CVE-2024-29943
Published: 22 March 2024
Summary
CVE-2024-29943 is a critical-severity Out-of-bounds Read (CWE-125) vulnerability in Mozilla Firefox. Its CVSS base score is 9.8 (Critical).
Operationally, ranked in the top 1.9% of CVEs by exploit likelihood; it is not currently listed in the CISA KEV catalog.
Deeper analysis
CVE-2024-29943 is an out-of-bounds read or write vulnerability affecting JavaScript objects in Firefox versions prior to 124.0.1. The flaw stems from incorrect elimination of range-based bounds checks, which permits memory access beyond the intended object boundaries and is tracked under CWE-125 and CWE-787. It carries a CVSS 3.1 score of 9.8, reflecting network-exploitable conditions with no required authentication or user interaction.
An unauthenticated remote attacker can trigger the issue by serving malicious JavaScript that reaches the flawed bounds-check logic, resulting in arbitrary memory corruption. Successful exploitation can yield full confidentiality, integrity, and availability impact, including the potential for remote code execution within the browser process.
Mozilla’s advisory MFSA2024-15 and the corresponding Bugzilla entry 1886849 indicate that the vulnerability is resolved in Firefox 124.0.1; users are advised to apply the update immediately. The referenced oss-security postings reiterate the same patch guidance for affected Mozilla products.
The associated EPSS score currently stands at 0.5386 with a recorded peak of 0.5737, indicating sustained moderate-to-high exploitation interest following disclosure.
EU & UK References
- 🇪🇺 ENISA EUVD: EUVD-2024-26917
Vulnerability details
An attacker was able to perform an out-of-bounds read or write on a JavaScript object by fooling range-based bounds check elimination. This vulnerability affects Firefox < 124.0.1.
- CWE(s)
Related Threats
No named actor attribution yet. ATT&CK technique mapping in progress for this CVE.
Affected Assets
Mitigating Controls
Likely Mitigating Controls AI
Per-CVE control mapping for this CVE has not run yet; the list below is derived from the weakness types (CWEs) cited in the NVD entry.
Out-of-bounds writes that corrupt control flow or inject shellcode are rendered non-executable by the same memory protections.