CVE-2024-9680

CVE-2024-9680 is a critical-severity vulnerability in Mozilla Firefox with a CVSS 3.x base score of 9.8. It is listed in CISA's Known Exploited Vulnerabilities (KEV) catalog, confirming it has been exploited in the wild (added 2024-10-15). The underlying weakness is classified as CWE-416.

Key facts

Description

An attacker was able to achieve code execution in the content process by exploiting a use-after-free in Animation timelines. We have had reports of this vulnerability being exploited in the wild. This vulnerability affects Firefox < 131.0.2, Firefox ESR < 128.3.1, Firefox ESR < 115.16.1, Thunderbird < 131.0.1, Thunderbird < 128.3.1, and Thunderbird < 115.16.0.

CVE-2024-9680: Critical Use-After-Free in Mozilla Firefox Animation Timelines

AI-generated analysis based on the vulnerability data on this page.

Summary

Mozilla addressed a critical use-after-free vulnerability (CVE-2024-9680) in the animation timeline implementation of Firefox and Thunderbird. The flaw enables an attacker to achieve code execution in the content process remotely without requiring user interaction. Mozilla has confirmed active exploitation of this vulnerability in the wild.

Background

Animation timelines in Firefox govern how web animations are scheduled, synchronized, and rendered. The Web Animations API and CSS animations rely on an internal timeline object that manages playback rates, current times, and target effects. When a timeline object is destroyed but a reference remains accessible elsewhere in the content process, subsequent access can trigger undefined behavior.

Root Cause

The vulnerability is classified as CWE-416: Use After Free. During the lifecycle of an animation timeline, the underlying object can be freed while other components in the content process still hold pointers to it. When those stale pointers are dereferenced—typically through JavaScript-driven animation manipulation or garbage-collection timing windows—the process accesses deallocated memory. In browser engines, use-after-free conditions in the content process are frequently exploitable for reliable code execution because the attacker controls the JavaScript heap and can spray objects to reclaim the freed region with attacker-controlled data.

Impact

The National Vulnerability Database assigns this flaw a CVSS 3.1 score of 9.8 (Critical) with the vector CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H. The metrics reflect:

  • Attack Vector (AV): Network – exploitable over the internet.
  • Attack Complexity (AC): Low – no special conditions or race windows are required.
  • Privileges Required (PR): None – the attacker needs no prior access.
  • User Interaction (UI): None – no user action is necessary.
  • Scope (S): Unchanged – the vulnerable component is the content process.
  • Confidentiality, Integrity, Availability (C/I/A): High – successful exploitation yields full control over the content process, enabling data exfiltration, arbitrary code execution, and denial of service.

Exploitation Walkthrough

This section is written from a defensive perspective and does not contain weaponized exploit code.

Exploitation typically follows a heap-manipulation pattern common to browser use-after-free bugs:

  1. Trigger the free: The attacker crafts a web page that creates and destroys animation timelines in a way that causes the internal timeline object to be freed while a reference persists.
  2. Reclaim the heap: Before the stale pointer is reused, the attacker forces the JavaScript engine to allocate objects of a similar size, filling the freed slot with attacker-controlled data.
  3. Gain primitive: When the browser dereferences the stale pointer, it operates on the attacker-controlled object instead of the legitimate timeline. This can provide a type-confusion or arbitrary-read primitive.
  4. Escalate: From the initial primitive, the attacker chains additional gadgets to achieve arbitrary code execution inside the sandboxed content process.

Ethics caveat: The details above are intentionally generic and describe the class of vulnerability rather than a reproducible exploit chain. Organizations should focus on patching and detection rather than attempting to recreate exploit code.

Affected and Patched Versions

Based on Mozilla security advisories and distributor errata, the following versions are affected:

  • Firefox: versions earlier than 131.0.2
  • Firefox ESR: versions earlier than 128.3.1
  • Firefox ESR (115.x): versions earlier than 115.16.1
  • Thunderbird: versions earlier than 131.0.1
  • Thunderbird ESR: versions earlier than 128.3.1
  • Thunderbird ESR (115.x): versions earlier than 115.16.0

Distributors including AlmaLinux, Debian, openSUSE, and SUSE have published patched packages.

Remediation

  1. Upgrade immediately: Apply the latest Firefox, Firefox ESR, Thunderbird, or Thunderbird ESR patch from Mozilla or your distribution vendor. The patched versions are:
    • Firefox 131.0.2 or later
    • Firefox ESR 128.3.1 or later
    • Firefox ESR 115.16.1 or later
    • Thunderbird 131.0.1 or later
    • Thunderbird ESR 128.3.1 or later
    • Thunderbird ESR 115.16.0 or later
  2. Compensating controls: If patching is not immediately possible, disable JavaScript execution in untrusted browsing contexts, block web content in electronic mail (Thunderbird), and restrict outbound connections from endpoints to reduce post-exploitation command-and-control opportunities.
  3. Restart after update: Ensure all browser processes are terminated and restarted; background updates may not take effect until the application restarts.

Detection

  • Endpoint detection: Monitor for unusual child processes spawned by firefox.exe or thunderbird.exe, especially PowerShell, cmd.exe, or binary downloads from temporary browser directories.
  • Network detection: Look for anomalous outbound connections from browser processes to unexpected domains, which may indicate post-exploitation beaconing.
  • Exploit kit telemetry: Several security vendors have reported this CVE being delivered via exploit kits and malvertising campaigns. Correlate EDR alerts with web-proxy logs for visits to suspicious landing pages.
  • Memory indicators: Advanced blue teams can instrument the browser with debugging or sandbox telemetry to detect heap-corruption events in the content process.

Assessment

  • EPSS: The Exploit Prediction Scoring System assigns CVE-2024-9680 a probability of 0.32568 (32.6%) with a percentile of 0.98132, placing it in the top ~2% of most likely exploited vulnerabilities.
  • Known Exploited: CISA added this CVE to the Known Exploited Vulnerabilities Catalog on 2024-10-15, five days after publication. It is also flagged as exploited in the EU vulnerability database.
  • Key lessons:
    1. Patch velocity matters: The gap between public disclosure (2024-10-09) and CISA KEV inclusion (2024-10-15) was only six days, underscoring how quickly attackers adopt high-impact browser bugs.
    2. Content-process isolation is not a panacea: While process sandboxing limits the blast radius, remote code execution in the content process still enables data theft, credential access, and lateral movement through phishing or drive-by downloads.

References

Frequently asked questions

What is CVE-2024-9680?
An attacker was able to achieve code execution in the content process by exploiting a use-after-free in Animation timelines. We have had reports of this vulnerability being exploited in the wild. This vulnerability affects Firefox < 131.0.2, Firefox ESR < 128.3.1, Firefox ESR < 115.16.1, Thunderbird < 131.0.1, Thunderbird < 128.3.1, and Thunderbird < 115.16.0.
How severe is CVE-2024-9680?
CVE-2024-9680 has a CVSS 3.x base score of 9.8, rated critical severity. It is exploitable over network with low attack complexity, requires no privileges and no user interaction. Impact on confidentiality is high, integrity high, and availability high.
Is CVE-2024-9680 being actively exploited?
Yes. CVE-2024-9680 is on CISA's Known Exploited Vulnerabilities (KEV) catalog, added on 2024-10-15, which means active exploitation has been confirmed. It should be prioritised for remediation.
What products are affected by CVE-2024-9680?
CVE-2024-9680 primarily affects Mozilla Firefox. In total, 5 product configurations (CPEs) are listed as vulnerable; see the affected-products list for the exact versions.
How do I fix CVE-2024-9680?
Review the linked vendor and NVD advisories for patched versions and mitigations, then upgrade or apply the recommended workaround. Because this CVE is known to be actively exploited, treat remediation as urgent — CISA KEV typically sets a short remediation deadline.
Does CVE-2024-9680 have an EU (EUVD) identifier?
Yes. CVE-2024-9680 is tracked in the ENISA EU Vulnerability Database (EUVD) as EUVD-2024-50087. It is also flagged as exploited in the EUVD (since 2024-10-15).
When was CVE-2024-9680 published?
CVE-2024-9680 was published on 2024-10-09 and last updated on 2026-06-17.

References

Affected products (5)

More vulnerabilities in Mozilla Firefox

All CVEs affecting Mozilla Firefox →

Other CWE-416 (Use After Free) vulnerabilities

Browse all CWE-416 (Use After Free) vulnerabilities →