CVE-2024-8381
Published: 03 September 2024
Summary
CVE-2024-8381 is a critical-severity Type Confusion (CWE-843) vulnerability in Mozilla Firefox Esr. Its CVSS base score is 9.8 (Critical).
Operationally, ranked in the top 6.2% of CVEs by exploit likelihood; it is not currently listed in the CISA KEV catalog.
Deeper analysis
CVE-2024-8381 is a type confusion vulnerability (CWE-843) that can be triggered when performing a property name lookup on an object used as the `with` environment in the JavaScript engine. It affects Firefox versions prior to 130, Firefox ESR versions prior to 128.2 and 115.15, and Thunderbird versions prior to 128.2 and 115.15.
An unauthenticated remote attacker can exploit the flaw over the network by serving malicious web content or email that causes the browser or client to perform the unsafe lookup, resulting in arbitrary code execution with full impact to confidentiality, integrity, and availability.
Mozilla security advisories MFSA2024-39, MFSA2024-40, MFSA2024-41, and MFSA2024-43, along with the associated Bugzilla entry, direct users to upgrade to the fixed releases to eliminate the issue.
The EPSS score has remained in the 0.11–0.12 range with only a modest peak, indicating moderate but not rapidly escalating exploitation interest.
EU & UK References
- 🇪🇺 ENISA EUVD: EUVD-2024-49137
Vulnerability details
A potentially exploitable type confusion could be triggered when looking up a property name on an object being used as the `with` environment. This vulnerability affects Firefox < 130, Firefox ESR < 128.2, Firefox ESR < 115.15, Thunderbird < 128.2,…
more
and Thunderbird < 115.15.
- CWE(s)
Related Threats
No named actor attribution yet. ATT&CK technique mapping in progress for this CVE.
Affected Assets
Mitigating Controls
No mitigating controls mapped yet. The per-CVE control annotator has not reached this CVE.