The Tor Project recently deployed an emergency patch following the discovery of a serious security vulnerability being exploited against its users.
This flaw, identified as CVE-2024-9680, allows attackers to inject malicious code into the browser’s content process, where web content is loaded. A researcher from cybersecurity firm ESET initially uncovered this vulnerability, which received its first fix in the Mozilla Firefox browser last week.
In a public statement, Tor confirmed that the flaw had been actively exploited in attacks against Tor Browser users. Mozilla also acknowledged this exploitation in the wild.
“While this vulnerability could give attackers control of the Tor Browser, it’s unlikely they can use it to reveal your identity in Tails,” said the statement released by Tor.
Tails is a privacy-centered operating system that operates from a USB drive or DVD, ensuring no data is left on the host device. It ensures anonymity by routing all traffic through Tor, and it offers tools like encrypted messaging, email anonymization, and disk encryption.
CVE-2024-9680 is described as a “use-after-free” vulnerability. This type of memory corruption bug occurs when software continues to access a region of memory after it has already been released; because the freed region can be reused for other data, the bug can often be leveraged into system takeover.
What makes this exploit especially dangerous is its ease of use—it requires no user interaction, can be launched remotely, and is rated as low complexity. The issue received a critical CVSS score of 9.8 out of 10.
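To make the use-after-free pattern above concrete, here is an added example in C (constructed for this article, not code from Mozilla, Tor or the affected browser). It models the defensive technique of tagging each object slot with a generation counter so that a stale handle is rejected instead of dereferenced, including the case where the freed slot has already been reused for a new object; all names (`Widget`, `WidgetHandle`, `widget_*`) are hypothetical.

```c
#include <stdio.h>
#include <string.h>

/* Constructed demo: one reusable object slot, as an allocator would hand out.
 * A raw pointer kept after the object is destroyed would be a dangling pointer;
 * the handle below carries a generation number captured at creation time so
 * that any use after destruction (or after slot reuse) is detected. */
typedef struct {
    unsigned generation;   /* incremented every time the slot is freed */
    int live;              /* 1 while an object occupies the slot */
    char name[32];
} Widget;

typedef struct {
    Widget *slot;          /* where the object lived */
    unsigned generation;   /* generation the slot had when the handle was made */
} WidgetHandle;

static Widget slot_pool[1];   /* single slot keeps the demo small */

WidgetHandle widget_create(const char *name) {
    Widget *w = &slot_pool[0];
    w->live = 1;
    snprintf(w->name, sizeof w->name, "%s", name);
    return (WidgetHandle){ w, w->generation };
}

void widget_destroy(WidgetHandle h) {
    if (h.slot->live && h.slot->generation == h.generation) {
        h.slot->live = 0;
        h.slot->generation++;   /* invalidates every outstanding handle */
        memset(h.slot->name, 0, sizeof h.slot->name);
    }
}

/* Hardened accessor: returns NULL for a handle whose object is gone, even if
 * the slot has since been reused by a newer object (generation mismatch). */
Widget *widget_get(WidgetHandle h) {
    if (!h.slot->live || h.slot->generation != h.generation)
        return NULL;
    return h.slot;
}

/* 1 if the handle still refers to a live object, 0 if it is dangling. */
int widget_is_valid(WidgetHandle h) { return widget_get(h) != NULL; }

int main(void) {
    WidgetHandle tab = widget_create("tab");
    widget_destroy(tab);
    WidgetHandle popup = widget_create("popup");   /* reuses the same slot */
    printf("old handle valid: %d, new handle valid: %d\n",
           widget_is_valid(tab), widget_is_valid(popup));   /* prints 0, 1 */
    return 0;
}
```

A plain `live` flag alone would wrongly accept the old handle once the slot is reused; the generation check is what closes that gap.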
Tor and Mozilla strongly recommend users update their browsers immediately to ensure protection against this flaw.