CRITICAL🇵🇱 Wersja polska

CVE-2024-11704

CVSS 9.8v3.1pub. 2024-11-26upd. 2025-11-03

A double-free issue could have occurred in `sec_pkcs7_decoder_start_decrypt()` when handling an error path. Under specific conditions, the same symmetric key could have been freed twice, potentially leading to memory corruption. This vulnerability affects Firefox < 133, Thunderbird < 133, Firefox ESR < 128.7, and Thunderbird < 128.7.

🤖 AI Analysis
How it works

In the `sec_pkcs7_decoder_start_decrypt()` function handling the error path in symmetric encryption, the same symmetric key may be freed from memory twice (double-free). Such double freeing of the same memory area leads to heap corruption. An attacker could potentially exploit this state to take control of program execution by crafting a specially constructed message or content that triggers the incorrect code path.

Impact

Successful exploitation of this vulnerability may lead to arbitrary code execution (RCE) in the context of the browser or mail client process, as well as disclosure of sensitive data or destabilization of application functionality.

Mitigation & patch

Firefox should be updated immediately to version 133 or newer (for ESR branch to version 128.7 or newer) and Thunderbird to version 133 or newer (for ESR branch to version 128.7 or newer). Details available in Mozilla security advisories: mfsa2024-63, mfsa2024-67, mfsa2025-09, mfsa2025-10.

Who is affected

Mozilla Firefox versions below 133, Mozilla Firefox ESR versions below 128.7, Mozilla Thunderbird versions below 133, and Mozilla Thunderbird ESR versions below 128.7.

Analysis generated by Claude AI (Anthropic) based on NVD data. Always verify with vendor.
CVSS Vector
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
  • Mozilla Firefox

    APP
    Mozilla
    < 128.7.0< 133.0
  • Mozilla Thunderbird

    APP
    Mozilla
    < 128.7.0129.0 – 133.0 (bez)
🔵
CHECK WITH VENDOR
No clear patch data available. Check vendor references.
CWE
References

Related vulnerabilities

CVE-2024-9680CRITICAL9.8⚠ KEVPL ✓ten sam produkt

Use-after-free w Animation timelines Firefox/Thunderbird — RCE

CVE-2022-26486CRITICAL9.6⚠ KEVten sam produkt

An unexpected message in the WebGPU IPC framework could lead to a use-after-free and exploitable sandbox escap...

CVE-2019-11708CRITICAL10.0⚠ KEVten sam produkt

Insufficient vetting of parameters passed with the Prompt:Open IPC message between child and parent processes ...

CVE-2010-3765CRITICAL9.8⚠ KEVten sam produkt

Mozilla Firefox 3.5.x through 3.5.14 and 3.6.x through 3.6.11, Thunderbird 3.1.6 before 3.1.6 and 3.0.x before...

CVE-2026-14241CRITICAL9.8ten sam produkt

Memory safety bugs present in Firefox 152.0.3. Some of these bugs showed evidence of memory corruption and we ...