Cyber Resilience

CVE-2024-0741

Medium

Published: 23 January 2024

Modified: 30 May 2025
CVSS Score v3.1: 6.5 (CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:H)
EPSS Score: 0.4728 (97.8th percentile)
Risk Priority: 41 (60% EPSS · 20% KEV · 20% CVSS)

Summary

CVE-2024-0741 is a medium-severity Out-of-bounds Write (CWE-787) vulnerability in Mozilla Firefox. Its CVSS base score is 6.5 (Medium).

Operationally, it is ranked in the top 2.2% of CVEs by exploit likelihood; it is not currently listed in the CISA KEV catalog.

Deeper analysis

CVE-2024-0741 is an out-of-bounds write vulnerability in the ANGLE graphics library that can corrupt memory and trigger a potentially exploitable crash. It affects Firefox versions prior to 122, Firefox ESR versions prior to 115.7, and Thunderbird versions prior to 115.7. The flaw carries a CVSS 3.1 score of 6.5 with network attack vector, low complexity, and high impact on availability.

An attacker can exploit the issue by serving specially crafted web content that triggers the out-of-bounds write when rendered in a vulnerable browser or email client. Successful exploitation requires user interaction such as visiting a malicious page or opening a malicious message, after which memory corruption may occur without further privileges.

Mozilla advisories MFSA2024-01 and MFSA2024-02, along with corresponding Debian LTS announcements, direct users to upgrade to the fixed releases Firefox 122, Firefox ESR 115.7, or Thunderbird 115.7. The referenced Mozilla bug report provides additional technical detail on the root cause and the applied correction.

The EPSS score has remained near 0.49 with no material rise from a low baseline after disclosure.

Vulnerability details

An out of bounds write in ANGLE could have allowed an attacker to corrupt memory leading to a potentially exploitable crash. This vulnerability affects Firefox < 122, Firefox ESR < 115.7, and Thunderbird < 115.7.

Related Threats

No named actor attribution yet. ATT&CK technique mapping in progress for this CVE.

Affected Assets

Vendor / Product / Version
mozilla / firefox / ≤ 122.0
mozilla / firefox esr / ≤ 115.7
mozilla / thunderbird / ≤ 115.7
debian / debian linux / 10.0

Mitigating Controls

Likely Mitigating Controls (AI)

Per-CVE control mapping for this CVE has not run yet; the list below is derived from the weakness types (CWEs) cited in the NVD entry.

addresses: CWE-787

Out-of-bounds writes that corrupt control flow or inject shellcode are rendered non-executable by the same memory protections.
