Mozilla has issued an urgent security update for its Firefox browser, targeting a critical vulnerability actively exploited in the wild. The flaw, CVE-2024-9680, relates to a use-after-free bug in the browser’s animation timeline management.
A use-after-free lets an attacker act on memory after the browser has released it; here that gives a way to corrupt program state and, in turn, execute code. In this case, the flaw resides in Firefox’s Web Animations API, which synchronises animations on web pages.
Mozilla confirmed that attackers have already been exploiting this flaw to execute code within the content process, posing a serious threat to users.
In its security bulletin, Mozilla stated, “An attacker was able to achieve code execution in the content process by exploiting a use-after-free in Animation timelines. We have had reports of this vulnerability being exploited in the wild.”
CVE-2024-9680 impacts Firefox’s standard and extended support releases (ESR). Mozilla is urging users to upgrade to the following versions to mitigate the risk immediately:
- Firefox 131.0.2
- Firefox ESR 115.16.1
- Firefox ESR 128.3.1
Given the vulnerability’s nature and confirmed exploitation, upgrading to the latest version is crucial for all users. The update process is straightforward: users can navigate to the browser’s Settings menu, select Help, and click on About Firefox to trigger an automatic update. A restart will apply the new fixes.
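For anyone checking a fleet rather than a single machine, the patched versions above translate directly into a version-gate check. The script below is an added example, not from Mozilla or the article; it assumes that any build older than the fixed release on its own line lacks the fix, and the hostnames and version strings are constructed.

```python
import re

# Fixed releases named in the CVE-2024-9680 advisory, keyed by the major
# version that identifies each supported line (115 and 128 are ESR lines).
FIXED_VERSIONS = {
    115: (115, 16, 1),  # Firefox ESR 115.16.1
    128: (128, 3, 1),   # Firefox ESR 128.3.1
    131: (131, 0, 2),   # Firefox 131.0.2
}
CURRENT_RELEASE_MAJOR = 131

# Matches the tail of `firefox --version` output, e.g. "115.16.1esr" or "131.0".
_VERSION_RE = re.compile(r"(\d+)\.(\d+)(?:\.(\d+))?(esr)?$")


def parse_version(text):
    """Parse 'Mozilla Firefox 115.16.1esr' into ((115, 16, 1), True)."""
    m = _VERSION_RE.search(text.strip())
    if not m:
        raise ValueError(f"unrecognised Firefox version string: {text!r}")
    major, minor, patch, esr = m.groups()
    return (int(major), int(minor), int(patch or 0)), esr is not None


def is_patched(text):
    """True if the build carries the CVE-2024-9680 fix.

    Assumption (not in the article): a build older than the fixed release
    on its own line is treated as unpatched.
    """
    version, _is_esr = parse_version(text)
    major = version[0]
    if major in FIXED_VERSIONS:
        return version >= FIXED_VERSIONS[major]
    # Release builds newer than 131 include the fix; older non-ESR lines
    # (116-130) never received it and must move to 131.0.2 or later.
    return major > CURRENT_RELEASE_MAJOR


def triage(inventory):
    """Map host -> 'patched' / 'UPGRADE' for a {host: version_string} dict."""
    return {h: ("patched" if is_patched(v) else "UPGRADE") for h, v in inventory.items()}


# Constructed sample inventory; hostnames and versions are made up.
SAMPLE_INVENTORY = {
    "ws-01": "Mozilla Firefox 131.0.1",
    "ws-02": "Mozilla Firefox 131.0.2",
    "srv-03": "Mozilla Firefox 128.3.0esr",
    "srv-04": "Mozilla Firefox 115.16.1esr",
    "ws-05": "Mozilla Firefox 130.0",
}

if __name__ == "__main__":
    for host, status in triage(SAMPLE_INVENTORY).items():
        print(f"{host}: {SAMPLE_INVENTORY[host]} -> {status}")
```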
Mozilla has not disclosed specific details on how attackers target victims or which groups are behind these attacks; the active nature of the exploitation elevates the need for immediate action.
The vulnerability allows malicious actors to execute code within Firefox, which could compromise systems and lead to broader security breaches.
This is only the second time Mozilla has had to address a zero-day vulnerability in Firefox this year, reports BleepingComputer. In March 2024, the company patched two critical vulnerabilities — CVE-2024-29943 and CVE-2024-29944 — after they were demonstrated during the Pwn2Own Vancouver hacking competition.