CVE-2020-26950
published 2020-12-09

Priority: P2 (67)
Severity: high, 8.8 (CVSS 3.1)
Vector: AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H
Exploit: public exploit available
EPSS: 42.60% (98.5th percentile)
In certain circumstances, the MCallGetProperty opcode can be emitted with unmet assumptions resulting in an exploitable use-after-free condition. This vulnerability affects Firefox < 82.0.3, Firefox ESR < 78.4.1, and Thunderbird < 78.4.2.

Affected

11 ranges

Vendor  | Product     | Version range              | Fixed in
debian  | firefox     | < firefox 82.0.3-1 (sid)   | firefox 82.0.3-1 (sid)
debian  | firefox-esr | < firefox 82.0.3-1 (sid)   | firefox 82.0.3-1 (sid)
debian  | thunderbird | < firefox 82.0.3-1 (sid)   | firefox 82.0.3-1 (sid)
mozilla | firefox     | < 82.0.3                   | 82.0.3
mozilla | firefox     |                            |
mozilla | firefox_esr | < 78.4.1                   | 78.4.1
mozilla | thunderbird | < 78.4.2                   | 78.4.2
mozilla | thunderbird | >= 0 < 1:78.4.2-1          | 1:78.4.2-1
mozilla | thunderbird | >= 0 < 1:78.4.2-1          | 1:78.4.2-1
mozilla | thunderbird | >= 0 < 1:78.4.2-1          | 1:78.4.2-1
mozilla | thunderbird | >= 0 < 1:78.4.2-1          | 1:78.4.2-1

Detection & IOCs (extracted from sources)

command: MOZ_DISABLE_CONTENT_SANDBOX
version: Firefox < 82.0.3
version: Firefox ESR < 78.4.1
version: Thunderbird < 78.4.2
  • Exploit technique involves spraying ArgumentsData structures to construct read/write/addrof primitives — unusual high-volume allocation of arguments objects in JIT-compiled functions may indicate exploitation.
  • Shellcode is embedded as floating-point constants in a JIT-sprayed function; the marker constant 0x41414141 (5.40900888e-315) is used to locate the shellcode start in the RX region — scan JIT memory regions for this byte pattern.
  • Code execution is achieved by overwriting the JSFunction.u.native.extra.jitInfo_ pointer (at offset +0x30 from the function object) to redirect execution to attacker-controlled JIT-sprayed shellcode constants.
  • Exploit requires Firefox to be launched with MOZ_DISABLE_CONTENT_SANDBOX set; detection of this environment variable in Firefox process launch arguments is a strong indicator of sandbox-disabled exploitation.
  • Metasploit module 'exploits/multi/browser/firefox_jit_use_after_free' targets Firefox <= 79; detection of this module's network traffic or process behavior can identify active exploitation attempts.
  • The exploit does NOT include a sandbox escape; it only works when the Firefox content sandbox is disabled via MOZ_DISABLE_CONTENT_SANDBOX. Sandboxed Firefox instances are not directly exploitable by this PoC.
  • The vulnerable IonMonkey JIT engine was deprecated within a month of the vulnerability's discovery in favour of WarpMonkey, limiting the affected version window to Firefox <= 82.0.2 / ESR <= 78.4.0 / Thunderbird <= 78.4.1.
  • The Metasploit module only supports Firefox <= 79 as a tested target; additional engineering effort is required to reliably exploit Firefox 82.0.x builds.

CVSS provenance

Source        | Version | Score | Severity | Vector
nvd           | v3.1    | 8.8   | HIGH     | CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H
nvd           | v2.0    | 9.3   | CRITICAL | AV:N/AC:M/Au:N/C:C/I:C/A:C
osv           |         | 8.8   | HIGH     |
vendor_debian |         | 8.8   | HIGH     |
vendor_redhat |         | 8.8   | HIGH     |