9.8
CVE-2024-11704
- EPSS 0.92%
- Veröffentlicht 26.11.2024 14:15:19
- Zuletzt bearbeitet 03.11.2025 21:16:04
- Quelle security@mozilla.org
- CVE-Watchlists
- Unerledigt
A double-free issue could have occurred in `sec_pkcs7_decoder_start_decrypt()` when handling an error path. Under specific conditions, the same symmetric key could have been freed twice, potentially leading to memory corruption. This vulnerability affects Firefox < 133, Thunderbird < 133, Firefox ESR < 128.7, and Thunderbird < 128.7.
Daten sind bereitgestellt durch National Vulnerability Database (NVD)
Mozilla ≫ Thunderbird Version < 128.7.0
Mozilla ≫ Thunderbird Version >= 129.0 < 133.0
VulnDex Vulnerability Enrichment
| Typ | Quelle | Score | Percentile |
|---|---|---|---|
| EPSS | FIRST.org | 0.92% | 0.555 |
| Quelle | Base Score | Exploit Score | Impact Score | Vector String |
|---|---|---|---|---|
| 134c704f-9b21-4f2e-91b3-4a467353bcc0 | 9.8 | 3.9 | 5.9 |
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
|
CWE-415 Double Free
The product calls free() twice on the same memory address.
https://www.mozilla.org/security/advisories/mfsa2024-63/
https://www.mozilla.org/security/advisories/mfsa2024-67/
https://bugzilla.mozilla.org/show_bug.cgi?id=1899402
https://www.mozilla.org/security/advisories/mfsa2025-09/
https://www.mozilla.org/security/advisories/mfsa2025-10/
https://lists.debian.org/debian-lts-announce/2025/02/msg00005.html
https://lists.debian.org/debian-lts-announce/2025/02/msg00006.html