Memory safety bugs present in Firefox 130, Firefox ESR 115.15, Firefox ESR 128.2, and Thunderbird 128.2. Some of these bugs showed evidence of memory corruption and we presume that with enough effort some of these could have been exploited to run arbitrary code. This vulnerability affects Firefox < 131, Firefox ESR < 128.3, Firefox ESR < 115.16, Thunderbird < 128.3, and Thunderbird < 131.
Conclusion & alert: CVE-2024-9401 is rated Moderate Risk (57.1/100): CVSS Critical severity, with low exploitation likelihood (EPSS 0.74%). Mandatory action: Review affected assets and schedule remediation.
Risk is dynamic; we continuously reassess and refresh what is shown on this page as upstream context changes.
EPSS lead: Daily EPSS estimates relative likelihood of exploitation; percentile ranks this CVE among scored vulnerabilities (higher = more severe relative rank).
| # | Date | Old EPSS score | New EPSS score | Delta (New - Old) |
|---|---|---|---|---|
| 1 | 2026-06-15 | 0.22% | 0.74% | +0.52% |
| 2 | 2025-11-21 | 1.06% | 0.22% | -0.84% |
| 3 | 2025-11-18 | — | 1.06% | — |
Full EPSS history (18 records total)
CVSS metrics for this CVE.
| Base score | Version | Severity | Vector | Exploitability | Impact | Score source |
|---|---|---|---|---|---|---|
| 9.8 | 3.1 | CRITICAL |
|
3.9 | 5.9 | 134c704f-9b21-4f2e-91b3-4a467353bcc0 |
| vendor | priority | summary | link |
|---|---|---|---|
alpine
|
— | CVE-2024-9401: 3 source package rows (firefox, firefox-esr, thunderbird); 334 state rows across 3 repos (3.20-community, 3.22-community, edge-community); fixed 0, open 334. | https://security.alpinelinux.org/vuln/CVE-2024-9401 |
debian
|
not yet assigned | CVE-2024-9401 not yet assigned priority: Debian including 3 source packages (firefox, firefox-esr, thunderbird), 11 status rows across 5 suites (bookworm, bullseye, forky, sid, trixie): resolved 11. | https://security-tracker.debian.org/tracker/CVE-2024-9401 |
gentoo
|
high | CVE-2024-9401: 3 GLSA(s) (202412-04, 202412-06, 202505-08), 5 atom(s) (dev-lang/spidermonkey, mail-client/thunderbird, mail-client/thunderbird-bin, www-client/firefox, www-client/firefox-bin); latest impact high. | https://bugs.gentoo.org/buglist.cgi?quicksearch=CVE-2024-9401 |
redhat
|
high | — | https://access.redhat.com/security/cve/CVE-2024-9401 |
suse
|
high | CVE-2024-9401 severity important: SUSE including 40 source package names (MozillaFirefox-128.3.1-112.231.1, MozillaFirefox-128.3.1-150200.152.155.1, …), 156 product×package rows across 52 product lines (Container suse/kiosk/firefox-esr, Image SLES12-SP5-SAP-Azure-LI-BYOS-Production, … (52 product lines)): Fixed 156. | https://www.suse.com/security/cve/CVE-2024-9401/ |
ubuntu
|
medium | CVE-2024-9401 medium priority: Ubuntu including 9 source packages (firefox, mozjs102, …), 65 status rows across 8 suites (bionic, focal, jammy, noble, oracular, plucky, questing, upstream): DNE 33, needs-triage 10, ignored 9, not-affected 9, released 4. | https://ubuntu.com/security/CVE-2024-9401 |
| Vendor | Product | Version | Raw CPE |
|---|---|---|---|
| mozilla | firefox | < 115.16.0 | cpe:2.3:a:mozilla:firefox:*:*:*:*:esr:*:*:* |
| mozilla | firefox | < 131.0 | cpe:2.3:a:mozilla:firefox:*:*:*:*:*:*:*:* |
| mozilla | firefox | >= 116.0, < 128.3.0 | cpe:2.3:a:mozilla:firefox:*:*:*:*:esr:*:*:* |
| mozilla | thunderbird | < 128.3.0 | cpe:2.3:a:mozilla:thunderbird:*:*:*:*:*:*:*:* |
| mozilla | thunderbird | >= 129.0, < 131.0 | cpe:2.3:a:mozilla:thunderbird:*:*:*:*:*:*:*:* |
| URL | Tags |
|---|---|
| https://bugzilla.mozilla.org/buglist.cgi?bug_id=1872744%2C1897792%2C1911317%2C1916476 | Issue Tracking |
| https://www.mozilla.org/security/advisories/mfsa2024-46/ | Vendor Advisory |
| https://www.mozilla.org/security/advisories/mfsa2024-47/ | Vendor Advisory |
| https://www.mozilla.org/security/advisories/mfsa2024-48/ | Vendor Advisory |
| https://www.mozilla.org/security/advisories/mfsa2024-49/ | Vendor Advisory |
| https://www.mozilla.org/security/advisories/mfsa2024-50/ | Vendor Advisory |
| https://lists.debian.org/debian-lts-announce/2024/10/msg00006.html |