Mozilla Firefox Crashes Due to Initiating Specially Crafted WebTransport Session
CVE-2024-9399

7.5HIGH

Key Information:

Vendor: Mozilla
Status: Firefox; Firefox Esr; Thunderbird
Vendor: CVE Published:; 1 October 2024

Summary

A vulnerability exists in the Firefox and Thunderbird applications that allows a specially crafted WebTransport session to crash the application process. This incident results in a denial of service, potentially leaving users unable to access their browsers or email clients. The affected versions include all Firefox versions prior to 131 and all Thunderbird versions prior to 128.3. Users are encouraged to upgrade to the latest versions to mitigate this risk.

Affected Version(s)

Firefox < 131

Firefox ESR < 128.3

Thunderbird < 128.3

References

https://bugzilla.mozilla.org/show_bug.cgi?id=1907726

https://www.mozilla.org/security/advisories/mfsa2024-46/

https://www.mozilla.org/security/advisories/mfsa2024-47/

CVSS V3.1

Score:

7.5

Severity:

HIGH

Confidentiality:

None

Integrity:

None

Availability:

None

Attack Vector:

Network

Attack Complexity:

Low

Privileges Required:

None

User Interaction:

None

Scope:

Unchanged

Timeline

Vulnerability published
Oct 1, 2024
Vulnerability Reserved
Oct 1, 2024

Credit

Marten Richter