CVE-2024-4775

5.9 MEDIUM

📋 TL;DR

A missing iterator stop condition in Firefox's built-in profiler when handling WASM code could lead to invalid memory access and undefined behavior. This vulnerability only affects Firefox versions before 126 when the profiler is running. Attackers could potentially exploit this to cause crashes or execute arbitrary code.

💻 Affected Systems

Products:
  • Mozilla Firefox
Versions: All versions < 126
Operating Systems: Windows, Linux, macOS, Android, iOS
Default Config Vulnerable: ✅ No
Notes: Only vulnerable when the built-in profiler is running. Profiler is not enabled by default in standard Firefox installations.

⚠️ Risk & Real-World Impact

🔴

Worst Case

Remote code execution leading to complete system compromise if combined with other vulnerabilities

🟠

Likely Case

Application crash (denial of service) or memory corruption leading to unstable behavior

🟢

If Mitigated

No impact if profiler is disabled or Firefox is updated

🌐 Internet-Facing: MEDIUM - Requires user interaction (visiting malicious site) and profiler enabled
🏢 Internal Only: LOW - Same requirements as internet-facing, no special internal exposure

🎯 Exploit Status

Public PoC: ✅ No
Weaponized: UNKNOWN
Unauthenticated Exploit: ⚠️ Yes
Complexity: MEDIUM

Exploitation requires the profiler to be active and the user to visit a malicious website. No public exploit code is known at this time.

🛠️ Fix & Mitigation

✅ Official Fix

Patch Version: Firefox 126 and later

Vendor Advisory: https://www.mozilla.org/security/advisories/mfsa2024-21/

Restart Required: Yes

Instructions:

1. Open Firefox
2. Click menu → Help → About Firefox
3. Allow automatic update to complete
4. Restart Firefox when prompted

🔧 Temporary Workarounds

Disable Profiler (all platforms)

Prevent exploitation by disabling the built-in profiler

about:config → set devtools.performance.enabled to false

🧯 If You Can't Patch

  • Disable the built-in profiler via about:config settings
  • Use Firefox in safe mode or with profiler-related features disabled

🔍 How to Verify

Check if Vulnerable:

Check the Firefox version: about:support → Application Basics → Version. If the version is below 126, the system is vulnerable when the profiler is enabled.

Check Version:

firefox --version (Linux/macOS) or check About Firefox in GUI

Verify Fix Applied:

Verify Firefox version is 126 or higher via about:support. Check profiler status in about:config (devtools.performance.enabled).
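
The version and preference checks above, combined into one script for checking many hosts. This is an added example, not code from Mozilla or from the original page. The function names, status labels and PROFILE_DIR are hypothetical, the sample version strings are constructed, and it assumes the preference was set by the user and is therefore recorded in the profile's prefs.js.

```sh
#!/bin/sh
# Added example: classify a Firefox install against CVE-2024-4775 using the
# checks on this page. Function names and status labels are hypothetical.

FIXED_MAJOR=126  # first fixed release, per this page

# ff_major "<firefox --version output>": print the major version, or fail.
ff_major() {
    # Expected form: "Mozilla Firefox 125.0.3"
    ver=$(printf '%s\n' "$1" | sed -n '1s/^Mozilla Firefox \([0-9][0-9]*\).*$/\1/p')
    [ -n "$ver" ] || return 1
    printf '%s\n' "$ver"
}

# profiler_pref_disabled <prefs.js>: succeed only if the profile explicitly
# sets the pref named in the workaround to false.
profiler_pref_disabled() {
    grep -Eq '^user_pref\("devtools\.performance\.enabled", *false\);' "$1" 2>/dev/null
}

# classify "<version output>" [prefs.js]
# prints PATCHED, WORKAROUND, VULNERABLE or UNKNOWN
classify() {
    major=$(ff_major "$1") || { echo UNKNOWN; return 0; }
    # -ge compares numerically, so 99 sorts below 126 (a string compare would not)
    if [ "$major" -ge "$FIXED_MAJOR" ]; then
        echo PATCHED
    elif [ -n "${2:-}" ] && profiler_pref_disabled "$2"; then
        echo WORKAROUND
    else
        echo VULNERABLE
    fi
}

# Constructed sample outputs, not captured from real hosts.
for sample in 'Mozilla Firefox 125.0.3' 'Mozilla Firefox 99.0' \
              'Mozilla Firefox 126.0' 'firefox: command not found'; do
    printf '%-28s %s\n' "$sample" "$(classify "$sample")"
done
# On a live host (PROFILE_DIR is a placeholder for the profile directory):
#   classify "$(firefox --version 2>/dev/null)" "$PROFILE_DIR/prefs.js"
```

UNKNOWN means the version string could not be parsed, so that host needs a manual check instead of being counted as patched.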

📡 Detection & Monitoring

Log Indicators:

  • Firefox crash reports with profiler-related stack traces
  • Unexpected memory access errors in system logs

Network Indicators:

  • Unusual WASM module loads from untrusted sources
  • Profiler data being sent to external servers

SIEM Query:

source="firefox" AND (event="crash" OR error="memory_access") AND component="profiler"
