CVE-2024-11705

Summary

NSC_DeriveKey inadvertently assumed that the phKey parameter is always non-NULL. When it was passed as NULL, a segmentation fault (SEGV) occurred, leading to crashes. This behavior conflicted with the PKCS#11 v3.0 specification, which allows phKey to be NULL for certain mechanisms. This vulnerability affects Firefox < 133 and Thunderbird < 133.

Affected Software

VendorProductVersion RangeStatus
MozillaFirefoxunspecified < 133affected
MozillaThunderbirdunspecified < 133affected

Weaknesses

  • Null Pointer Dereference in NSC_DeriveKey

ADP Enrichment

CISA ADP Vulnrichment

  • SSVC:
  • Exploitation: none
    • Automatable: yes
    • Technical Impact: partial

References