CVE-2024-29944

ENISA EUVD: EUVD-2024-26918
✓ Confirmed 0-Day
Triaged: March 5, 2026 · 3 articles · Published: 2024-03-22

EPSS Score

Source: FIRST.org · 2026-05-23
This CVE has a 1.41% probability of being exploited in the next 30 days.
Top 80.7th percentile of all CVEs

CVSS v3.1

Source: VulnerabilityLookup (CIRCL)
Score: 8.4 (HIGH)
Attack Vector: Local
Attack Complexity: Low
Privileges Required: None
User Interaction: None
Scope: Unchanged
Confidentiality: High
Integrity: High
Availability: High
Vector: CVSS:3.1/AV:L/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

Description

VulnerabilityLookup (CNA)
An attacker was able to inject an event handler into a privileged object that would allow arbitrary JavaScript execution in the parent process. Note: This vulnerability affects Desktop Firefox only, it does not affect mobile versions of Firefox. This vulnerability affects Firefox < 124.0.1 and Firefox ESR < 115.9.1.

Affected Products

Mozilla · Firefox · unspecified
Mozilla · Firefox ESR · unspecified

Attack Intelligence

Signal Intelligence

Confidence: 92%
EPSS: 1.41%
CVSS v3.1: 8.4
Mentions: 3
Last Seen: May 19, 2025

CNA Information

CNA Assigner: mozilla

Analyst Note

CVE-2024-29944 was patched in Firefox 124.0.1 (released March 22, 2024), and BleepingComputer explicitly identified it as a zero-day actively exploited in attacks. Additional evidence indicates exploitation at Pwn2Own, a major security conference where zero-days are demonstrated before public disclosure. The timing aligns with publication and patch release.

Triage Info

Decided at: Mar 05, 2026
Published Date: Mar 22, 2024