Cyber Resilience

CVE-2024-29943

Critical

Published: 22 March 2024

Published
22 March 2024
Modified
01 April 2025
KEV Added
Patch
CVSS Score v3.1 9.8 CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
EPSS Score 0.5386 98.1th percentile
Risk Priority 52 60% EPSS · 20% KEV · 20% CVSS

Summary

CVE-2024-29943 is a critical-severity Out-of-bounds Read (CWE-125) vulnerability in Mozilla Firefox. Its CVSS base score is 9.8 (Critical).

Operationally, ranked in the top 1.9% of CVEs by exploit likelihood; it is not currently listed in the CISA KEV catalog.

Deeper analysis

CVE-2024-29943 is an out-of-bounds read or write vulnerability affecting JavaScript objects in Firefox versions prior to 124.0.1. The flaw stems from incorrect elimination of range-based bounds checks, which permits memory access beyond the intended object boundaries and is tracked under CWE-125 and CWE-787. It carries a CVSS 3.1 score of 9.8, reflecting network-exploitable conditions with no required authentication or user interaction.

An unauthenticated remote attacker can trigger the issue by serving malicious JavaScript that reaches the flawed bounds-check logic, resulting in arbitrary memory corruption. Successful exploitation can yield full confidentiality, integrity, and availability impact, including the potential for remote code execution within the browser process.

Mozilla’s advisory MFSA2024-15 and the corresponding Bugzilla entry 1886849 indicate that the vulnerability is resolved in Firefox 124.0.1; users are advised to apply the update immediately. The referenced oss-security postings reiterate the same patch guidance for affected Mozilla products.

The associated EPSS score currently stands at 0.5386 with a recorded peak of 0.5737, indicating sustained moderate-to-high exploitation interest following disclosure.

EU & UK References

Vulnerability details

An attacker was able to perform an out-of-bounds read or write on a JavaScript object by fooling range-based bounds check elimination. This vulnerability affects Firefox < 124.0.1.

CWE(s)

Related Threats

No named actor attribution yet. ATT&CK technique mapping in progress for this CVE.

Affected Assets

mozilla
firefox
≤ 124.0.1

Mitigating Controls

Likely Mitigating Controls AI

Per-CVE control mapping for this CVE has not run yet; the list below is derived from the weakness types (CWEs) cited in the NVD entry.

addresses: CWE-787

Out-of-bounds writes that corrupt control flow or inject shellcode are rendered non-executable by the same memory protections.

References