CVE-2019-17026
published 2020-03-02

Priority: P1 · 84 · high
CVSS 3.1: 8.8 (AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H)
Tags: KEV · ITW · EXPLOIT
CISA Known Exploited Vulnerability, due 2022-05-03
Exploited in the wild
EPSS: 46.59% (98.7th percentile)
Incorrect alias information in IonMonkey JIT compiler for setting array elements could lead to a type confusion. We are aware of targeted attacks in the wild abusing this flaw. This vulnerability affects Firefox ESR < 68.4.1, Thunderbird < 68.4.1, and Firefox < 72.0.1.

Affected

17 ranges
| Vendor | Product | Version range | Fixed in |
|---|---|---|---|
| canonical | ubuntu_linux | | |
| debian | firefox | < firefox 72.0.1-1 (sid) | firefox 72.0.1-1 (sid) |
| debian | firefox-esr | < firefox 72.0.1-1 (sid) | firefox 72.0.1-1 (sid) |
| debian | thunderbird | < firefox 72.0.1-1 (sid) | firefox 72.0.1-1 (sid) |
| mozilla | firefox | < 68.4.1 | 68.4.1 |
| mozilla | firefox | < 72.0.1 | 72.0.1 |
| mozilla | firefox | | |
| mozilla | firefox | >= unspecified < 72.0.1 | 72.0.1 |
| mozilla | firefox_esr | >= unspecified < 68.4.1 | 68.4.1 |
| mozilla | thunderbird | < 68.4.1 | 68.4.1 |
| mozilla | thunderbird | >= 0 < 1:68.4.1-1 | 1:68.4.1-1 |
| mozilla | thunderbird | >= 0 < 1:68.4.1-1 | 1:68.4.1-1 |
| mozilla | thunderbird | >= 0 < 1:68.4.1-1 | 1:68.4.1-1 |
| mozilla | thunderbird | >= 0 < 1:68.4.1-1 | 1:68.4.1-1 |
| mozilla | thunderbird | >= 0 < 1:68.7.0+build1-0ubuntu0.16.04.2 | 1:68.7.0+build1-0ubuntu0.16.04.2 |
| mozilla | thunderbird | >= 0 < 1:68.4.1+build1-0ubuntu0.18.04.1 | 1:68.4.1+build1-0ubuntu0.18.04.1 |
| mozilla | thunderbird | >= unspecified < 68.4.1 | 68.4.1 |

Detection & IOCs (extracted from sources)

version: Firefox < 72.0.1
version: Firefox ESR < 68.4.1
version: Thunderbird < 68.4.1
  • CVE-2019-17026 is exploited via a type confusion in the IonMonkey JIT compiler when setting array elements; detect suspicious Firefox/Thunderbird processes spawning child processes or executing shellcode via ROP chains, particularly on Windows 10 x64 systems.
  • CVE-2019-17026 is a type confusion vulnerability that allows an attacker to read data from or write data to memory locations that are normally closed off; monitor Firefox content process memory for anomalous array element type coercions in JIT-compiled code.
  • Exploit technique for CVE-2019-17026 involves heap grooming to line up ArrayBuffers in memory and corrupting ArrayBuffer length to achieve OOB read/write primitives; monitor for anomalous heap layout manipulation in Firefox content processes.
  • CVE-2019-17026 exploitation was observed in the wild as a zero-day; treat any unpatched Firefox/Thunderbird instance below the fixed versions as actively targeted.
  • Hardware Enhanced Exploit Detection for ROP chains (as used in CVE-2019-17026 exploitation) requires Intel CPU 6th generation or newer running Windows 10 RS4 or later; older hardware will not benefit from this detection capability.

CVSS provenance

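| Source | Version | Score | Severity | Vector |
|---|---|---|---|---|
| nvd | v3.1 | 8.8 | HIGH | CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H |
| nvd | v2.0 | 6.8 | MEDIUM | AV:N/AC:M/Au:N/C:P/I:P/A:P |
| osv | | 8.8 | HIGH | |
| vulncheck | | 8.8 | HIGH | |
| cisa | | 8.8 | HIGH | |
| vendor_debian | | 8.8 | HIGH | |
| vendor_redhat | | 8.8 | HIGH | |
| vendor_ubuntu | | 8.8 | HIGH | |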