CVE-2024-11705

CVSS 3.1 Score 9.1 of 10 (high)

Details

Published Nov 26, 2024
Updated: Nov 27, 2024
CWE ID 476

Summary

CVE-2024-11705 is a vulnerability affecting Firefox version 132 and earlier, as well as Thunderbird version 132 and below. It stems from an issue in the `NSC_DeriveKey` function, which erroneously assumed that the `phKey` parameter is always non-NULL. That assumption conflicts with the PKCS#11 v3.0 specification, under which `phKey` can be passed as NULL for certain mechanisms. Consequently, when the function receives a NULL `phKey`, it dereferences the NULL pointer and triggers a segmentation fault (SEGV), leading to crashes.
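An added illustration, not NSS source and not the actual patch: a minimal C model of the bug class described in the summary, with the unchecked write to `phKey` beside a form that tolerates NULL. The stand-in types, the `DEMO_MECH_*` mechanism IDs, the function names and the choice to return `CKR_ARGUMENTS_BAD` when a single-key mechanism gets no `phKey` are assumptions made for this sketch.

```c
#include <stddef.h>

/* Minimal stand-ins for PKCS#11 types; this is a model, not NSS code. */
typedef unsigned long CK_RV;
typedef unsigned long CK_OBJECT_HANDLE;
#define CKR_OK            0x00UL
#define CKR_ARGUMENTS_BAD 0x07UL
#define CK_INVALID_HANDLE 0UL
#define DEMO_MECH_SINGLE  1UL  /* hypothetical: derived key returned via phKey */
#define DEMO_MECH_MULTI   2UL  /* hypothetical: keys returned via pParameter */

typedef struct { CK_OBJECT_HANDLE hClientKey, hServerKey; } demo_key_mat_out;
typedef struct { unsigned long mechanism; void *pParameter; } demo_mechanism;

static CK_OBJECT_HANDLE next_handle = 100;  /* constructed handle counter */

/* Mechanism dispatch shared by both entry points below. */
static CK_RV derive_body(const demo_mechanism *m, CK_OBJECT_HANDLE *phKey) {
    if (m->mechanism == DEMO_MECH_MULTI) {
        demo_key_mat_out *out = m->pParameter;
        if (out == NULL) return CKR_ARGUMENTS_BAD;
        out->hClientKey = next_handle++;
        out->hServerKey = next_handle++;
        return CKR_OK;              /* phKey is never needed on this path */
    }
    if (phKey == NULL) return CKR_ARGUMENTS_BAD;  /* single-key path needs it */
    *phKey = next_handle++;
    return CKR_OK;
}

/* Pattern from the summary: output pointer written before any NULL check. */
CK_RV derive_unchecked(const demo_mechanism *m, CK_OBJECT_HANDLE *phKey) {
    *phKey = CK_INVALID_HANDLE;     /* NULL phKey faults here (SEGV) */
    return derive_body(m, phKey);
}

/* Hardened form: initialise the output only when the caller supplied one. */
CK_RV derive_checked(const demo_mechanism *m, CK_OBJECT_HANDLE *phKey) {
    if (m == NULL) return CKR_ARGUMENTS_BAD;
    if (phKey != NULL) *phKey = CK_INVALID_HANDLE;
    return derive_body(m, phKey);
}
```

The same review question applies to any PKCS#11 entry point with an output handle: find every dereference of the pointer and confirm a NULL check dominates it on each mechanism path.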

Affected Products

  • Mozilla Thunderbird
  • Mozilla Firefox

Affected Vendors

  • Mozilla