
Security researcher Erge discovered the flaw while examining the Firefox 149 Nightly source code for inspiration for a CTF challenge and successfully exploited it to gain code execution within the Firefox renderer process.
The vulnerability was introduced in commit fcc2f20e35ec during refactoring of WebAssembly GC array metadata in the file js/src/wasm/WasmGcObject.cpp. The problematic line read `oolHeaderOld->word = uintptr_t(oolHeaderNew) & 1;` when it should have been `oolHeaderOld->word = uintptr_t(oolHeaderNew) | 1;`.
Due to pointer alignment, the bitwise AND operation with 1 always evaluates to 0, causing the code to store zero instead of the intended forwarding pointer with its least significant bit set.
This single-character mistake created a memory-corruption vulnerability by incorrectly tagging out-of-line (OOL) WebAssembly arrays as inline (IL) arrays, causing the garbage collector to mishandle memory references.
Firefox RCE Vulnerability
The bug exists in SpiderMonkey’s WebAssembly GC implementation and specifically affects the WasmArrayObject::obj_moved() function, which is called when the garbage collector moves Wasm arrays between memory locations.
When an OOL array is relocated, the GC must leave a forwarding pointer in the old buffer’s header so Ion (SpiderMonkey’s JIT compiler) can find the data’s new location. The forwarding pointer is distinguished from normal headers by setting its LSB to 1.
The typo caused the forwarding pointer to be set to 0, which inadvertently satisfied the condition for identifying an array as inline in the isDataInline() function: `return (headerWord & 1) == 0;`.
This vulnerability is only triggerable within WebAssembly functions optimized by Ion, as the mechanism doesn’t exist in the Baseline compiler.
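The tagging mistake in a small C model, added here as an illustration rather than SpiderMonkey's own code (the names OolHeader, tag_forwarding_buggy, tag_forwarding_fixed, is_data_inline, forwarded_target and misclassified_after_move are hypothetical stand-ins): it shows that `& 1` on an aligned buffer address always yields 0, that this zero passes the isDataInline() test, and that `| 1` both tags the header and preserves the forwarding pointer.

```c
#include <stdint.h>
#include <stdio.h>

/* Hypothetical model of the OOL buffer header described above (not SpiderMonkey code). */
typedef struct OolHeader {
    uintptr_t word;  /* normal header word, or a forwarding pointer with its LSB set */
} OolHeader;

/* The isDataInline() rule quoted on the page: a clear LSB means "inline". */
int is_data_inline(uintptr_t header_word) {
    return (header_word & 1) == 0;
}

/* The buggy line: an aligned buffer address has LSB 0, so (addr & 1) is always 0. */
void tag_forwarding_buggy(OolHeader *old_buf, OolHeader *new_buf) {
    old_buf->word = (uintptr_t)new_buf & 1;
}

/* The intended line: keep the address and set the LSB as the forwarding tag. */
void tag_forwarding_fixed(OolHeader *old_buf, OolHeader *new_buf) {
    old_buf->word = (uintptr_t)new_buf | 1;
}

/* Recover the new buffer's address from a tagged forwarding header. */
OolHeader *forwarded_target(const OolHeader *old_buf) {
    return (OolHeader *)(old_buf->word & ~(uintptr_t)1);
}

/* Simulate a GC move with the given tagging routine; returns 1 if the moved OOL
 * array is now wrongly classified as inline, 0 otherwise. */
int misclassified_after_move(void (*tag)(OolHeader *, OolHeader *)) {
    OolHeader old_buf = {0}, new_buf = {0};  /* naturally aligned, so LSB of address is 0 */
    tag(&old_buf, &new_buf);
    return is_data_inline(old_buf.word);
}

/* With the fixed tagging, the forwarding pointer round-trips to the new buffer. */
int fixed_recovers_target(void) {
    OolHeader old_buf = {0}, new_buf = {0};
    tag_forwarding_fixed(&old_buf, &new_buf);
    return forwarded_target(&old_buf) == &new_buf;
}

int main(void) {
    printf("buggy '&' tagging -> classified inline? %d\n", misclassified_after_move(tag_forwarding_buggy));
    printf("fixed '|' tagging -> classified inline? %d\n", misclassified_after_move(tag_forwarding_fixed));
    printf("fixed tag recovers new buffer? %d\n", fixed_recovers_target());
    return 0;
}
```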
The researcher Erge developed a proof-of-concept exploit that achieved arbitrary read/write primitives and full RCE through the following steps:
- Triggered a minor garbage collection, causing 0 to be stored in the forwarding pointer
- Ion’s `wasm::Instance::updateFrameForMovingGC` function incorrectly identified the array as inline due to the zero forwarding pointer
- The function returned the old array address instead of the new one, preventing stack frame updates
- Created a use-after-free (UAF) condition as Ion continued using the freed array memory
- Performed heap spraying with values like 0x41414141 to reclaim freed memory
- Achieved arbitrary read/write by controlling the interpreted OOL array base address
- Bypassed ASLR by spraying objects containing binary-relative pointers
- Overwrote a vtable to hijack RIP and execute arbitrary system commands
The final exploit successfully spawned a shell (/bin/sh) by calling the system() function.
Disclosure and Patching Timeline
The vulnerability disclosure followed a rapid timeline:
| Event | Date |
|---|---|
| Vulnerability introduced via commit fcc2f20e35ec | January 19, 2026 |
| Independent researcher filed bug 2013739 | February 3, 2026 (estimated) |
| Erge filed bug 2014014 within 72 hours | February 3, 2026 |
| Vulnerability fixed via commit 05ffcde | February 9, 2026 |
| Security bounty granted and split | February 11, 2026 |
The vulnerability only affected Firefox 149 Nightly builds and never reached any release version, preventing widespread exploitation. Mozilla’s security team responded quickly to patch the flaw, and both security researchers who independently discovered the bug received split bounty rewards.
The post Single-Character Typo of “&” Instead of “|” Leads to 0-Day RCE in Firefox appeared first on Cyber Security News.
