CVE-2024-0741
Published: 23 January 2024
Summary
CVE-2024-0741 is a medium-severity Out-of-bounds Write (CWE-787) vulnerability in Mozilla Firefox. Its CVSS base score is 6.5 (Medium).
Operationally, ranked in the top 2.2% of CVEs by exploit likelihood; it is not currently listed in the CISA KEV catalog.
Deeper analysis
CVE-2024-0741 is an out-of-bounds write vulnerability in the ANGLE graphics library that can corrupt memory and trigger a potentially exploitable crash. It affects Firefox versions prior to 122, Firefox ESR versions prior to 115.7, and Thunderbird versions prior to 115.7. The flaw carries a CVSS 3.1 score of 6.5 with network attack vector, low complexity, and high impact on availability.
An attacker can exploit the issue by serving specially crafted web content that triggers the out-of-bounds write when rendered in a vulnerable browser or email client. Successful exploitation requires user interaction such as visiting a malicious page or opening a malicious message, after which memory corruption may occur without further privileges.
Mozilla advisories MFSA2024-01 and MFSA2024-02, along with corresponding Debian LTS announcements, direct users to upgrade to the fixed releases Firefox 122, Firefox ESR 115.7, or Thunderbird 115.7. The referenced Mozilla bug report provides additional technical detail on the root cause and the applied correction.
The EPSS score has remained near 0.49 with no material rise from a low baseline after disclosure.
EU & UK References
- 🇪🇺 ENISA EUVD: EUVD-2024-16530
Vulnerability details
An out of bounds write in ANGLE could have allowed an attacker to corrupt memory leading to a potentially exploitable crash. This vulnerability affects Firefox < 122, Firefox ESR < 115.7, and Thunderbird < 115.7.
- CWE(s)
Related Threats
No named actor attribution yet. ATT&CK technique mapping in progress for this CVE.
Affected Assets
Mitigating Controls
Likely Mitigating Controls AI
Per-CVE control mapping for this CVE has not run yet; the list below is derived from the weakness types (CWEs) cited in the NVD entry.
Out-of-bounds writes that corrupt control flow or inject shellcode are rendered non-executable by the same memory protections.