CVE-2024-11704 Overview
CVE-2024-11704 is a double-free vulnerability in the Network Security Services (NSS) library used by Mozilla Firefox and Thunderbird. The flaw resides in the sec_pkcs7_decoder_start_decrypt() function when processing PKCS#7 encrypted data. Under specific error conditions, the same symmetric key can be freed twice, leading to memory corruption. The issue affects Firefox versions earlier than 133, Thunderbird versions earlier than 133, Firefox ESR earlier than 128.7, and Thunderbird earlier than 128.7. An attacker can deliver crafted PKCS#7 content over the network without user interaction or prior authentication.
Critical Impact
Successful exploitation can cause memory corruption in the browser or mail client process, potentially enabling arbitrary code execution within the affected application context.
Affected Products
- Mozilla Firefox versions earlier than 133
- Mozilla Firefox ESR versions earlier than 128.7
- Mozilla Thunderbird versions earlier than 133, and Thunderbird 128.x versions earlier than 128.7
Discovery Timeline
- 2024-11-26 - CVE-2024-11704 published to NVD
- 2025-11-03 - Last updated in NVD database
Technical Details for CVE-2024-11704
Vulnerability Analysis
The vulnerability is classified as a double-free condition [CWE-415] in the PKCS#7 decoder path of NSS. The function sec_pkcs7_decoder_start_decrypt() manages a symmetric key used to decrypt enveloped PKCS#7 content. When the decoder encounters an error during the decryption setup, the cleanup logic releases the symmetric key buffer and an outer error handler releases the same buffer again. The duplicated free() corrupts heap metadata and leaves a dangling pointer in the allocator's internal structures.
Memory corruption arising from a double-free can be leveraged by attackers to manipulate heap layout, overwrite function pointers, or pivot to control of the instruction pointer. Because PKCS#7 parsing is invoked when handling signed or encrypted email content and certain web-delivered cryptographic objects, the attack surface extends to both Firefox and Thunderbird users.
Root Cause
The root cause is improper ownership tracking of the symmetric key allocation in the error-handling branch of sec_pkcs7_decoder_start_decrypt(). The function does not null the pointer after the first release, allowing a subsequent cleanup call to free the same memory region.
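The ownership mistake described above, reduced to its shape as an added illustration (this is not NSS code, and the SymKey, Decoder and function names are hypothetical): the vulnerable variant releases the key on the error path but leaves the decoder's pointer intact, so the caller's generic cleanup releases it again; the fixed variant nulls the pointer after the first release. The destroy routine is instrumented to count releases instead of calling free(), so the double release shows up as a number rather than as a crash.

```c
#include <stdlib.h>

/* Hypothetical stand-in for the NSS symmetric-key object (illustration, not NSS code). */
typedef struct { unsigned char material[16]; int destroy_calls; } SymKey;

static SymKey *g_last_key;  /* lets the caller inspect the key after the decoder drops it */

static SymKey *symkey_new(void) {
    g_last_key = calloc(1, sizeof(SymKey));
    return g_last_key;
}

/* Instrumented release: counts calls instead of calling free(), so a second
 * release is observable as a count rather than as undefined behaviour. */
static void symkey_destroy(SymKey *key) { if (key) key->destroy_calls++; }

typedef struct { SymKey *key; } Decoder;

/* Vulnerable shape: on a setup error the key is released, but dec->key still
 * points at it, so the caller's generic cleanup releases it a second time. */
static int start_decrypt_vulnerable(Decoder *dec, int setup_error) {
    dec->key = symkey_new();
    if (setup_error) { symkey_destroy(dec->key); return -1; }
    return 0;
}

/* Fixed shape: after releasing the key on the error path, the transfer of
 * ownership is recorded by nulling the pointer, so the outer cleanup is a no-op. */
static int start_decrypt_fixed(Decoder *dec, int setup_error) {
    dec->key = symkey_new();
    if (setup_error) { symkey_destroy(dec->key); dec->key = NULL; return -1; }
    return 0;
}

/* Generic outer cleanup that the caller runs on any failure. */
static void decoder_cleanup(Decoder *dec) { symkey_destroy(dec->key); dec->key = NULL; }

/* Drives one variant down its error path and reports how many times the single
 * key allocation was released: 2 is the double free, 1 is the correct behaviour. */
static int releases_on_error(int (*start)(Decoder *, int)) {
    Decoder dec = { NULL };
    int count;
    if (start(&dec, 1) == 0) return -1;   /* the error path is expected here */
    decoder_cleanup(&dec);
    count = g_last_key->destroy_calls;
    free(g_last_key);                      /* real release, exactly once */
    g_last_key = NULL;
    return count;
}
```

With a real allocator the second release in the vulnerable variant is what AddressSanitizer reports as a double-free and what glibc aborts on with a heap corruption message, which is the crash signature the detection section refers to.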
Attack Vector
An attacker delivers a malicious PKCS#7 structure to a target. In Thunderbird, this is achieved by sending a crafted S/MIME email message. In Firefox, the structure can be served through web content that triggers PKCS#7 decoding. No user interaction beyond opening the message or visiting the page is required.
No verified public proof-of-concept code is currently available. Technical details are described in Mozilla bug report #1899402.
Detection Methods for CVE-2024-11704
Indicators of Compromise
- Unexpected crashes of firefox.exe, thunderbird.exe, or their Linux equivalents with heap corruption signatures in crash dumps.
- Inbound S/MIME messages containing malformed or unusual PKCS#7 enveloped data structures.
- Browser or mail client processes spawning unexpected child processes shortly after rendering encrypted content.
Detection Strategies
- Inventory endpoints and identify Firefox, Firefox ESR, and Thunderbird installations below the patched versions.
- Inspect crash telemetry for stack frames referencing sec_pkcs7_decoder_start_decrypt or NSS heap allocator abort messages.
- Correlate process crashes with recent receipt of S/MIME email or rendering of cryptographic web content.
Monitoring Recommendations
- Monitor for anomalous memory allocation patterns and process crashes in browser and mail client telemetry.
- Track outbound network connections originating from Firefox or Thunderbird processes after suspect content is processed.
- Alert on creation of new persistence artifacts immediately following a browser or mail client crash event.
How to Mitigate CVE-2024-11704
Immediate Actions Required
- Update Firefox to version 133 or later and Firefox ESR to 128.7 or later on all endpoints.
- Update Thunderbird to version 133 or later, or to 128.7 or later for the ESR branch.
- Restart browser and mail client processes after patching to ensure the vulnerable NSS library is unloaded.
Patch Information
Mozilla released fixes documented in MFSA-2024-63, MFSA-2024-67, MFSA-2025-09, and MFSA-2025-10. Debian users should apply updates referenced in the Debian LTS Announcement.
Workarounds
- Disable automatic display of S/MIME encrypted messages in Thunderbird until patches are applied.
- Restrict delivery of S/MIME messages from untrusted external senders at the mail gateway.
- Deploy application allowlisting to prevent unpatched Firefox and Thunderbird versions from executing.
# Verify installed versions on Linux
firefox --version
thunderbird --version
# Example apt upgrade on Debian-based systems
sudo apt update
sudo apt install --only-upgrade firefox-esr thunderbird
Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.

