CVE-2019-9813
published 2019-04-26

Priority: P3 57 · high · 8.8 (CVSS 3.0)
Vector: AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H
EXPLOIT
EPSS: 7.39% (93.7th percentile)
Incorrect handling of __proto__ mutations may lead to type confusion in IonMonkey JIT code and can be leveraged for arbitrary memory read and write. This vulnerability affects Firefox < 66.0.1, Firefox ESR < 60.6.1, and Thunderbird < 60.6.1.

Affected (11 ranges)

Vendor  | Product      | Version range                                  | Fixed in
debian  | firefox      | < firefox 66.0.1-1 (sid)                       | firefox 66.0.1-1 (sid)
debian  | firefox-esr  | < firefox 66.0.1-1 (sid)                       | firefox 66.0.1-1 (sid)
mozilla | firefox      | < 60.6.1                                       | 60.6.1
mozilla | firefox      | < 66.0.1                                       | 66.0.1
mozilla | firefox      | >= unspecified < 66.0.1                        | 66.0.1
mozilla | firefox_esr  | >= unspecified < 60.6.1                        | 60.6.1
mozilla | thunderbird  | < 60.6.1                                       | 60.6.1
mozilla | thunderbird  | >= 0 < 1:60.6.1+build2-0ubuntu0.14.04.1        | 1:60.6.1+build2-0ubuntu0.14.04.1
mozilla | thunderbird  | >= 0 < 1:60.6.1+build2-0ubuntu0.16.04.1        | 1:60.6.1+build2-0ubuntu0.16.04.1
mozilla | thunderbird  | >= 0 < 1:60.6.1+build2-0ubuntu0.18.04.1        | 1:60.6.1+build2-0ubuntu0.18.04.1
mozilla | thunderbird  | >= unspecified < 60.6.1                        | 60.6.1

Detection & IOCs (extracted from sources)

Quoted snippets from the public proof of concept (exploit fragments, reproduced as found; `ab` in the second snippet is an ArrayBuffer defined elsewhere in the PoC):
  function hax(o, changeProto) { if (changeProto) { o.p = 42; o.__proto__ = {}; } o.p = 13.37; return o; }
  let y = {slots: 13.37, elements: 13.38, buffer: ab, length: 13.39, byteOffset: 13.40, data: 3.54484805889626e-310};
  • Look for JavaScript that reassigns `__proto__` inside a JIT-compiled function between two writes to the same property with different types: an integer write, the `__proto__` reassignment, then a float write (e.g. `o.p = <int>; o.__proto__ = {}; o.p = <float>;`). IonMonkey's type inference does not account for the prototype change, so the later float write is emitted against the stale integer type; this sequence is the core trigger for the type confusion.
  • Detect exploit attempts that build a plain object shaped like a Uint8Array, with controlled float values in slots named after the array's internal fields (e.g. slots: 13.37, elements: 13.38, data: 3.54484805889626e-310); once the confused JIT code treats that object as a real Uint8Array, the doubles overlap its pointer and length fields and give arbitrary memory read/write.
  • The vulnerability is exploitable in browser and browser-like contexts via a specially crafted website. Monitor for Firefox/Thunderbird versions below the fixed thresholds: Firefox < 66.0.1, Firefox ESR < 60.6.1, Thunderbird < 60.6.1.
  • In debug SpiderMonkey builds, the exploit triggers a crash with the assertion 'Missing type in object ... p: float' at js/src/vm/TypeInference.cpp:265. This assertion message can be used as a signature in crash telemetry or fuzzing harnesses.
  • Thunderbird is generally not exploitable via email because scripting is disabled when reading mail; exploitation risk is limited to browser or browser-like contexts.
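The checks above can be turned into a triage script. The following is an added example written by the editor, not code from cvebase or from the Mozilla bug report: it scans captured JavaScript for the two source-level indicators (the int / `__proto__` / float write sequence on one object, and an object literal whose keys mimic a typed array's internal fields with float values) and gates a product version against the fixed releases. The regexes are deliberately loose heuristics rather than a parser, the product keys in `FIXED_IN` are this example's own naming, and every sample input is constructed inline (the two snippets are the IOCs quoted on this page).

```javascript
// Added example by the editor, not code from cvebase or from the Mozilla bug report.
// Heuristic checks for the two source-level indicators above plus a version gate
// against the fixed releases. The regexes are a triage aid for captured JavaScript,
// not a parser. All sample inputs are constructed (the two snippets are this
// page's quoted IOCs).

// Fixed releases from the advisory text; product keys are this example's own naming.
const FIXED_IN = { firefox: "66.0.1", firefox_esr: "60.6.1", thunderbird: "60.6.1" };

function parseVersion(v) {
  return v.split(".").map((part) => parseInt(part, 10) || 0);
}

// True when `version` is strictly below the fixed release for `product`.
function isVulnerableVersion(product, version) {
  const fixed = parseVersion(FIXED_IN[product]);
  const got = parseVersion(version);
  const n = Math.max(fixed.length, got.length);
  for (let i = 0; i < n; i++) {
    const a = got[i] || 0;
    const b = fixed[i] || 0;
    if (a !== b) return a < b;
  }
  return false; // equal to the fixed release
}

// Classify a literal found on the right-hand side of an assignment or in an object literal.
function literalKind(text) {
  const t = text.trim();
  if (/^-?\d+$/.test(t)) return "int";
  if (/^-?\d+\.\d+(e[-+]?\d+)?$/i.test(t)) return "float";
  return "other";
}

// Indicator 1: for one object, `o.p = <int>` ... `o.__proto__ = ...` ... `o.p = <float>`.
// Walks `obj.prop = value;` statements in source order and returns every
// (object, property) pair that completes that sequence.
function findProtoTypeConfusion(src) {
  const assignRe = /\b([A-Za-z_$][\w$]*)\.([A-Za-z_$][\w$]*)\s*=\s*([^;]+);/g;
  const state = new Map(); // object name -> { intProps: Set<string>, protoChanged: bool }
  const hits = [];
  let m;
  while ((m = assignRe.exec(src)) !== null) {
    const [, obj, prop, rhs] = m;
    const s = state.get(obj) || { intProps: new Set(), protoChanged: false };
    if (prop === "__proto__") {
      s.protoChanged = true;
    } else {
      const kind = literalKind(rhs);
      if (kind === "int") {
        s.intProps.add(prop);
      } else if (kind === "float" && s.protoChanged && s.intProps.has(prop)) {
        hits.push({ object: obj, property: prop });
      }
    }
    state.set(obj, s);
  }
  return hits;
}

// Indicator 2: an object literal whose keys mimic a typed array's internal fields and
// whose values are float literals (doubles standing in for pointers and lengths).
// Returns the overlapping field names of the strongest match, or [] when fewer than `min`.
const TYPED_ARRAY_FIELDS = ["slots", "elements", "buffer", "length", "byteOffset", "data"];

function findFakeTypedArrayLiteral(src, min = 3) {
  const literalRe = /\{([^{}]*)\}/g; // flat literals only; nested braces are skipped
  let best = [];
  let m;
  while ((m = literalRe.exec(src)) !== null) {
    const fields = [];
    for (const pair of m[1].split(",")) {
      const kv = pair.split(":");
      if (kv.length !== 2) continue;
      const key = kv[0].trim();
      if (TYPED_ARRAY_FIELDS.includes(key) && literalKind(kv[1]) === "float") fields.push(key);
    }
    if (fields.length >= min && fields.length > best.length) best = fields;
  }
  return best;
}

// Combined verdict for one captured script.
function scan(src) {
  return {
    protoConfusion: findProtoTypeConfusion(src),
    fakeTypedArrayFields: findFakeTypedArrayLiteral(src),
  };
}

// Constructed sample inputs: the two IOC snippets quoted on this page, plus a benign control
// that writes int then float to the same property without touching __proto__.
const SAMPLE_TRIGGER =
  "function hax(o, changeProto) { if (changeProto) { o.p = 42; o.__proto__ = {}; } o.p = 13.37; return o; }";
const SAMPLE_FAKE =
  "let y = {slots: 13.37, elements: 13.38, buffer: ab, length: 13.39, byteOffset: 13.40, data: 3.54484805889626e-310};";
const SAMPLE_BENIGN = "o.p = 42; o.p = 13.37; let z = {length: 2.5, data: 0.5};";

console.log(scan(SAMPLE_TRIGGER + "\n" + SAMPLE_FAKE));
console.log(scan(SAMPLE_BENIGN));
console.log("Firefox 66.0 vulnerable:", isVulnerableVersion("firefox", "66.0"));
```

Run it with `node` on a file containing the script; for real triage, feed `scan()` the deobfuscated body of each script a proxy or sandbox captured, and treat a non-empty `protoConfusion` together with a multi-field `fakeTypedArrayFields` hit as a strong signal, since the benign control shows that either pattern alone (an int-then-float write without a prototype change, or a literal with only one or two typed-array-like keys) is common in ordinary code.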

CVSS provenance

Source        | Version | Score | Severity | Vector
nvd           | v3.0    | 8.8   | HIGH     | CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H
nvd           | v2.0    | 6.8   | MEDIUM   | AV:N/AC:M/Au:N/C:P/I:P/A:P
osv           |         | 8.8   | HIGH     |
vendor_debian |         | 8.8   | HIGH     |
vendor_redhat |         | 8.8   | HIGH     |
vendor_ubuntu |         | 5.9   | MEDIUM   |