PT-2024-5756 · Mozilla+7 · Firefox Esr+8
Lars Eggert
·
Published
2024-08-06
·
Updated
2025-08-12
·
CVE-2024-7531
CVSS v2.0
7.8
High
| Vector | AV:N/AC:L/Au:N/C:C/I:N/A:N |
Name of the Vulnerable Software and Affected Versions
Firefox versions prior to 129
Firefox ESR versions prior to 115.14
Firefox ESR versions prior to 128.1
Description
The issue is related to a buffer overflow in the CKM CHACHA20 font set of Mozilla Firefox and Firefox ESR browsers. This can be exploited by a remote attacker to access protected information by calling the
PK11 Encrypt() function. In Firefox, this vulnerability affects the QUIC header protection feature when using the ChaCha20-Poly1305 cipher suite, potentially leading to connection failure or allowing a network observer to identify packets from the same source despite network path changes.Recommendations
For Firefox versions prior to 129, update to version 129 or later to resolve the issue.
For Firefox ESR versions prior to 115.14, update to version 115.14 or later to resolve the issue.
For Firefox ESR versions prior to 128.1, update to version 128.1 or later to resolve the issue.
As a temporary workaround, consider avoiding the use of the ChaCha20-Poly1305 cipher suite in QUIC connections until a patch is applied.
Fix
Missing Encryption of Sensitive Data
Time Of Check To Time Of Use
Heap Based Buffer Overflow
Found an issue in the description? Have something to add? Feel free to write us 👾
Related Identifiers
Affected Products
Alt Linux
Astra Linux
Debian
Firefox
Firefox Esr
Linuxmint
Red Os
Suse
Ubuntu