CVE-2024-7520

Published: Aug 6, 2024Modified: Mar 24, 2025

8.8

Vector

CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H

Exploitability: 2.8 / Impact: 5.9

Source: NVD

Description

A type confusion bug in WebAssembly could be leveraged by an attacker to potentially achieve code execution. This vulnerability affects Firefox < 129, Firefox ESR < 128.1, and Thunderbird < 128.1.

Affected (3)

Products: Mozilla: Firefox, Firefox Esr, Thunderbird

3 products

Configuration A

3 vulnerable

Vulnerable Software	Affected Versions
Mozilla Firefox	Before 129.0
Mozilla Firefox Esr	Before 128.1.0
Mozilla Thunderbird	Before 128.1.0

Related CWEs

CWE-843

Access of Resource Using Incompatible Type ('Type Confusion')

The product allocates or initializes a resource such as a pointer, object, or variable using one type, but it later accesses that resource using a type that is incompatible with the original type.

CWE-94

Improper Control of Generation of Code ('Code Injection')

The product constructs all or part of a code segment using externally-influenced input from an upstream component, but it does not neutralize or incorrectly neutralizes special elements that could modify the syntax or behavior of the intended code segment.

References (4)

https://bugzilla.mozilla.org/show_bug.cgi?id=1903041

Source: security@mozilla.org

Issue TrackingPermissions Required

https://www.mozilla.org/security/advisories/mfsa2024-33/

Source: security@mozilla.org

Vendor Advisory

https://www.mozilla.org/security/advisories/mfsa2024-35/

Source: security@mozilla.org

Vendor Advisory

https://www.mozilla.org/security/advisories/mfsa2024-37/

Source: security@mozilla.org

Vendor Advisory

Timeline

No history available yet.