CVE-2024-11704

9.8 CRITICAL

📋 TL;DR

A double-free vulnerability in Firefox and Thunderbird's PKCS7 decryption function could allow memory corruption when processing malformed encrypted data. Attackers could potentially execute arbitrary code or cause application crashes. All users of affected Firefox, Thunderbird, and Firefox ESR versions are vulnerable.

💻 Affected Systems

Products:
  • Firefox
  • Thunderbird
  • Firefox ESR
Versions: Firefox < 133, Thunderbird < 133, Firefox ESR < 128.7, Thunderbird ESR < 128.7
Operating Systems: Windows, Linux, macOS, All supported platforms
Default Config Vulnerable: ⚠️ Yes
Notes: All default configurations are vulnerable. Requires processing of malicious PKCS7 data.

📦 What is this software?

⚠️ Risk & Real-World Impact

🔴 Worst Case: Remote code execution leading to complete system compromise, data theft, or ransomware deployment.

🟠 Likely Case: Application crash (denial of service) or limited memory corruption that could be leveraged for further exploitation.

🟢 If Mitigated: Application crash with no data loss if sandboxing and other security controls prevent escalation.

🌐 Internet-Facing: HIGH
🏢 Internal Only: MEDIUM

🎯 Exploit Status

Public PoC: ✅ No
Weaponized: UNKNOWN
Unauthenticated Exploit: ⚠️ Yes
Complexity: MEDIUM

Exploitation requires delivering malicious PKCS7 data, potentially via web content or email. No public exploit code known at time of analysis.

🛠️ Fix & Mitigation

✅ Official Fix

Patch Version: Firefox 133+, Thunderbird 133+, Firefox ESR 128.7+, Thunderbird ESR 128.7+

Vendor Advisory: https://www.mozilla.org/security/advisories/mfsa2024-63/

Restart Required: Yes

Instructions:

1. Open the browser/email client.
2. Go to Help > About Firefox/Thunderbird.
3. Allow the automatic update to complete.
4. Restart the application when prompted.

🔧 Temporary Workarounds

Workaround: Disable PKCS7 processing
Applies To: all
Description: Block PKCS7 decryption functionality via enterprise policies or configuration
Command: Not applicable - requires enterprise policy configuration

🧯 If You Can't Patch

  • Restrict web content to trusted sites only using content filtering
  • Disable automatic loading of external content in email clients

🔍 How to Verify

Check if Vulnerable:

Check application version in Help > About menu. If version is below patched versions listed, system is vulnerable.

Check Version:

firefox --version or thunderbird --version on Linux/macOS

Verify Fix Applied:

Confirm version is at or above Firefox 133, Thunderbird 133, Firefox ESR 128.7, or Thunderbird ESR 128.7.
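An added version-check script (not part of this page or of Mozilla's own tooling) that parses the output of firefox --version or thunderbird --version on Linux/macOS and compares it against the patched versions listed above. It assumes ESR builds print an "esr" suffix (e.g. "Mozilla Firefox 128.5.0esr") and, as a further assumption, treats any 128.x build as the ESR line.

```python
import re
import subprocess

# Patched versions as listed on this page (CVE-2024-11704 / MFSA2024-63).
PATCHED_RELEASE_MAJOR = 133      # Firefox 133+, Thunderbird 133+
PATCHED_ESR = (128, 7)           # Firefox ESR 128.7+, Thunderbird ESR 128.7+
ESR_LINE_MAJOR = 128             # assumption: any 128.x build is treated as the ESR line

# Matches "133.0", "132.0.2", "128.5.0esr" inside the --version output.
VERSION_RE = re.compile(r"(\d+)\.(\d+)(?:\.(\d+))?\s*(esr)?", re.IGNORECASE)


def parse_version(output):
    """Parse '--version' output such as 'Mozilla Firefox 128.5.0esr' or
    'Thunderbird 133.0' into ((major, minor, patch), is_esr).
    Raises ValueError when no version number is present."""
    m = VERSION_RE.search(output)
    if not m:
        raise ValueError("no version number found in %r" % output)
    major, minor = int(m.group(1)), int(m.group(2))
    patch = int(m.group(3)) if m.group(3) else 0
    is_esr = bool(m.group(4)) or major == ESR_LINE_MAJOR
    return (major, minor, patch), is_esr


def is_vulnerable(output):
    """Return True if the version string describes a build below the
    patched versions listed on this page."""
    (major, minor, _patch), is_esr = parse_version(output)
    if is_esr:
        # ESR branch: fixed from 128.7 onward (per this page).
        return (major, minor) < PATCHED_ESR
    # Rapid-release branch: anything below 133 (including 129-132) is unpatched.
    return major < PATCHED_RELEASE_MAJOR


def check_installed(binary):
    """Run '<binary> --version' and classify the installed build.
    Returns 'vulnerable', 'patched', or 'not found'."""
    try:
        out = subprocess.run([binary, "--version"], capture_output=True,
                             text=True, check=True).stdout
    except (FileNotFoundError, subprocess.CalledProcessError):
        return "not found"
    return "vulnerable" if is_vulnerable(out) else "patched"


if __name__ == "__main__":
    for name in ("firefox", "thunderbird"):
        print("%-12s %s" % (name, check_installed(name)))
```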

📡 Detection & Monitoring

Log Indicators:

  • Application crashes with memory corruption errors
  • Unexpected termination of Firefox/Thunderbird processes

Network Indicators:

  • Inbound connections delivering encrypted content to browsers/email clients

SIEM Query:

(source="firefox" OR source="thunderbird") AND (event_type="crash" OR error="double-free" OR error="memory corruption")

🔗 References