Lars Eggert

**Name of the Vulnerable Software and Affected Versions** Firefox versions prior to 129 Firefox ESR versions prior to 115.14 Firefox ESR versions prior to 128.1 **Description** The issue is related to a buffer overflow in the CKM CHACHA20 font set of Mozilla Firefox and Firefox ESR browsers. This can be exploited by a remote attacker to access protected information by calling the `PK11 Encrypt()` function. In Firefox, this vulnerability affects the QUIC header protection feature when using the ChaCha20-Poly1305 cipher suite, potentially leading to connection failure or allowing a network observer to identify packets from the same source despite network path changes. **Recommendations** For Firefox versions prior to 129, update to version 129 or later to resolve the issue. For Firefox ESR versions prior to 115.14, update to version 115.14 or later to resolve the issue. For Firefox ESR versions prior to 128.1, update to version 128.1 or later to resolve the issue. As a temporary workaround, consider avoiding the use of the ChaCha20-Poly1305 cipher suite in QUIC connections until a patch is applied.