CVE-2024-3302

Summary

There was no limit to the number of HTTP/2 CONTINUATION frames that would be processed. A server could abuse this to create an Out of Memory condition in the browser. This vulnerability affects Firefox < 125, Firefox ESR < 115.10, and Thunderbird < 115.10.

Affected Software

VendorProductVersion RangeStatus
MozillaFirefoxunspecified < 125affected
MozillaFirefox ESRunspecified < 115.10affected
MozillaThunderbirdunspecified < 115.10affected

Weaknesses

  • Denial of Service using HTTP/2 CONTINUATION frames

ADP Enrichment

CISA ADP Vulnrichment

  • SSVC:
  • Exploitation: none
    • Automatable: no
    • Technical Impact: partial

CVE Program Container

Additional References

References