Arbitrary Memory Manipulation Flaw in Apple GPU Driver Affecting Mozilla Applications
CVE-2024-11691

Currently unrated

Key Information:

Vendor: Mozilla
CVE Published: 26 November 2024

Summary

A flaw in the GPU driver for Apple M series devices can lead to arbitrary memory manipulation through certain WebGL operations. The vulnerability primarily affects Mozilla applications, including Firefox and Thunderbird, running on Apple silicon, where a malicious actor could exploit the resulting memory corruption. Users of affected Firefox and Thunderbird versions should update to the latest releases to mitigate this risk and keep their data secure. Other platforms are unaffected by this issue.

Affected Version(s)

Firefox < 133

Firefox ESR < 128.5

Firefox ESR < 115.18

Timeline

  • Vulnerability published

  • Vulnerability Reserved

Credit

Dohyun Lee (@l33d0hyun) of USELab, Korea University & Youngho Choi of CEL, Korea University & Geumhwan Cho of USELab, Korea University