CVE-2024-9680
ENISA EUVD: EUVD-2024-50087 ↗
Exploited in the Wild
✓ Confirmed 0-Day
★ Google Project Zero
Triaged: March 3, 2026
6 articles
Published: 2024-10-09
EPSS Score
Source: FIRST.org · 2026-05-23
30.81% probability of being exploited in the next 30 days.
Top 96.8th percentile of all CVEs
CVSS v3.1
Source: VulnerabilityLookup (CIRCL)
9.8 CRITICAL
Attack Vector: Network
Attack Complexity: Low
Privileges Required: None
User Interaction: None
Scope: Unchanged
Confidentiality: High
Integrity: High
Availability: High
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
Description
VulnerabilityLookup (CNA): An attacker was able to achieve code execution in the content process by exploiting a use-after-free in Animation timelines. We have had reports of this vulnerability being exploited in the wild. This vulnerability affects Firefox < 131.0.2, Firefox ESR < 128.3.1, Firefox ESR < 115.16.1, Thunderbird < 131.0.1, Thunderbird < 128.3.1, and Thunderbird < 115.16.0.
Affected Products
Mozilla · Firefox · unspecified
Mozilla · Firefox ESR · unspecified
Mozilla · Firefox ESR · unspecified
Mozilla · Thunderbird · unspecified
Mozilla · Thunderbird · unspecified
Attack Intelligence
CWE-118 · Incorrect Access of Indexable Resource ('Range Error')
CWE-119 · Buffer Overflow
CWE-416 · Use After Free
CWE-664 · Improper Control of a Resource Through its Lifetime
CWE-666 · Operation on Resource in Wrong Phase of Lifetime
CWE-672 · Operation on a Resource after Expiration or Release
CWE-825 · Expired Pointer Dereference
Google Project Zero
Patched: Oct. 9, 2024
Reported by: Damien Schaeffer from ESET
Root Cause Analysis
???
Exploits & PoC
11
2024-10-17
moscovium-mc/Tor-0day-JavaScript-Exploit
Firefox/Tor Browser 0day exploit analysis (CVE-2024-9680) A UAF in animation timelines leading to RCE. Patched.
10
2025-12-05
2 repos, sorted by ⭐
Signal Intelligence
Confidence: 95%
EPSS: 30.81%
CVSS v3.1: 9.8
Mentions: 6
Last Seen: Nov 26, 2024
CNA Information
CNA Assigner: mozilla
Analyst Note
CVE-2024-9680 is a critical use-after-free vulnerability in Firefox with a CVSS score of 9.8. Active exploitation in the wild by threat actors, including Russian RomCom hackers, is confirmed and documented by reputable sources including BleepingComputer and CERT-EU. Mozilla has issued patches across multiple affected versions (Firefox, Firefox ESR, and Thunderbird), validating the vulnerability's authenticity and severity.
Threat Actors 14
Turla Group · apt_group · Information theft and espionage · Russian Federation
Cobalt · apt_group · Financial crime · 🇷🇺 RU
APT 28 · apt_group · Information theft and espionage · 🇷🇺 RU
Kimsuky · apt_group · Information theft and espionage · 🇰🇷 KR
Hacking Team · apt_group · 🇮🇹 IT
Gamaredon Group · apt_group · Information theft and espionage · 🇷🇺 RU
ELECTRUM · apt_group · Information theft and espionage · 🇷🇺 RU
Group 27 · apt_group · Information theft and espionage · 🇨🇳 CN
RomCom · apt_group · Financial gain · 🇷🇺 RU
Rocke · apt_group · 🇨🇳 CN
Void Rabisu · apt_group · Financial gain · 🇷🇺 RU
Red Dev 17 · apt_group · 🇨🇳 CN
Red October · apt_group · 🇷🇺 RU
Mana Team · apt_group · 🇨🇳 CN
Triage Info
Decided at: Mar 03, 2026
Published Date: Oct 09, 2024