Cyber Resilience

CVE-2024-9680

Critical · CISA KEV · Active Exploitation · EUVD Exploited · Ransomware-linked

Published: 09 October 2024
Modified: 04 November 2025
KEV Added: 15 October 2024
Patch: available
CVSS v3.1: 9.8 (Critical) CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
EPSS: 0.3081 (96.8th percentile)
Risk Priority: 58 (weighted 60% EPSS · 20% KEV · 20% CVSS)

Summary

CVE-2024-9680 is a critical-severity Use After Free (CWE-416) vulnerability in Mozilla Firefox. Its CVSS base score is 9.8 (Critical).

Operationally, it ranks in the top 3.2% of all CVEs by EPSS exploit likelihood, and CISA has added it to the Known Exploited Vulnerabilities (KEV) catalog, which makes it a mandatory remediation item for US federal agencies and a sensible priority for everyone else.

The strongest mitigations our analysis identified are NIST 800-53 SI-2 (Flaw Remediation) and SC-18 (Mobile Code).

Deeper analysis

CVE-2024-9680 is a use-after-free vulnerability in Animation timelines that permits code execution inside the content process. It affects Firefox versions prior to 131.0.2, Firefox ESR versions prior to 128.3.1 and 115.16.1, and Thunderbird versions prior to 131.0.1, 128.3.1, and 115.16.0.

An unauthenticated remote attacker can trigger the flaw over the network with no user interaction required (CVSS 3.1 vector AV:N/AC:L/PR:N/UI:N, base score 9.8). In practice the trigger is attacker-controlled web content rendered by the browser, such as a malicious or compromised page or an injected advertisement, and the result is arbitrary code execution inside the browser content process. That process is sandboxed, so this bug on its own yields code execution within the sandbox; full compromise of the host requires chaining it with a separate sandbox-escape vulnerability. For Thunderbird, Mozilla's advisory notes that scripting is disabled when reading mail, so the flaw is mainly a risk in browser-like contexts within the mail client.

Mozilla security advisories MFSA2024-51 (Firefox and Firefox ESR) and MFSA2024-52 (Thunderbird) describe the patches that update the listed products to corrected versions; corresponding updates are also referenced in FreeBSD and Microsoft security bulletins.

The vulnerability has been reported as exploited in the wild. Its EPSS score peaked at 0.3554 and currently stands at 0.3081.
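The version ranges above are the check a defender actually has to run across a fleet. The following Python is an added example, not code from this page or from Mozilla: it parses the output format of `firefox --version` / `thunderbird --version` (for example "Mozilla Firefox 128.3.1esr"), picks the maintenance branch (ESR 115, ESR 128, or mainline) from the major version, and compares against the fixed release for that branch as stated in the advisory. The inventory records are constructed sample data; the handling of beta tags such as "131.0b3" (compared by their numeric part only) is an assumption of this example, not something the advisory specifies.

```python
import re

# Fixed releases per maintenance branch, taken from the advisory text on this page
# (MFSA 2024-51 for Firefox / Firefox ESR, MFSA 2024-52 for Thunderbird).
# Key None is the mainline (rapid-release) branch; 115 and 128 are the ESR branches.
FIXED = {
    "firefox":     {115: (115, 16, 1), 128: (128, 3, 1), None: (131, 0, 2)},
    "thunderbird": {115: (115, 16, 0), 128: (128, 3, 1), None: (131, 0, 1)},
}

# First dotted numeric run in the string, e.g. "128.3.1" from "Mozilla Firefox 128.3.1esr".
VERSION_RE = re.compile(r"(\d+(?:\.\d+)+)")


def parse_version(text):
    """Return the version as a tuple of ints, e.g. "Mozilla Firefox 131.0.2" -> (131, 0, 2).

    Suffixes such as "esr" are ignored. A beta tag like "131.0b3" is reduced to its
    numeric part (131, 0); treating betas that way is an assumption of this example.
    """
    m = VERSION_RE.search(text)
    if not m:
        raise ValueError(f"no version number found in {text!r}")
    return tuple(int(part) for part in m.group(1).split("."))


def fixed_version(product, version):
    """Select the patched release for the branch this build belongs to.

    Major 115 -> ESR 115 line, major 128 -> ESR 128 line, anything else -> mainline.
    An old mainline build (e.g. 130.0) is therefore compared against 131.0.2 and
    correctly reported as vulnerable.
    """
    branches = FIXED[product.lower()]
    return branches.get(version[0], branches[None])


def is_vulnerable(product, version_text):
    """True when the installed build predates the patched release for its branch.

    Tuple comparison handles differing lengths: (131, 0) < (131, 0, 2) is True.
    """
    version = parse_version(version_text)
    return version < fixed_version(product, version)


def triage(inventory):
    """Given (host, product, version string) records, e.g. gathered by an inventory
    agent running `firefox --version`, return the hosts that still need the patch."""
    return [host for host, product, text in inventory if is_vulnerable(product, text)]


# Constructed sample inventory for demonstration; these are not real hosts.
SAMPLE_INVENTORY = [
    ("ws-01", "firefox", "Mozilla Firefox 131.0.2"),        # patched mainline
    ("ws-02", "firefox", "Mozilla Firefox 128.2.0esr"),     # ESR 128 before 128.3.1
    ("ws-03", "firefox", "Mozilla Firefox 115.16.1esr"),    # patched ESR 115
    ("ws-04", "firefox", "Mozilla Firefox 130.0"),          # stale mainline
    ("mail-01", "thunderbird", "Thunderbird 131.0"),        # before 131.0.1
    ("mail-02", "thunderbird", "Thunderbird 128.3.1esr"),   # patched ESR 128
]


if __name__ == "__main__":
    for host in triage(SAMPLE_INVENTORY):
        print(f"{host}: CVE-2024-9680 unpatched")
```

The branch selection matters: a naive check of `version < 131.0.2` would wrongly flag a patched ESR 128.3.1 install as vulnerable, and a check against only the ESR numbers would miss stale mainline builds.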

Vulnerability details

An attacker was able to achieve code execution in the content process by exploiting a use-after-free in Animation timelines. We have had reports of this vulnerability being exploited in the wild. This vulnerability affects Firefox < 131.0.2, Firefox ESR < 128.3.1, Firefox ESR < 115.16.1, Thunderbird < 131.0.1, Thunderbird < 128.3.1, and Thunderbird < 115.16.0.

CWE(s): CWE-416 Use After Free
KEV Date Added
15 October 2024

Related Threats

No named actor attribution yet. ATT&CK technique mapping in progress for this CVE.

Affected Assets

mozilla / firefox
Firefox < 131.0.2 (mainline) · Firefox ESR 128.x < 128.3.1 · Firefox ESR 115.x < 115.16.1

mozilla / thunderbird
Thunderbird 131.0 (< 131.0.1) · Thunderbird 128.x < 128.3.1 · Thunderbird 115.x < 115.16.0

debian / debian linux
11.0 (bullseye)

Mitigating Controls

Mitigating Controls (NIST 800-53 r5)

SI-2 Flaw Remediation (prevent)

Directly requires timely application of vendor patches (Firefox 131.0.2 / ESR 128.3.1 / ESR 115.16.1, Thunderbird 131.0.1 / 128.3.1 / 115.16.0) to eliminate the use-after-free in Animation timelines before exploitation occurs. This is the only complete fix.

SI-16 Memory Protection (prevent)

Memory-protection mechanisms (the content-process sandbox and the platform's exploit mitigations) can block or contain use-after-free accesses that lead to arbitrary code execution in the content process. They raise the cost of turning the flaw into reliable code execution and of escaping the sandbox afterwards, but they do not remove the underlying bug.

SC-18 Mobile Code, partial match (prevent)

Restricts or authorizes mobile code (e.g., scripts driving animations) that an attacker could leverage to trigger the vulnerability. Because the trigger is web content rendered by the browser, limiting script from untrusted origins reduces exposure but is not a substitute for the update.

References