⚠ Actively exploited in ransomware campaigns
This vulnerability is on the CISA Known Exploited Vulnerabilities list and has been used in known ransomware attacks. CISA required action: Apply mitigations per vendor instructions or discontinue use of the product if mitigations are unavailable.. Due date: 2024-11-05.
CVE-2024-9680 — Use After Free in Mozilla Firefox
Severity
9.8CRITICALNVD
EPSS
30.8%
top 3.27%
CISA KEV
KEVRansomware
Added 2024-10-15
Due 2024-11-05
Exploit
Exploited in wild
Active exploitation observed
Affected products
Timeline
PublishedOct 9
KEV addedOct 15
KEV dueNov 5
Latest updateAug 11
CISA Required Action: Apply mitigations per vendor instructions or discontinue use of the product if mitigations are unavailable.
Description
An attacker was able to achieve code execution in the content process by exploiting a use-after-free in Animation timelines. We have had reports of this vulnerability being exploited in the wild. This vulnerability affects Firefox < 131.0.2, Firefox ESR < 128.3.1, Firefox ESR < 115.16.1, Thunderbird < 131.0.1, Thunderbird < 128.3.1, and Thunderbird < 115.16.0.
CVSS vector
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:HExploitability: 3.9 | Impact: 5.9
Affected Packages6 packages
Also affects: Debian Linux 11.0
Patches
🔴Vulnerability Details
4OSV▶
CVE-2024-9680: An attacker was able to achieve code execution in the content process by exploiting a use-after-free in Animation timelines↗2024-10-09
GHSA▶
GHSA-hm3j-qgpw-pj98: An attacker was able to achieve code execution in the content process by exploiting a use-after-free in Animation timelines↗2024-10-09
CVEList▶
CVE-2024-9680: An attacker was able to achieve code execution in the content process by exploiting a use-after-free in Animation timelines↗2024-10-09
📋Vendor Advisories
7Debian▶
CVE-2024-9680: firefox - An attacker was able to achieve code execution in the content process by exploit...↗2024