CVE-2024-9680
high-risk
Published 2024-10-09
An attacker was able to achieve code execution in the content process by exploiting a use-after-free in Animation timelines. We have had reports of this vulnerability being exploited in the wild. This vulnerability affects Firefox < 131.0.2, Firefox ESR < 128.3.1, Firefox ESR < 115.16.1, Thunderbird < 131.0.1, Thunderbird < 128.3.1, and Thunderbird < 115.16.0.
Do I need to act?
30.8% chance of exploitation in next 30 days
EPSS score — higher than 69% of all CVEs
CISA KEV: actively exploited in the wild
On the Known Exploited Vulnerabilities catalog — federal agencies must patch
Patch status unknown
Check vendor advisories for fix availability and mitigation guidance
CVSS 9.8/10 · Critical
NETWORK / LOW complexity
Affected Products (5)
References (8)
Issue Tracking
https://bugzilla.mozilla.org/show_bug.cgi?id=1923344
Vendor Advisory
https://www.mozilla.org/security/advisories/mfsa2024-51/
Vendor Advisory
https://www.mozilla.org/security/advisories/mfsa2024-52/
Issue Tracking
https://bugs.freebsd.org/bugzilla/show_bug.cgi?id=281992
US Government Resource
https://www.cisa.gov/known-exploited-vulnerabilities-catalog?field_cve=CVE-2024-...
67 / 100 · high-risk
Severity
32/34 · Critical
Exploitability
23/34 · High
Exposure
12/34 · Low