CVE-2024-11704: Potential double-free vulnerability in PKCS#7 decryption handling in Mozilla Firefox
A double-free issue could have occurred in `sec_pkcs7_decoder_start_decrypt()` when handling an error path. Under specific conditions, the same symmetric key could have been freed twice, potentially leading to memory corruption. This vulnerability affects Firefox < 133, Thunderbird < 133, Firefox ESR < 128.7, and Thunderbird < 128.7.
AI Analysis
Technical Summary
CVE-2024-11704 is a critical memory corruption vulnerability classified as a double-free (CWE-415) in the PKCS#7 decryption process of Mozilla Firefox and Thunderbird. Specifically, the issue occurs in the sec_pkcs7_decoder_start_decrypt() function when an error path leads to the same symmetric key being freed twice. This double-free can corrupt the heap, potentially allowing an attacker to execute arbitrary code, crash the application, or cause denial of service. The vulnerability affects Firefox versions prior to 133, Thunderbird versions prior to 128.7, and Firefox ESR versions prior to 128.7. The flaw can be triggered remotely without requiring any privileges or user interaction, as it involves processing specially crafted PKCS#7 encrypted data. The CVSS v3.1 score is 9.8 (critical), reflecting the vulnerability's high impact on confidentiality, integrity, and availability, combined with its ease of exploitation over the network. No public exploits have been reported yet, but the severity demands urgent attention. The vulnerability arises from improper memory management in the NSS (Network Security Services) library used by Mozilla products for cryptographic operations. This flaw could be exploited by attackers to compromise the security of encrypted communications or execute arbitrary code within the context of the affected application.
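The error-path ownership mistake behind a double-free of this class (CWE-415), shown as an added example that is not NSS code and not from the original advisory. All names (`mock_key`, `mock_decoder`, `start_decrypt_flawed`, `start_decrypt_fixed`) are constructed stand-ins, and releases are counted rather than performed so the program runs without corrupting memory.

```c
#include <stdio.h>

/* Constructed stand-ins; none of these names are NSS types or functions. */
typedef struct { int destroy_calls; } mock_key;      /* counts releases instead of freeing */
typedef struct { mock_key *bulk_key; } mock_decoder; /* context that may own the key */

static void key_destroy(mock_key *k) { if (k) k->destroy_calls++; }

/* Teardown run by the owner of the context, after success or failure. */
static void decoder_teardown(mock_decoder *d) {
    key_destroy(d->bulk_key);
    d->bulk_key = NULL;
}

/* Flawed error path: key released locally, stale pointer left in the context. */
static int start_decrypt_flawed(mock_decoder *d, mock_key *k, int cipher_ok) {
    d->bulk_key = k;
    if (!cipher_ok) {
        key_destroy(k);          /* first release */
        return -1;               /* d->bulk_key still points at k */
    }
    return 0;
}

/* Hardened error path: release through the owning field, then clear it. */
static int start_decrypt_fixed(mock_decoder *d, mock_key *k, int cipher_ok) {
    d->bulk_key = k;
    if (!cipher_ok) {
        key_destroy(d->bulk_key);
        d->bulk_key = NULL;      /* teardown now finds nothing to release */
        return -1;
    }
    return 0;
}

/* Runs one decode attempt plus teardown; returns how often the key was released. */
static int releases_after_attempt(int use_fixed, int cipher_ok) {
    mock_key k = {0};
    mock_decoder d = {NULL};
    if (use_fixed) start_decrypt_fixed(&d, &k, cipher_ok);
    else           start_decrypt_flawed(&d, &k, cipher_ok);
    decoder_teardown(&d);
    return k.destroy_calls;
}

int main(void) {
    printf("flawed, error path: %d releases\n", releases_after_attempt(0, 0));
    printf("fixed,  error path: %d releases\n", releases_after_attempt(1, 0));
    return 0;
}
```

With a real allocator the second release in the flawed variant is the heap corruption the advisory describes; building test harnesses with AddressSanitizer reports it at the second `free`.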
Potential Impact
For European organizations, this vulnerability poses a significant risk due to the widespread use of Mozilla Firefox and Thunderbird for web browsing and email communications. Exploitation could lead to remote code execution, allowing attackers to gain control over affected systems, steal sensitive data, or disrupt operations through denial of service. Sectors such as government, finance, healthcare, and critical infrastructure that rely heavily on secure communications are particularly vulnerable. The vulnerability undermines the confidentiality and integrity of encrypted data processed by these applications. Additionally, the ease of exploitation without authentication or user interaction increases the threat level. Organizations may face regulatory and compliance risks if breaches occur due to unpatched systems. The potential for widespread impact is high given the popularity of the affected software across Europe.
Mitigation Recommendations
1. Immediately update Mozilla Firefox, Thunderbird, and Firefox ESR to versions 133, 128.7, or later as soon as official patches are released.
2. Until patches are available, restrict the processing of untrusted PKCS#7 encrypted data, especially from unknown or suspicious sources.
3. Employ network-level protections such as web and email gateways to filter and block malicious payloads containing crafted PKCS#7 data.
4. Monitor application logs and network traffic for anomalies indicative of exploitation attempts targeting PKCS#7 decryption.
5. Use endpoint detection and response (EDR) tools to detect and respond to suspicious memory corruption or code execution behaviors.
6. Educate users about the risks of opening untrusted encrypted email attachments or visiting untrusted websites.
7. Consider deploying application sandboxing or isolation techniques to limit the impact of potential exploitation.
8. Maintain an up-to-date inventory of affected software versions within the organization to prioritize patching efforts.
Affected Countries
Germany, France, United Kingdom, Italy, Spain, Netherlands, Poland, Sweden
Technical Details
- Data Version: 5.2
- Assigner Short Name: mozilla
- Date Reserved: 2024-11-25T16:29:45.930Z
- CVSS Version: 3.1
- State: PUBLISHED
Threat ID: 69092147fe7723195e054077
Added to database: 11/3/2025, 9:40:23 PM
Last enriched: 11/3/2025, 10:09:50 PM
Last updated: 12/15/2025, 11:00:52 AM