2023-22655 kernel: local privilege escalation on Intel microcode on Intel(R) Xeon(R)
Protection mechanism failure in some 3rd and 4th Generation Intel(R) Xeon(R) Processors when using Intel(R) SGX or Intel(R) TDX may allow a privileged user to potentially enable escalation of privilege via local access.
https://www.intel.com/content/www/us/en/security-center/advisory/intel-sa-00960.html
Discussion:
Created kernel tracking bugs for this issue:
Affects: fedora-all [bug 2270720]
---
This issue has been addressed in the following products:
Red Hat Enterprise Linux 9
Via RHSA-2024:9401 https://access.redhat.com/errata/RHSA-2024:9401
Bugzilla
CVE-2023-43490 kernel: Local information disclosure on Intel(R) Xeon(R) D processors with Intel(R) SGX due to incorrect calculation in microcode
bugzilla·2024-03-21·CVSS 5.3
CVE-2023-43490 [MEDIUM] CVE-2023-43490 kernel: Local information disclosure on Intel(R) Xeon(R) D processors with Intel(R) SGX due to incorrect calculation in microcode
CVE-2023-43490 kernel: Local information disclosure on Intel(R) Xeon(R) D processors with Intel(R) SGX due to incorrect calculation in microcode
Incorrect calculation in microcode keying mechanism for some Intel(R) Xeon(R) D Processors with Intel(R) SGX may allow a privileged user to potentially enable information disclosure via local access.
https://www.intel.com/content/www/us/en/security-center/advisory/intel-sa-01045.html
Discussion:
Created kernel tracking bugs for this issue:
Affects: fedora-all [bug 2270737]
---
This issue has been addressed in the following products:
Red Hat Enterprise Linux 9
Via RHSA-2024:9401 https://access.redhat.com/errata/RHSA-2024:9401
https://bugzilla.mozilla.org/buglist.cgi?bug_id=1872744%2C1897792%2C1911317%2C1916476https://www.mozilla.org/security/advisories/mfsa2024-46/https://www.mozilla.org/security/advisories/mfsa2024-47/https://www.mozilla.org/security/advisories/mfsa2024-48/https://www.mozilla.org/security/advisories/mfsa2024-49/https://www.mozilla.org/security/advisories/mfsa2024-50/https://lists.debian.org/debian-lts-announce/2024/10/msg00006.html
2024-10-01
Published