CVE-2024-3861: Use After Free
Published Apr 16, 2024
If an AlignedBuffer were assigned to itself, the subsequent self-move could result in an incorrect reference count and later use-after-free.
Affected Software
12 affected components · Fixes available
redhat/firefox <115.10
115.10
redhat/thunderbird <115.10
115.10
Mozilla Thunderbird <115.10
115.10
Mozilla Firefox <125
125
Mozilla Firefox ESR <115.10
115.10
Mozilla Firefox <115.0
Mozilla Firefox <125.0
Mozilla Thunderbird <115.0
Debian Debian Linux =10.0
debian/firefox
138.0.1-1
debian/firefox-esr
115.14.0esr-1~deb11u1, 128.9.0esr-1~deb11u1, 128.8.0esr-1~deb12u1, 128.10.0esr-1~deb12u1, 128.9.0esr-2, 128.10.0esr-1
debian/thunderbird
1:115.12.0-1~deb11u1, 1:128.10.0esr-1~deb11u1, 1:128.8.0esr-1~deb12u1, 1:128.10.0esr-1~deb12u1, 1:128.9.0esr-1, 1:128.10.0esr-1
Event History
Apr 16, 2024
CVE Published
via Mozilla·12:00 AM
CVE Published
via MITRE·03:14 PM
Data Sourced
via MITRE·03:14 PM
Description, Weakness
Apr 17, 2024
Data Sourced
via Red Hat·03:17 PM
Description, Severity, Affected Software
May 2, 2024
Data Sourced
via Launchpad·07:33 AM
Description
Sep 15, 2024
Data Sourced
via Ubuntu·07:53 AM
Remedy, Description, Severity, Affected Software
Frequently Asked Questions
1. What is the severity of CVE-2024-3861?
CVE-2024-3861 has been categorized as a medium severity vulnerability.
2. How do I fix CVE-2024-3861?
To fix CVE-2024-3861, upgrade affected software to the specified versions, such as Firefox 115.10 or newer.
3. What software is affected by CVE-2024-3861?
CVE-2024-3861 affects versions of Firefox, Thunderbird, and Firefox ESR up to 115.10.
4. What risks are associated with CVE-2024-3861?
CVE-2024-3861 can lead to a use-after-free, possibly allowing an attacker to execute arbitrary code.
5. Is there a workaround for CVE-2024-3861?
There are no known workarounds for CVE-2024-3861; upgrading to the fixed versions is the recommended resolution.