Memory safety bugs present in Firefox 125. Some of these bugs showed evidence of memory corruption and we presume that with enough effort some of these could have been exploited to run arbitrary code. This vulnerability affects Firefox < 126. — CVE-2024-4778

Summary

Advisory CVE-2024-4778. Memory safety bugs present in Firefox 125. Some of these bugs showed evidence of memory corruption and we presume that with enough effort… Vendor: Microsoft. Source: MSRC. Threat: critical. CVSS 9.8. See the…

What to do

General, cautious steps (verify details in the official source):

• Prioritize patching or mitigation immediately (treat as actively risky).
• Identify affected product versions in your inventory and verify whether you are impacted.
• Apply vendor patches/updates or recommended mitigations as soon as available.
• Read the official advisory for exact affected versions and remediation steps.

Official advisory

Read the official source

Related advisories

• GitHub: CVE-2024-32002 Recursive clones on case-insensitive filesystems that support symlinks are susceptible to Remote Code Execution CVE-2024-32002
• HDF5 Library through 1.14.3 contains a heap-based buffer overflow in H5HG_read in H5HG.c (called from H5VL__native_blob_get in H5VLnative_blob.c) resulting in the corruption of the instruction pointer. CVE-2024-32621
• HDF5 Library through 1.14.3 contains a out-of-bounds read operation in H5FL_arr_malloc in H5FL.c (called from H5S_set_extent_simple in H5S.c). CVE-2024-32622
• HDF5 Library through 1.14.3 may use an uninitialized value in H5A__attr_release_table in H5Aint.c. CVE-2024-32611
• HDF5 through 1.14.3 contains a buffer overflow in H5Z__filter_scaleoffset resulting in the corruption of the instruction pointer and causing denial of service or potential code execution. CVE-2024-29159
• HDF5 through 1.14.3 contains a heap buffer overflow in H5HG_read resulting in the corruption of the instruction pointer and causing denial of service or potential code execution. CVE-2024-29157
• .NET and Visual Studio Remote Code Execution Vulnerability CVE-2024-30045
• <vuln:Note Title="Mariner" Type="Tag" Ordinal="20">Mariner CVE-2023-4133
• ACPI: CPPC: Use access_width over bit_width for system memory accesses CVE-2024-35995
• amd/amdkfd: sync all devices to wait all processes being evicted CVE-2024-36949
• An HTTP digest authentication nonce value was generated using `rand()` which could lead to predictable values. This vulnerability affects Firefox &lt; 126. CVE-2024-4772
• An issue in kubevirt kubevirt v1.2.0 and before allows a local attacker to execute arbitrary code via a crafted command to get the token component. CVE-2024-33394