Security researcher Erge discovered the flaw while examining the Firefox 149 Nightly source code for inspiration for a CTF challenge and successfully exploited it to gain code execution within the Firefox renderer process.
The vulnerability was introduced in commit fcc2f20e35ec during refactoring of WebAssembly GC array metadata in the file `js/src/wasm/WasmGcObject.cpp`. The problematic line read `oolHeaderOld->word = uintptr_t(oolHeaderNew) & 1;` when it should have been `oolHeaderOld->word = uintptr_t(oolHeaderNew) | 1;`.
Due to pointer alignment, the bitwise AND operation with 1 always evaluates to 0, causing the code to store zero instead of the intended forwarding pointer with its least significant bit set.
This single-character mistake created a memory-corruption vulnerability by incorrectly tagging out-of-line (OOL) WebAssembly arrays as inline (IL) arrays, causing the garbage collector to mishandle memory references.
The bug exists in SpiderMonkey’s WebAssembly GC implementation and specifically affects the WasmArrayObject::obj_moved() function, which is called when the garbage collector moves Wasm arrays between memory locations.
When an OOL array is relocated, the GC must leave a forwarding pointer in the old buffer’s header so Ion (SpiderMonkey’s JIT compiler) can find the data’s new location. The forwarding pointer is distinguished from normal headers by setting its LSB to 1.
The typo caused the forwarding pointer to be set to 0, which inadvertently satisfied the condition for identifying an array as inline in the `isDataInline()` function: `return (headerWord & 1) == 0;`.
This vulnerability is only triggerable within WebAssembly functions optimized by Ion, as the mechanism doesn’t exist in the Baseline compiler.
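A small C model of the header-tagging mechanism described above, added here as an illustration and not SpiderMonkey's own code: the struct, the function names and the `simulate_move` driver are assumptions. It contrasts the `& 1` write from the original commit with the `| 1` fix and shows how the `isDataInline()` check then classifies the old header.

```c
#include <stdbool.h>
#include <stdint.h>
/* Hypothetical model (names are assumptions, not SpiderMonkey's) of the OOL
 * array header discussed above: after a GC move, the first word is either a
 * normal header (LSB 0) or a forwarding pointer tagged by setting LSB to 1. */
typedef struct { uintptr_t word; } OolHeader;

/* Form from the original commit: an aligned pointer has LSB 0, so `& 1`
 * discards the pointer entirely and stores 0. */
static void leave_forwarding_buggy(OolHeader *oolHeaderOld, const OolHeader *oolHeaderNew) {
    oolHeaderOld->word = (uintptr_t)oolHeaderNew & 1;
}

/* Fixed form: `| 1` keeps the pointer bits and sets the tag bit. */
static void leave_forwarding_fixed(OolHeader *oolHeaderOld, const OolHeader *oolHeaderNew) {
    oolHeaderOld->word = (uintptr_t)oolHeaderNew | 1;
}

/* The predicate quoted in the article: an inline (IL) array has a clear LSB. */
static bool is_data_inline(uintptr_t headerWord) {
    return (headerWord & 1) == 0;
}

/* Strip the tag bit to recover the forwarding target (only valid when tagged). */
static const OolHeader *forwarding_target(uintptr_t headerWord) {
    return (const OolHeader *)(headerWord & ~(uintptr_t)1);
}

/* Simulate one relocation and return the word left in the old (freed) header. */
static uintptr_t simulate_move(bool use_buggy_variant) {
    static OolHeader oldBuffer, newBuffer;   /* static: stable, aligned addresses */
    if (use_buggy_variant)
        leave_forwarding_buggy(&oldBuffer, &newBuffer);
    else
        leave_forwarding_fixed(&oldBuffer, &newBuffer);
    return oldBuffer.word;
}

/* true means the GC would now treat the freed OOL buffer as an inline array. */
static bool old_header_reads_as_inline(bool use_buggy_variant) {
    return is_data_inline(simulate_move(use_buggy_variant));
}

/* With the fix, the tagged word still decodes back to the new buffer. */
static bool fixed_variant_recovers_target(void) {
    static OolHeader oldBuffer, newBuffer;
    leave_forwarding_fixed(&oldBuffer, &newBuffer);
    return forwarding_target(oldBuffer.word) == &newBuffer;
}
```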
The researcher Erge developed a proof-of-concept exploit that achieved arbitrary read/write primitives and full RCE through the following steps:
- The `wasm::Instance::updateFrameForMovingGC` function incorrectly identified the array as inline due to the zero forwarding pointer.
- … 0x41414141 to reclaim freed memory.
- The final exploit successfully spawned a shell (`/bin/sh`) by calling the `system()` function.
The vulnerability disclosure followed a rapid timeline:
| Event | Date |
|---|---|
| Vulnerability introduced via commit fcc2f20e35ec | January 19, 2026 |
| Independent researcher filed bug 2013739 | February 3, 2026 (estimated) |
| Erge filed bug 2014014 within 72 hours | February 3, 2026 |
| Vulnerability fixed via commit 05ffcde | February 9, 2026 |
| Security bounty granted and split | February 11, 2026 |
The vulnerability only affected Firefox 149 Nightly builds and never reached any release version, preventing widespread exploitation. Mozilla’s security team responded quickly to patch the flaw, and both security researchers who independently discovered the bug received split bounty rewards.
The post Single-Character Typo of “&” Instead of “|” Leads to 0-Day RCE in Firefox appeared first on Cyber Security News.