Search for vulnerabilities
Vulnerability details: VCID-zbyj-zuwa-e7hn
Vulnerability ID VCID-zbyj-zuwa-e7hn
Aliases CVE-2024-7531
Summary Calling PK11_Encrypt() in NSS using CKM_CHACHA20 and the same buffer for input and output can result in plaintext on an Intel Sandy Bridge processor. In Firefox this only affects the QUIC header protection feature when the connection is using the ChaCha20-Poly1305 cipher suite. The most likely outcome is connection failure, but if the connection persists despite the high packet loss it could be possible for a network observer to identify packets as coming from the same source despite a network path change.
Status Published
Exploitability 0.5
Weighted Severity 8.0
Risk 4.0
Affected and Fixed Packages Package Details
Weaknesses (1)
CWE-319 Cleartext Transmission of Sensitive Information
System Score Found at
cvssv3 3.1 https://access.redhat.com/hydra/rest/securitydata/cve/CVE-2024-7531.json
epss 0.00121 https://api.first.org/data/v1/epss?cve=CVE-2024-7531
epss 0.00121 https://api.first.org/data/v1/epss?cve=CVE-2024-7531
epss 0.00121 https://api.first.org/data/v1/epss?cve=CVE-2024-7531
epss 0.00121 https://api.first.org/data/v1/epss?cve=CVE-2024-7531
epss 0.00121 https://api.first.org/data/v1/epss?cve=CVE-2024-7531
epss 0.00121 https://api.first.org/data/v1/epss?cve=CVE-2024-7531
epss 0.00121 https://api.first.org/data/v1/epss?cve=CVE-2024-7531
epss 0.00121 https://api.first.org/data/v1/epss?cve=CVE-2024-7531
epss 0.00121 https://api.first.org/data/v1/epss?cve=CVE-2024-7531
epss 0.00121 https://api.first.org/data/v1/epss?cve=CVE-2024-7531
epss 0.00121 https://api.first.org/data/v1/epss?cve=CVE-2024-7531
epss 0.00121 https://api.first.org/data/v1/epss?cve=CVE-2024-7531
epss 0.00121 https://api.first.org/data/v1/epss?cve=CVE-2024-7531
epss 0.00121 https://api.first.org/data/v1/epss?cve=CVE-2024-7531
epss 0.00121 https://api.first.org/data/v1/epss?cve=CVE-2024-7531
epss 0.00121 https://api.first.org/data/v1/epss?cve=CVE-2024-7531
epss 0.00121 https://api.first.org/data/v1/epss?cve=CVE-2024-7531
cvssv3.1 6.3 https://bugzilla.mozilla.org/show_bug.cgi?id=1905691
ssvc Track https://bugzilla.mozilla.org/show_bug.cgi?id=1905691
cvssv3.1 4.2 https://ftp.suse.com/pub/projects/security/yaml/suse-cvss-scores.yaml
cvssv3.1 6.5 https://nvd.nist.gov/vuln/detail/CVE-2024-7531
generic_textual high https://www.mozilla.org/en-US/security/advisories/mfsa2024-33
generic_textual high https://www.mozilla.org/en-US/security/advisories/mfsa2024-34
generic_textual high https://www.mozilla.org/en-US/security/advisories/mfsa2024-35
cvssv3.1 6.3 https://www.mozilla.org/security/advisories/mfsa2024-33/
ssvc Track https://www.mozilla.org/security/advisories/mfsa2024-33/
cvssv3.1 6.3 https://www.mozilla.org/security/advisories/mfsa2024-34/
ssvc Track https://www.mozilla.org/security/advisories/mfsa2024-34/
cvssv3.1 6.3 https://www.mozilla.org/security/advisories/mfsa2024-35/
ssvc Track https://www.mozilla.org/security/advisories/mfsa2024-35/
Reference id Reference type URL
https://access.redhat.com/hydra/rest/securitydata/cve/CVE-2024-7531.json
https://api.first.org/data/v1/epss?cve=CVE-2024-7531
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2024-7519
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2024-7521
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2024-7522
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2024-7524
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2024-7525
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2024-7526
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2024-7527
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2024-7529
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2024-7531
https://ftp.suse.com/pub/projects/security/yaml/suse-cvss-scores.yaml
2303148 https://bugzilla.redhat.com/show_bug.cgi?id=2303148
cpe:2.3:a:mozilla:firefox:*:*:*:*:*:*:*:* https://nvd.nist.gov/vuln/search/results?adv_search=true&isCpeNameSearch=true&query=cpe:2.3:a:mozilla:firefox:*:*:*:*:*:*:*:*
cpe:2.3:a:mozilla:firefox_esr:*:*:*:*:*:*:*:* https://nvd.nist.gov/vuln/search/results?adv_search=true&isCpeNameSearch=true&query=cpe:2.3:a:mozilla:firefox_esr:*:*:*:*:*:*:*:*
cpe:2.3:a:mozilla:firefox_esr:128.0:*:*:*:*:*:*:* https://nvd.nist.gov/vuln/search/results?adv_search=true&isCpeNameSearch=true&query=cpe:2.3:a:mozilla:firefox_esr:128.0:*:*:*:*:*:*:*
CVE-2024-7531 https://nvd.nist.gov/vuln/detail/CVE-2024-7531
mfsa2024-33 https://www.mozilla.org/en-US/security/advisories/mfsa2024-33
mfsa2024-33 https://www.mozilla.org/security/advisories/mfsa2024-33/
mfsa2024-34 https://www.mozilla.org/en-US/security/advisories/mfsa2024-34
mfsa2024-34 https://www.mozilla.org/security/advisories/mfsa2024-34/
mfsa2024-35 https://www.mozilla.org/en-US/security/advisories/mfsa2024-35
mfsa2024-35 https://www.mozilla.org/security/advisories/mfsa2024-35/
RHSA-2024:6839 https://access.redhat.com/errata/RHSA-2024:6839
show_bug.cgi?id=1905691 https://bugzilla.mozilla.org/show_bug.cgi?id=1905691
USN-6966-1 https://usn.ubuntu.com/6966-1/
No exploits are available.
Vector: CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:U/C:L/I:N/A:N Found at https://access.redhat.com/hydra/rest/securitydata/cve/CVE-2024-7531.json
Attack Vector (AV) Attack Complexity (AC) Privileges Required (PR) User Interaction (UI) Scope (S) Confidentiality Impact (C) Integrity Impact (I) Availability Impact (A)

network

adjacent_network

local

physical

low

high

none

low

high

none

required

unchanged

changed

high

low

none

high

low

none

high

low

none
Vector: CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:L Found at https://bugzilla.mozilla.org/show_bug.cgi?id=1905691
Attack Vector (AV) Attack Complexity (AC) Privileges Required (PR) User Interaction (UI) Scope (S) Confidentiality Impact (C) Integrity Impact (I) Availability Impact (A)

network

adjacent_network

local

physical

low

high

none

low

high

none

required

unchanged

changed

high

low

none

high

low

none

high

low

none
Vector: SSVCv2/E:N/A:N/T:P/P:M/B:A/M:M/D:T/2024-08-16T16:06:38Z/ Found at https://bugzilla.mozilla.org/show_bug.cgi?id=1905691
Vector: CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:U/C:L/I:N/A:L Found at https://ftp.suse.com/pub/projects/security/yaml/suse-cvss-scores.yaml
Attack Vector (AV) Attack Complexity (AC) Privileges Required (PR) User Interaction (UI) Scope (S) Confidentiality Impact (C) Integrity Impact (I) Availability Impact (A)

network

adjacent_network

local

physical

low

high

none

low

high

none

required

unchanged

changed

high

low

none

high

low

none

high

low

none
Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:N/A:N Found at https://nvd.nist.gov/vuln/detail/CVE-2024-7531
Attack Vector (AV) Attack Complexity (AC) Privileges Required (PR) User Interaction (UI) Scope (S) Confidentiality Impact (C) Integrity Impact (I) Availability Impact (A)

network

adjacent_network

local

physical

low

high

none

low

high

none

required

unchanged

changed

high

low

none

high

low

none

high

low

none
Vector: CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:L Found at https://www.mozilla.org/security/advisories/mfsa2024-33/
Attack Vector (AV) Attack Complexity (AC) Privileges Required (PR) User Interaction (UI) Scope (S) Confidentiality Impact (C) Integrity Impact (I) Availability Impact (A)

network

adjacent_network

local

physical

low

high

none

low

high

none

required

unchanged

changed

high

low

none

high

low

none

high

low

none
Vector: SSVCv2/E:N/A:N/T:P/P:M/B:A/M:M/D:T/2024-08-16T16:06:38Z/ Found at https://www.mozilla.org/security/advisories/mfsa2024-33/
Vector: CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:L Found at https://www.mozilla.org/security/advisories/mfsa2024-34/
Attack Vector (AV) Attack Complexity (AC) Privileges Required (PR) User Interaction (UI) Scope (S) Confidentiality Impact (C) Integrity Impact (I) Availability Impact (A)

network

adjacent_network

local

physical

low

high

none

low

high

none

required

unchanged

changed

high

low

none

high

low

none

high

low

none
Vector: SSVCv2/E:N/A:N/T:P/P:M/B:A/M:M/D:T/2024-08-16T16:06:38Z/ Found at https://www.mozilla.org/security/advisories/mfsa2024-34/
Vector: CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:L Found at https://www.mozilla.org/security/advisories/mfsa2024-35/
Attack Vector (AV) Attack Complexity (AC) Privileges Required (PR) User Interaction (UI) Scope (S) Confidentiality Impact (C) Integrity Impact (I) Availability Impact (A)

network

adjacent_network

local

physical

low

high

none

low

high

none

required

unchanged

changed

high

low

none

high

low

none

high

low

none
Vector: SSVCv2/E:N/A:N/T:P/P:M/B:A/M:M/D:T/2024-08-16T16:06:38Z/ Found at https://www.mozilla.org/security/advisories/mfsa2024-35/
Exploit Prediction Scoring System (EPSS)
Percentile 0.32049
EPSS Score 0.00121
Published At July 30, 2025, 12:55 p.m.
Date Actor Action Source VulnerableCode Version
2025-07-31T08:09:04.589663+00:00 Mozilla Importer Import https://github.com/mozilla/foundation-security-advisories/blob/master/announce/2024/mfsa2024-34.yml 37.0.0