Mozilla Foundation Security Advisory 2024-52

Security Vulnerability fixed in Thunderbird 131.0.1, Thunderbird 128.3.1, Thunderbird 115.16.0

Announced
October 10, 2024
Impact
critical
Products
Thunderbird
Fixed in
  • Thunderbird 115.16
  • Thunderbird 128.3.1
  • Thunderbird 131.0.1

In general, these flaws cannot be exploited through email in the Thunderbird product because scripting is disabled when reading mail, but are potentially risks in browser or browser-like contexts.

#CVE-2024-9680: Use-after-free in Animation timeline

Reporter
Damien Schaeffer from ESET
Impact
critical
Description

An attacker was able to achieve code execution in the content process by exploiting a use-after-free in Animation timelines. We have had reports of this vulnerability being exploited in the wild.

References