CVE-2024-7652

Published: Sep 6, 2024Modified: Apr 4, 2025

7.5

Vector

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H

Exploitability: 3.9 / Impact: 3.6

Source: 134c704f-9b21-4f2e-91b3-4a467353bcc0 (Secondary)

Description

An error in the ECMA-262 specification relating to Async Generators could have resulted in a type confusion, potentially leading to memory corruption and an exploitable crash. This vulnerability affects Firefox < 128, Firefox ESR < 115.13, Thunderbird < 115.13, and Thunderbird < 128.

Affected (4)

Products: Mozilla: Firefox, Thunderbird

2 products

Configuration A

4 vulnerable

Vulnerable Software	Affected Versions
Mozilla Firefox	Before 128.0
Mozilla Firefox	Before 115.13.0
Mozilla Thunderbird	Before 115.13.0
Mozilla Thunderbird	From 116.0 to 128.0

Related CWEs

NULL Pointer Dereference

The product dereferences a pointer that it expects to be valid but is NULL.

Access of Resource Using Incompatible Type ('Type Confusion')

The product allocates or initializes a resource such as a pointer, object, or variable using one type, but it later accesses that resource using a type that is incompatible with the original type.

References (6)

https://bugzilla.mozilla.org/show_bug.cgi?id=1901411

Source: security@mozilla.org

Issue Tracking

https://github.com/tc39/ecma262/security/advisories/GHSA-g38c-wh3c-5h9r

Source: security@mozilla.org

Third Party Advisory

https://www.mozilla.org/security/advisories/mfsa2024-29/

Source: security@mozilla.org

Vendor Advisory

https://www.mozilla.org/security/advisories/mfsa2024-30/

Source: security@mozilla.org

Vendor Advisory

https://www.mozilla.org/security/advisories/mfsa2024-31/

Source: security@mozilla.org

Vendor Advisory

https://www.mozilla.org/security/advisories/mfsa2024-32/

Source: security@mozilla.org

Vendor Advisory

Timeline

No history available yet.