Login Sign Up

CVE-2024-3854

8.8 HIGH

📋 TL;DR

This vulnerability in Mozilla's JavaScript JIT compiler incorrectly optimizes switch statements, leading to out-of-bounds memory reads. It affects Firefox, Firefox ESR, and Thunderbird users running vulnerable versions. Attackers could exploit this to read sensitive memory contents or potentially achieve remote code execution.

💻 Affected Systems

Products:
  • Firefox
  • Firefox ESR
  • Thunderbird
Versions: Firefox < 125, Firefox ESR < 115.10, Thunderbird < 115.10
Operating Systems: All platforms where affected versions run
Default Config Vulnerable: ⚠️ Yes
Notes: All default configurations are vulnerable. No special settings required for exploitation.

📦 What is this software?

Firefox by Mozilla

View all CVEs affecting Firefox →

Firefox by Mozilla

View all CVEs affecting Firefox →

Thunderbird by Mozilla

View all CVEs affecting Thunderbird →

⚠️ Risk & Real-World Impact

🔴

Worst Case

Remote code execution leading to complete system compromise, data theft, or installation of persistent malware.

🟠

Likely Case

Information disclosure through memory reads, potentially exposing sensitive data like passwords, cookies, or session tokens.

🟢

If Mitigated

Limited impact if sandboxing works correctly, potentially just a browser crash or denial of service.

🌐 Internet-Facing: HIGH
🏢 Internal Only: MEDIUM

🎯 Exploit Status

Public PoC: ✅ No
Weaponized: UNKNOWN
Unauthenticated Exploit: ⚠️ Yes
Complexity: MEDIUM

Exploitation requires JavaScript execution, which is standard in web browsing. No authentication needed as it can be triggered via malicious web content.

🛠️ Fix & Mitigation

✅ Official Fix

Patch Version: Firefox 125+, Firefox ESR 115.10+, Thunderbird 115.10+

Vendor Advisory: https://www.mozilla.org/security/advisories/mfsa2024-18/

Restart Required: Yes

Instructions:

1. Open affected application. 2. Go to Help > About Firefox/Thunderbird. 3. Allow automatic update to complete. 4. Restart the application when prompted.

🔧 Temporary Workarounds

Disable JavaScript

all

Prevents exploitation by blocking JavaScript execution, which is required to trigger the vulnerability.

Use alternative browser

all

Temporarily switch to a non-vulnerable browser until patches are applied.

🧯 If You Can't Patch

  • Restrict web browsing to trusted sites only
  • Implement network segmentation to limit browser access to sensitive systems

🔍 How to Verify

Check if Vulnerable:

Check application version in Help > About Firefox/Thunderbird. If version is below patched versions, system is vulnerable.

Check Version:

firefox --version or thunderbird --version

Verify Fix Applied:

Verify version is Firefox 125+, Firefox ESR 115.10+, or Thunderbird 115.10+ after update.

📡 Detection & Monitoring

Log Indicators:

  • Browser crash reports
  • Unexpected memory access errors in system logs

Network Indicators:

  • Suspicious JavaScript delivery to browsers

SIEM Query:

source="browser_logs" AND (event="crash" OR event="memory_error")

📊 Metadata

CVE ID: CVE-2024-3854
CVSS v3 Score: 8.8 (HIGH)
CVSS Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H
CWE: CWE-125
Published: April 16, 2024
Last Updated: April 1, 2025

🔗 References

📤 Share & Export

📄 Export Markdown 📋 Export JSON

🔗 Related Vulnerabilities

If you're affected by CVE-2024-3854, you might also want to check these:

CVE-2021-41556 10.0

CVE-2021-41556 is a critical out-of-bounds read vulnerability in Squirrel scripting language that al...

Same vulnerability type (CWE-125)
CVE-2024-22004 10.0

This vulnerability allows attackers with privileged access on Linux non-secure operating systems to ...

Same vulnerability type (CWE-125)
CVE-2021-21777 10.0

CVE-2021-21777 is a critical out-of-bounds read vulnerability in the Ethernet/IP UDP handler of OpEN...

Same vulnerability type (CWE-125)