Login Sign Up

CVE-2024-8384

9.8 CRITICAL
Remote Code Execution Denial of Service

📋 TL;DR

A critical memory corruption vulnerability in Mozilla's JavaScript garbage collector could allow attackers to execute arbitrary code or cause denial of service. This affects Firefox, Firefox ESR, and Thunderbird when specific out-of-memory conditions occur during garbage collection passes. All users of affected versions are at risk.

💻 Affected Systems

Products:
  • Firefox
  • Firefox ESR
  • Thunderbird
Versions: Firefox < 130, Firefox ESR < 128.2, Firefox ESR < 115.15, Thunderbird < 128.2, Thunderbird < 115.15
Operating Systems: All platforms supported by affected applications
Default Config Vulnerable: ⚠️ Yes
Notes: All standard installations are vulnerable; no special configuration required for exploitation.

📦 What is this software?

Firefox by Mozilla

View all CVEs affecting Firefox →

Firefox Esr by Mozilla

View all CVEs affecting Firefox Esr →

Firefox Esr by Mozilla

View all CVEs affecting Firefox Esr →

⚠️ Risk & Real-World Impact

🔴

Worst Case

Remote code execution leading to complete system compromise, data theft, or ransomware deployment.

🟠

Likely Case

Browser/application crash (denial of service) or limited memory corruption allowing information disclosure.

🟢

If Mitigated

No impact if patched; limited impact if exploit attempts are blocked by security controls.

🌐 Internet-Facing: HIGH - Web browsers process untrusted content from the internet, making exploitation trivial via malicious websites.
🏢 Internal Only: MEDIUM - Internal users could be targeted via phishing or compromised internal sites, but attack surface is smaller.

🎯 Exploit Status

Public PoC: ✅ No
Weaponized: UNKNOWN
Unauthenticated Exploit: ⚠️ Yes
Complexity: MEDIUM

Exploitation requires triggering specific OOM conditions during garbage collection, which may be challenging but feasible for skilled attackers.

🛠️ Fix & Mitigation

✅ Official Fix

Patch Version: Firefox 130, Firefox ESR 128.2, Firefox ESR 115.15, Thunderbird 128.2, Thunderbird 115.15

Vendor Advisory: https://www.mozilla.org/security/advisories/mfsa2024-39/

Restart Required: Yes

Instructions:

1. Open the affected application. 2. Go to Help > About Firefox/Thunderbird. 3. Allow the application to check for and install updates. 4. Restart the application when prompted.

🔧 Temporary Workarounds

Disable JavaScript

all

Prevents exploitation by disabling JavaScript execution, but breaks most web functionality.

about:config > javascript.enabled = false

🧯 If You Can't Patch

  • Restrict access to untrusted websites and email content
  • Deploy application control to block execution of vulnerable versions

🔍 How to Verify

Check if Vulnerable:

Check application version against affected versions list.

Check Version:

Firefox/Thunderbird: about:support or Help > About

Verify Fix Applied:

Confirm version is equal to or greater than patched versions.

📡 Detection & Monitoring

Log Indicators:

  • Application crash logs with memory corruption signatures
  • Unexpected process termination

Network Indicators:

  • Traffic to known malicious domains hosting exploit code

SIEM Query:

source="firefox.log" OR source="thunderbird.log" AND (event="crash" OR event="segfault")

📊 Metadata

CVE ID: CVE-2024-8384
CVSS v3 Score: 9.8 (CRITICAL)
CVSS Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
CWE: CWE-787
Published: September 3, 2024
Last Updated: November 4, 2025

🔗 References

📤 Share & Export

📄 Export Markdown 📋 Export JSON

🔗 Related Vulnerabilities

If you're affected by CVE-2024-8384, you might also want to check these:

CVE-2022-43604 10.0

CVE-2022-43604 is a critical out-of-bounds write vulnerability in the OpENer EtherNet/IP stack that ...

Same vulnerability type (CWE-787)
CVE-2025-24201 10.0

This critical vulnerability allows malicious web content to break out of the Web Content sandbox via...

Same vulnerability type (CWE-787)
CVE-2020-14871 10.0

This is a critical buffer overflow vulnerability (CWE-787) in Oracle Solaris's Pluggable Authenticat...

Same vulnerability type (CWE-787)