Critical Firefox Zero-Day Vulnerability Stems from Single-Character Typo
A critical Remote Code Execution (RCE) vulnerability in Mozilla Firefox was recently identified, originating from a single-character typographical error in the SpiderMonkey JavaScript engine’s WebAssembly garbage collection code. This flaw, introduced on January 19, 2026, was discovered by security researcher Erge while examining the Firefox 149 Nightly source code.
The Typographical Error
The vulnerability was introduced during a refactoring process in the WebAssembly garbage collection (GC) array metadata. Specifically, a developer mistakenly used the bitwise AND operator (`&`) instead of the intended bitwise OR operator (`|`) in the following line of code:
“`cpp
oolHeaderOld->word = uintptr_t(oolHeaderNew) & 1;
“`
The correct implementation should have been:
“`cpp
oolHeaderOld->word = uintptr_t(oolHeaderNew) | 1;
“`
This subtle error led to the storage of zero instead of the intended forwarding pointer with its least significant bit set. As a result, the garbage collector misidentified out-of-line (OOL) WebAssembly arrays as inline (IL) arrays, leading to improper memory handling and potential memory corruption.
Technical Implications
The flaw resides in SpiderMonkey’s WebAssembly GC implementation, particularly affecting the `WasmArrayObject::obj_moved()` function. This function is invoked when the garbage collector relocates WebAssembly arrays in memory. Due to the typo, the forwarding pointer was incorrectly set to zero, causing the `isDataInline()` function to misinterpret the array type:
“`cpp
return (headerWord & 1) == 0;
“`
This misinterpretation led to the garbage collector mishandling memory references, creating a use-after-free (UAF) condition. Such conditions can be exploited by attackers to achieve arbitrary code execution within the Firefox renderer process.
Exploitation Process
Erge developed a proof-of-concept exploit demonstrating the vulnerability’s potential impact. The exploitation process involved:
1. Triggering a minor garbage collection to store zero in the forwarding pointer.
2. The Just-In-Time (JIT) compiler’s `wasm::Instance::updateFrameForMovingGC` function misidentifying the array as inline due to the zero forwarding pointer.
3. The function returning the old array address instead of the new one, preventing stack frame updates.
4. Creating a use-after-free condition as the JIT compiler continued using the freed array memory.
5. Performing heap spraying with specific values to reclaim freed memory.
6. Achieving arbitrary read/write capabilities by controlling the interpreted OOL array base address.
7. Bypassing Address Space Layout Randomization (ASLR) by spraying objects containing binary-relative pointers.
8. Overwriting a virtual table (vtable) to hijack the instruction pointer and execute arbitrary system commands.
The final exploit successfully spawned a shell (`/bin/sh`) by invoking the system() function, demonstrating the severity of the vulnerability.
Disclosure and Patching Timeline
The vulnerability disclosure and patching process unfolded as follows:
– January 19, 2026: Vulnerability introduced via commit fcc2f20e35ec.
– February 3, 2026: An independent researcher filed bug 2013739.
– February 3, 2026: Erge filed bug 2014014 within 72 hours of the independent report.
– February 9, 2026: Vulnerability fixed via commit 05ffcde.
– February 11, 2026: Security bounty granted and split between both researchers.
Notably, the vulnerability only affected Firefox 149 Nightly builds and did not reach any stable release versions, preventing widespread exploitation. Mozilla’s security team responded promptly to patch the flaw, and both researchers received recognition and rewards for their contributions.
Recommendations for Users
While this specific vulnerability did not impact stable releases, it underscores the importance of regular software updates and vigilance in code review processes. Users are advised to:
– Keep Software Updated: Regularly update browsers and other software to the latest versions to benefit from security patches.
– Participate in Beta Testing: Engage with beta or nightly builds to help identify and report potential issues before they reach stable releases.
– Report Anomalies: Promptly report any unusual behavior or potential vulnerabilities to the software maintainers.
By staying proactive and informed, users can contribute to a more secure software ecosystem and mitigate the risks associated with such vulnerabilities.
