NVD - CVE-2024-9680

Description

An attacker was able to achieve code execution in the content process by exploiting a use-after-free in Animation timelines. We have had reports of this vulnerability being exploited in the wild. This vulnerability affects Firefox < 131.0.2, Firefox ESR < 128.3.1, Firefox ESR < 115.16.1, Thunderbird < 131.0.1, Thunderbird < 128.3.1, and Thunderbird < 115.16.0.


Metrics

NVD enrichment efforts reference publicly available information to associate vector strings. CVSS information contributed by other sources is also displayed.

CVSS 4.0 Severity and Vector Strings:


NIST: NVD

NVD assessment not yet provided.

CVSS 3.x Severity and Vector Strings:


NIST: NVD

Vector:  CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

CVSS 2.0 Severity and Vector Strings:

NIST: NVD

Base Score: N/A

NVD assessment not yet provided.

This CVE is in CISA's Known Exploited Vulnerabilities Catalog

Reference CISA's BOD 22-01 and Known Exploited Vulnerabilities Catalog for further guidance and requirements.

Vulnerability Name: Mozilla Firefox Use-After-Free Vulnerability
Date Added: 10/15/2024
Due Date: 11/05/2024
Required Action: Apply mitigations per vendor instructions or discontinue use of the product if mitigations are unavailable.

Weakness Enumeration

CWE-ID: CWE-416
CWE Name: Use After Free
Source: NIST, CISA-ADP

Known Affected Software Configurations

Change History

14 change records found

Modified Analysis by NIST 11/04/2025 9:35:50 AM

Action Type Old Value New Value
Added Reference Type
CISA-ADP: https://www.cisa.gov/known-exploited-vulnerabilities-catalog?field_cve=CVE-2024-9680 Types: US Government Resource
Added Reference Type
CVE: https://lists.debian.org/debian-lts-announce/2024/10/msg00006.html Types: Mailing List

CVE Modified by CVE 11/03/2025 6:17:34 PM

Action Type Old Value New Value
Added Reference
https://lists.debian.org/debian-lts-announce/2024/10/msg00006.html

CVE Modified by CISA-ADP 10/21/2025 7:16:44 PM

Action Type Old Value New Value
Added Reference
https://www.cisa.gov/known-exploited-vulnerabilities-catalog?field_cve=CVE-2024-9680

CVE Modified by CISA-ADP 10/21/2025 4:20:23 PM

Action Type Old Value New Value
Removed Reference
https://www.cisa.gov/known-exploited-vulnerabilities-catalog?field_cve=CVE-2024-9680

CVE Modified by CISA-ADP 10/21/2025 3:21:03 PM

Action Type Old Value New Value
Added Reference
https://www.cisa.gov/known-exploited-vulnerabilities-catalog?field_cve=CVE-2024-9680

Modified Analysis by NIST 11/26/2024 2:53:56 PM

Action Type Old Value New Value
Added CPE Configuration
OR
     *cpe:2.3:o:debian:debian_linux:11.0:*:*:*:*:*:*:*
Changed Reference Type
Old Value: https://bugs.freebsd.org/bugzilla/show_bug.cgi?id=281992 No Types Assigned
New Value: https://bugs.freebsd.org/bugzilla/show_bug.cgi?id=281992 Issue Tracking
Changed Reference Type
Old Value: https://lists.debian.org/debian-lts-announce/2024/10/msg00005.html No Types Assigned
New Value: https://lists.debian.org/debian-lts-announce/2024/10/msg00005.html Mailing List
Changed Reference Type
Old Value: https://msrc.microsoft.com/update-guide/en-US/vulnerability/CVE-2024-49039 Not Applicable
New Value: https://msrc.microsoft.com/update-guide/en-US/vulnerability/CVE-2024-49039 Not Applicable, Patch, Vendor Advisory

CVE Modified by CVE 11/21/2024 4:54:39 AM

Action Type Old Value New Value
Added Reference
https://bugs.freebsd.org/bugzilla/show_bug.cgi?id=281992
Added Reference
https://lists.debian.org/debian-lts-announce/2024/10/msg00005.html

Modified Analysis by NIST 11/19/2024 12:29:12 PM

Action Type Old Value New Value
Changed CPE Configuration
Old Value:
OR
     *cpe:2.3:a:mozilla:firefox:*:*:*:*:*:*:*:* versions up to (excluding) 131.0.2
     *cpe:2.3:a:mozilla:firefox_esr:*:*:*:*:*:*:*:* versions up to (excluding) 115.16.1
     *cpe:2.3:a:mozilla:firefox_esr:*:*:*:*:*:*:*:* versions from (including) 128.0 up to (excluding) 128.3.1
     *cpe:2.3:a:mozilla:thunderbird:*:*:*:*:*:*:*:* versions up to (excluding) 115.16.0
     *cpe:2.3:a:mozilla:thunderbird:*:*:*:*:*:*:*:* versions from (including) 128.0.1 up to (excluding) 128.3.1
     *cpe:2.3:a:mozilla:thunderbird:131.0:*:*:*:*:*:*:*
New Value:
OR
     *cpe:2.3:a:mozilla:firefox:*:*:*:*:esr:*:*:* versions up to (excluding) 115.16.1
     *cpe:2.3:a:mozilla:firefox:*:*:*:*:esr:*:*:* versions from (including) 128.1.0 up to (excluding) 128.3.1
     *cpe:2.3:a:mozilla:firefox:*:*:*:*:-:*:*:* versions up to (excluding) 131.0.2
     *cpe:2.3:a:mozilla:thunderbird:*:*:*:*:*:*:*:* versions up to (excluding) 115.16.0
     *cpe:2.3:a:mozilla:thunderbird:*:*:*:*:*:*:*:* versions from (including) 128.0.1 up to (excluding) 128.3.1
     *cpe:2.3:a:mozilla:thunderbird:131.0:*:*:*:*:*:*:*
Changed Reference Type
Old Value: https://msrc.microsoft.com/update-guide/en-US/vulnerability/CVE-2024-49039 No Types Assigned
New Value: https://msrc.microsoft.com/update-guide/en-US/vulnerability/CVE-2024-49039 Not Applicable

CVE Modified by Mozilla Corporation 11/18/2024 2:15:05 PM

Action Type Old Value New Value
Added Reference
Mozilla Corporation https://msrc.microsoft.com/update-guide/en-US/vulnerability/CVE-2024-49039 [No types assigned]

Initial Analysis by NIST 10/16/2024 11:07:36 AM

Action Type Old Value New Value
Added CVSS V3.1
NIST AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
Added CWE
NIST CWE-416
Added CPE Configuration
OR
     *cpe:2.3:a:mozilla:firefox:*:*:*:*:*:*:*:* versions up to (excluding) 131.0.2
     *cpe:2.3:a:mozilla:firefox_esr:*:*:*:*:*:*:*:* versions up to (excluding) 115.16.1
     *cpe:2.3:a:mozilla:firefox_esr:*:*:*:*:*:*:*:* versions from (including) 128.0 up to (excluding) 128.3.1
     *cpe:2.3:a:mozilla:thunderbird:*:*:*:*:*:*:*:* versions up to (excluding) 115.16.0
     *cpe:2.3:a:mozilla:thunderbird:*:*:*:*:*:*:*:* versions from (including) 128.0.1 up to (excluding) 128.3.1
     *cpe:2.3:a:mozilla:thunderbird:131.0:*:*:*:*:*:*:*
Changed Reference Type
Old Value: https://bugzilla.mozilla.org/show_bug.cgi?id=1923344 No Types Assigned
New Value: https://bugzilla.mozilla.org/show_bug.cgi?id=1923344 Issue Tracking, Permissions Required
Changed Reference Type
Old Value: https://www.mozilla.org/security/advisories/mfsa2024-51/ No Types Assigned
New Value: https://www.mozilla.org/security/advisories/mfsa2024-51/ Vendor Advisory
Changed Reference Type
Old Value: https://www.mozilla.org/security/advisories/mfsa2024-52/ No Types Assigned
New Value: https://www.mozilla.org/security/advisories/mfsa2024-52/ Vendor Advisory

CVE CISA KEV Update by Cybersecurity and Infrastructure Security Agency (CISA) U.S. Civilian Government 10/15/2024 9:00:02 PM

Action Type Old Value New Value
Added Date Added
2024-10-15
Added Due Date
2024-11-05
Added Required Action
Apply mitigations per vendor instructions or discontinue use of the product if mitigations are unavailable.
Added Vulnerability Name
Mozilla Firefox Use-After-Free Vulnerability

CVE Modified by Mozilla Corporation 10/11/2024 9:15:21 AM

Action Type Old Value New Value
Changed Description
Old Value: An attacker was able to achieve code execution in the content process by exploiting a use-after-free in Animation timelines. We have had reports of this vulnerability being exploited in the wild. This vulnerability affects Firefox < 131.0.2, Firefox ESR < 128.3.1, and Firefox ESR < 115.16.1.
New Value: An attacker was able to achieve code execution in the content process by exploiting a use-after-free in Animation timelines. We have had reports of this vulnerability being exploited in the wild. This vulnerability affects Firefox < 131.0.2, Firefox ESR < 128.3.1, Firefox ESR < 115.16.1, Thunderbird < 131.0.1, Thunderbird < 128.3.1, and Thunderbird < 115.16.0.
Added Reference
Mozilla Corporation https://www.mozilla.org/security/advisories/mfsa2024-52/ [No types assigned]

CVE Modified by CISA-ADP 10/09/2024 12:35:10 PM

Action Type Old Value New Value
Added CVSS V3.1
CISA-ADP AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
Added CWE
CISA-ADP CWE-416

New CVE Received from Mozilla Corporation 10/09/2024 9:15:12 AM

Action Type Old Value New Value
Added Description
An attacker was able to achieve code execution in the content process by exploiting a use-after-free in Animation timelines. We have had reports of this vulnerability being exploited in the wild. This vulnerability affects Firefox < 131.0.2, Firefox ESR < 128.3.1, and Firefox ESR < 115.16.1.
Added Reference
Mozilla Corporation https://bugzilla.mozilla.org/show_bug.cgi?id=1923344 [No types assigned]
Added Reference
Mozilla Corporation https://www.mozilla.org/security/advisories/mfsa2024-51/ [No types assigned]