CVE-2024-4777 : Memory safety bugs present in Firefox 125, Firefox ESR 115.10, and Thunderbird 1

Memory safety bugs present in Firefox 125, Firefox ESR 115.10, and Thunderbird 115.10. Some of these bugs showed evidence of memory corruption and we presume that with enough effort some of these could have been exploited to run arbitrary code. This vulnerability affects Firefox < 126, Firefox ESR < 115.11, and Thunderbird < 115.11.

Published 2024-05-14 17:21:25

Updated 2025-03-13 17:15:33

Source Mozilla Corporation

View at NVD, CVE.org

Vulnerability category: Memory Corruption

Products affected by CVE-2024-4777

Debian » Debian Linux » Version: 10.0
cpe:2.3:o:debian:debian_linux:10.0:*:*:*:*:*:*:*
Matching versions
Mozilla » Firefox »
Versions before (<) 126.0
cpe:2.3:a:mozilla:firefox:*:*:*:*:-:*:*:*
Matching versions
Mozilla » Firefox » ESR Edition
Versions before (<) 115.11.0
cpe:2.3:a:mozilla:firefox:*:*:*:*:esr:*:*:*
Matching versions
Mozilla » Thunderbird
Versions before (<) 115.11.0
cpe:2.3:a:mozilla:thunderbird:*:*:*:*:*:*:*:*
Matching versions

Exploit prediction scoring system (EPSS) score for CVE-2024-4777

EPSS FAQ

0.61%

Probability of exploitation activity in the next 30 days EPSS Score History

~ 68 %

Percentile, the proportion of vulnerabilities that are scored at or less

CVSS scores for CVE-2024-4777

Base Score	Base Severity	CVSS Vector	Exploitability Score	Impact Score	Score Source	First Seen
7.5	HIGH	CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:U/C:H/I:H/A:H	1.6	5.9	134c704f-9b21-4f2e-91b3-4a467353bcc0	2025-03-13
Attack Vector: Network Attack Complexity: High Privileges Required: None User Interaction: Required Scope: Unchanged Confidentiality: High Integrity: High Availability: High
8.8	HIGH	CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H	2.8	5.9	NIST	2025-01-22
Attack Vector: Network Attack Complexity: Low Privileges Required: None User Interaction: Required Scope: Unchanged Confidentiality: High Integrity: High Availability: High
6.1	MEDIUM	CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N	N/A	N/A	RedHat-CVE-2024-4777	2024-05-14
Attack Vector: Network Attack Complexity: Low Privileges Required: None User Interaction: Required Scope: Changed Confidentiality: Low Integrity: Low Availability: None

CWE ids for CVE-2024-4777

CWE-416 Use After Free

The product reuses or references memory after it has been freed. At some point afterward, the memory may be allocated again and saved in another pointer, while the original pointer references a location somewhere within the new allocation. Any operations using the original pointer are no longer valid because the memory "belongs" to the code that operates on the new pointer.

Assigned by: 134c704f-9b21-4f2e-91b3-4a467353bcc0 (Secondary)
CWE-787 Out-of-bounds Write

The product writes data past the end, or before the beginning, of the intended buffer.

Assigned by: nvd@nist.gov (Primary)

References for CVE-2024-4777

https://www.mozilla.org/security/advisories/mfsa2024-23/

Security Vulnerabilities fixed in Thunderbird 115.11 — Mozilla
Vendor Advisory

CVEs referencing this url
https://lists.debian.org/debian-lts-announce/2024/05/msg00010.html

[SECURITY] [DLA 3815-1] firefox-esr security update
Mailing List

CVEs referencing this url
https://bugzilla.mozilla.org/buglist.cgi?bug_id=1878199%2C1893340

Bug List
Issue Tracking
https://www.mozilla.org/security/advisories/mfsa2024-22/

Security Vulnerabilities fixed in Firefox ESR 115.11 — Mozilla
Vendor Advisory

CVEs referencing this url
https://www.mozilla.org/security/advisories/mfsa2024-21/

Security Vulnerabilities fixed in Firefox 126 — Mozilla
Vendor Advisory

CVEs referencing this url
https://lists.debian.org/debian-lts-announce/2024/05/msg00012.html

[SECURITY] [DLA 3817-1] thunderbird security update
Mailing List

CVEs referencing this url

Jump to

Vulnerability Details : CVE-2024-4777

Products affected by CVE-2024-4777

Exploit prediction scoring system (EPSS) score for CVE-2024-4777

CVSS scores for CVE-2024-4777

CWE ids for CVE-2024-4777

References for CVE-2024-4777