Threat actors are exploiting CVE-2024-9680, a flaw that lets them run code when a user visits a malicious website. It should not be a problem for those whose Red Panda browser settings are set to “auto-update”, but some administrators disable that sort of thing.
The flaw is a use-after-free bug in animation timelines, a dynamic memory management problem. Kaspersky explains that if a memory location is freed but not cleared, an attacker can exploit it.
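To make the mechanism concrete, here is an added example (constructed for this article, not Mozilla's code and not the actual vulnerable path) that simulates a small "timeline" object pool. The first function shows the unsafe pattern: a raw pointer is kept after its object is released, the slot is reused for a new object, and the stale pointer silently reads the new object's data. The second shows one mitigation, generational handles, where every handle carries the generation of the slot it was issued for, so a read through a stale handle is rejected instead of returning reused memory. All names (`Timeline`, `TimelineRef`, `timeline_get`) are hypothetical.

```c
#include <stdio.h>
#include <string.h>

#define MAX_OBJS 4

/* Constructed object standing in for an animation timeline. */
typedef struct {
    double   current_time;
    unsigned generation;   /* bumped each time this slot is handed out */
    int      in_use;
} Timeline;

/* Checked handle: slot index plus the generation it was issued for. */
typedef struct {
    int      slot;
    unsigned generation;
} TimelineRef;

static Timeline pool[MAX_OBJS];

static void pool_reset(void) { memset(pool, 0, sizeof pool); }

/* Allocate the first free slot; reuse is what makes a dangling pointer dangerous. */
static int timeline_new(void) {
    for (int i = 0; i < MAX_OBJS; i++) {
        if (!pool[i].in_use) {
            pool[i].in_use = 1;
            pool[i].generation++;
            pool[i].current_time = 0.0;
            return i;
        }
    }
    return -1;
}

static void timeline_release(int slot) { pool[slot].in_use = 0; }

static TimelineRef timeline_ref(int slot) {
    TimelineRef r = { slot, pool[slot].generation };
    return r;
}

/* Checked read: refuses stale handles. Returns 0 on success, -1 if the slot
 * was released or has since been reissued to a different object. */
static int timeline_get(TimelineRef ref, double *out) {
    if (ref.slot < 0 || ref.slot >= MAX_OBJS) return -1;
    const Timeline *t = &pool[ref.slot];
    if (!t->in_use || t->generation != ref.generation) return -1;
    *out = t->current_time;
    return 0;
}

/* Unsafe pattern: raw pointer survives the release, slot gets reused. */
double demo_unchecked_reuse(void) {
    pool_reset();
    int a = timeline_new();
    Timeline *stale = &pool[a];
    stale->current_time = 1.5;
    timeline_release(a);
    int b = timeline_new();          /* reuses slot a */
    pool[b].current_time = 42.0;     /* the "other" object's data */
    return stale->current_time;      /* 42.0: reads through the dangling pointer */
}

/* Mitigated pattern: same sequence, but the read goes through a checked handle. */
int demo_checked_stale_ref(void) {
    double v = 0.0;
    pool_reset();
    int a = timeline_new();
    TimelineRef ref = timeline_ref(a);
    pool[a].current_time = 1.5;
    timeline_release(a);
    int b = timeline_new();
    pool[b].current_time = 42.0;
    return timeline_get(ref, &v);    /* -1: generation no longer matches */
}

/* Sanity check that a live handle still works; returns the value read or -1.0. */
double demo_live_ref(void) {
    double v = 0.0;
    pool_reset();
    int a = timeline_new();
    TimelineRef ref = timeline_ref(a);
    pool[a].current_time = 1.5;
    return timeline_get(ref, &v) == 0 ? v : -1.0;
}

int main(void) {
    printf("unchecked stale read: %.1f\n", demo_unchecked_reuse());
    printf("checked stale read:   %d\n", demo_checked_stale_ref());
    printf("checked live read:    %.1f\n", demo_live_ref());
    return 0;
}
```

The pool here is a static array, so the simulation is deterministic; with a real heap allocator the reused slot could hold anything the program (or an attacker-influenced allocation) placed there, which is why a stale read is a security bug and not just a logic error. Generational handles, reference counting, and clearing pointers at the point of release are the usual defensive answers, and sanitizers such as AddressSanitizer catch the unchecked variant during testing.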
Mozilla hasn't shared details about the exploit, and it is unclear how widespread it was. There have been few reports, perhaps because more admins leave auto-updates enabled than expected.
Use-after-free vulnerabilities are common in applications. In 2023 they topped the US Cybersecurity and Infrastructure Security Agency’s catalogue of known exploited vulnerabilities, while MITRE’s broader list places them fourth.