Skip to main content
CVE Vulnerability Database
Vulnerability Database/CVE-2024-10466

CVE-2024-10466: Mozilla Firefox DOS Vulnerability

CVE-2024-10466 is a denial of service flaw in Mozilla Firefox that allows remote servers to hang the browser through crafted push messages. This article covers technical details, affected versions, impact, and mitigation.

Published:

CVE-2024-10466 Overview

CVE-2024-10466 is a denial of service vulnerability affecting Mozilla Firefox, Firefox ESR, and Thunderbird. A remote server can send a specially crafted push message that hangs the browser's parent process. The hang renders the application unresponsive and requires user intervention to recover.

The flaw is categorized under [CWE-400] Uncontrolled Resource Consumption. Mozilla addressed the issue in Firefox 132, Firefox ESR 128.4, Thunderbird 128.4, and Thunderbird 132. Attackers can trigger the condition over the network without authentication or user interaction, making the vulnerability trivial to weaponize against exposed browser instances.

Critical Impact

A remote attacker can render Firefox or Thunderbird unresponsive by sending a single malformed push message, disrupting user workflows and email communications.

Affected Products

  • Mozilla Firefox versions prior to 132
  • Mozilla Firefox ESR versions prior to 128.4
  • Mozilla Thunderbird versions prior to 128.4 and prior to 132

Discovery Timeline

  • 2024-10-29 - CVE-2024-10466 published to NVD
  • 2026-06-17 - Last updated in NVD database

Technical Details for CVE-2024-10466

Vulnerability Analysis

The vulnerability resides in the Web Push message handling logic of the Firefox/Thunderbird parent process. Web Push is a browser feature that allows servers to deliver asynchronous notifications to clients through the Mozilla Push Service. When the parent process receives a malformed or specially crafted push payload, the processing routine enters a state that hangs the entire process.

Because Firefox uses a multi-process architecture where the parent process orchestrates child renderer processes, a hang in the parent freezes the entire browser. Tabs become unresponsive, the UI does not redraw, and the user cannot interact with the application. Thunderbird shares the underlying Gecko platform and inherits the same defect, affecting email reception and the integrated chat features.

The issue does not corrupt memory or grant code execution. Impact is limited to availability, but the network-reachable attack vector makes the flaw practical for harassment, productivity disruption, or as a component in a larger attack chain.

Root Cause

The root cause is uncontrolled resource consumption in push message parsing, tracked in Mozilla Bug 1924154. The parent process fails to bound the resources or processing time consumed when handling certain push message structures, leading to a hang condition.

Attack Vector

An attacker controls or compromises a server registered as a push origin for a victim's browser. The attacker then sends a crafted push message through the Mozilla Push Service to the victim's client. No user interaction is required beyond having previously subscribed to push notifications from any site the attacker can influence. The malformed payload reaches the parent process and triggers the hang.

No verified exploit code is publicly available. Technical details are described in the Mozilla Bug Report #1924154 and the corresponding Mozilla Security Advisory MFSA-2024-55.

Detection Methods for CVE-2024-10466

Indicators of Compromise

  • Firefox or Thunderbird processes becoming unresponsive shortly after receiving network traffic from updates.push.services.mozilla.com or related push endpoints.
  • Repeated user reports of browser freezes correlating with push notification activity from a specific origin.
  • Process monitoring showing high wall-clock time with low CPU activity in the Firefox or Thunderbird parent process.

Detection Strategies

  • Inventory installed Firefox, Firefox ESR, and Thunderbird versions across endpoints and flag any builds older than the fixed releases.
  • Monitor application crash and hang telemetry from endpoint logs for Firefox and Thunderbird processes.
  • Correlate browser hang events with network connections to push service endpoints to identify potentially abusive origins.

Monitoring Recommendations

  • Track software version compliance using endpoint management or vulnerability scanning tools and alert on outdated Mozilla products.
  • Enable verbose logging for the Web Push subsystem during incident response to capture the originating push subscription.
  • Review subscribed push origins on critical workstations and remove subscriptions from untrusted or unnecessary domains.

How to Mitigate CVE-2024-10466

Immediate Actions Required

  • Update Firefox to version 132 or later and Firefox ESR to 128.4 or later on all endpoints.
  • Update Thunderbird to version 128.4 or 132 or later across all mail clients.
  • Audit deployed Mozilla products with software inventory tools and prioritize remediation for internet-facing or high-value users.

Patch Information

Mozilla released fixes in Firefox 132, Firefox ESR 128.4, Thunderbird 128.4, and Thunderbird 132. Refer to Mozilla Security Advisory MFSA-2024-55, MFSA-2024-56, MFSA-2024-58, and MFSA-2024-59. Debian users should apply updates noted in the Debian LTS Announcement October 2024 and the Debian LTS Announcement November 2024.

Workarounds

  • Disable Web Push notifications by setting dom.push.enabled to false in about:config until patches are deployed.
  • Revoke push notification permissions from non-essential sites under Settings, Privacy & Security, Permissions, Notifications.
  • Block outbound connections to push service endpoints at the network perimeter for environments that do not require browser push notifications.
bash
# Disable Web Push via enterprise policy (policies.json)
{
  "policies": {
    "Preferences": {
      "dom.push.enabled": {
        "Value": false,
        "Status": "locked"
      }
    }
  }
}

Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.

Default Legacy - Prefooter | Experience the World’s Most Advanced Cybersecurity Platform

Experience the Most Advanced Cybersecurity Platform

See how the world’s most intelligent, autonomous cybersecurity platform can protect your organization today and into the future.