A memory corruption flaw in Firefox's WebAssembly engine went undetected for half a year, enabling potential arbitrary code execution across over 180 million devices.
Security researchers at AISLE uncovered CVE-2025-13016, a high-severity stack buffer overflow vulnerability in Mozilla Firefox's handling of WebAssembly arrays. The flaw, introduced in April 2025, stemmed from a subtle pointer arithmetic error that bypassed code review, automated tests, and shipped unnoticed in Firefox versions 143 through early 145 and Firefox ESR versions prior to 140.5. Despite a regression test being included alongside the vulnerable code, the issue escaped detection until AISLE flagged it in October.
The vulnerability originates from a single misused line in the StableWasmArrayObjectElements template class, where a std::copy operation misinterprets pointer types. Specifically, the copy operation incorrectly mixes uint8_t* and uint16_t* pointers, causing the number of copied elements to be miscalculated when the template type is larger than a byte. This led to overwriting memory beyond the bounds of a stack-allocated buffer, opening a pathway for attackers to execute arbitrary code.
To make matters worse, the copy operation sourced data from an incorrect location. The method used, inlineStorage(), pointed to a region that began with metadata rather than raw array elements. This meant the first 8 bytes written were control headers, further corrupting memory. The bug was located in the js/src/wasm/WasmGcObject.h file and triggered during WebAssembly garbage collection when converting character arrays to strings, particularly under memory pressure conditions that forced fallback memory allocations.
Mozilla Firefox is a widely used open-source browser with a global user base exceeding 180 million monthly active users. Its WebAssembly (Wasm) engine allows near-native performance for web applications and has become a vital component of modern web computing.
This vulnerable fallback path could be abused in real-world attack scenarios by coercing Firefox into triggering garbage collection while handling specially crafted WebAssembly arrays. Under memory pressure, a condition attackers can artificially create in modern browsers, the engine falls back to the flawed copy mechanism, creating a reliable opportunity to corrupt memory. In a practical exploit chain, this overflow could be used as a stepping stone for sandbox escape or remote code execution, particularly in targeted attacks against high-value users or systems running unpatched Firefox versions.
Mozilla responded rapidly once the issue was reported. The vulnerability was identified on October 2, triaged and confirmed by October 14, and patched the following day by Yury Delendik. The fix involved replacing the incorrect pointer logic with a safer approach using a newly introduced helper, inlineArrayElements(), ensuring proper typing and correct offsets. This change prevented overflows and avoided copying metadata by accessing the actual data segment directly.
Mozilla's internal memory sanitizers confirmed the overflow post-disclosure, demonstrating the vulnerability's real-world exploitability.
Users are strongly advised to upgrade to Firefox 145 or Firefox ESR 140.5 or later, as earlier versions remain vulnerable.
Leave a Reply