What happened
A critical remote code execution vulnerability was found in SpiderMonkey, the JavaScript engine in Mozilla Firefox. It stemmed from a single-character typo: a developer used the bitwise AND operator (“&”) instead of OR (“|”) in WebAssembly garbage collection code. The flaw, discovered by security researcher Erge, caused memory corruption by incorrectly tagging relocated arrays, creating a use-after-free condition that allowed arbitrary read/write access and execution of system commands. The vulnerability affected Firefox 149 Nightly builds, where the researcher demonstrated full exploitation by spawning a shell. It was fixed quickly after disclosure and never reached stable release versions.
Who is affected
Users running vulnerable Mozilla Firefox Nightly builds, specifically Firefox 149 Nightly, were affected. Mozilla patched the flaw before it reached stable release versions.
Why CISOs should care
The vulnerability demonstrates how low-level memory handling flaws in browser engines can enable arbitrary code execution, highlighting risks associated with widely deployed software used across enterprise environments.
3 practical actions
- Update Firefox Nightly builds immediately. Ensure all systems use patched versions that include Mozilla’s security fix.
- Restrict use of unstable browser builds. Limit Nightly or experimental browser versions in enterprise environments.
- Monitor systems for exploitation indicators. Review endpoint activity for signs of abnormal browser behavior or unauthorized code execution.
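
One way to act on the third item, as an added example that is not part of the original article or Mozilla's guidance: flag process-creation events where a Firefox process is the parent of a command shell, the outcome the researcher demonstrated. The event schema (`host`, `parent`, `image`, `cmdline`), the sample events and the two name sets are assumptions to adapt to your own EDR or audit log export.

```python
import json
import re

# Constructed sample process-creation events (hypothetical schema, one JSON object per line).
SAMPLE_EVENTS = r"""
{"host": "ws-014", "parent": "/usr/lib/firefox-nightly/firefox", "image": "/usr/lib/firefox-nightly/firefox", "cmdline": "firefox -contentproc -childID 3"}
{"host": "ws-014", "parent": "/usr/lib/firefox-nightly/firefox", "image": "/bin/sh", "cmdline": "sh -c id"}
{"host": "ws-022", "parent": "C:\\Program Files\\Firefox Nightly\\firefox.exe", "image": "C:\\Windows\\System32\\cmd.exe", "cmdline": "cmd.exe /c whoami"}
{"host": "ws-022", "parent": "C:\\Windows\\explorer.exe", "image": "C:\\Windows\\System32\\cmd.exe", "cmdline": "cmd.exe"}
{"host": "ws-031", "parent": "/usr/lib/firefox/firefox", "image": "/usr/lib/firefox/crashreporter", "cmdline": "crashreporter"}
not-json garbage line
"""

# Assumed name lists; extend them for the browsers and shells in your fleet.
BROWSER_NAMES = {"firefox", "firefox.exe", "firefox-bin"}
SHELL_NAMES = {"sh", "bash", "dash", "zsh", "cmd.exe", "powershell.exe", "pwsh", "pwsh.exe"}


def basename(path):
    # Split on both separators so Windows paths parse correctly on any OS.
    return re.split(r"[\\/]", path)[-1].lower()


def suspicious_children(lines):
    """Return (hits, skipped): browser-spawned shells and the count of unparsable lines."""
    hits, skipped = [], 0
    for line in lines:
        line = line.strip()
        if not line:
            continue
        try:
            event = json.loads(line)
            parent, child = basename(event["parent"]), basename(event["image"])
        except (ValueError, KeyError, TypeError):
            skipped += 1  # malformed or incomplete record: count it, do not crash
            continue
        # The browser's own content processes and helpers are not shells, so they pass.
        if parent in BROWSER_NAMES and child in SHELL_NAMES:
            hits.append((event.get("host", "?"), child, event.get("cmdline", "")))
    return hits, skipped


if __name__ == "__main__":
    found, bad = suspicious_children(SAMPLE_EVENTS.splitlines())
    for host, child, cmdline in found:
        print(f"{host}: firefox spawned {child}: {cmdline}")
    print(f"{bad} line(s) skipped as unparsable")
```

Treat hits as leads for triage rather than verdicts, and track the skipped count so that a broken log feed does not pass as a clean result.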
