CVE-2006-0293
Description
The function allocation code (js_NewFunction in jsfun.c) in Firefox 1.5 allows attackers to cause a denial of service (memory corruption) and possibly execute arbitrary code via user-defined methods that trigger garbage collection in a way that operates on freed objects.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
Affected products
- cpe:2.3:a:mozilla:firefox:1.5:*:*:*:*:*:*:*
Patches
Vulnerability mechanics
Root cause
"Missing ordering of allocations in js_NewFunction allows garbage collection to operate on freed objects."
Attack vector
An attacker can trigger memory corruption by invoking user-defined methods that cause garbage collection to run while the function allocation code still holds pointers to objects the collector then frees [ref_id=1]. The attack is network-based: a malicious web page can call crafted JavaScript methods that exploit the allocation ordering flaw. No authentication is required; the victim only needs to visit the attacker's page. The advisory notes that disabling JavaScript in the browser is impractical for most users [ref_id=1].
Affected code
The vulnerability resides in the function allocation code (`js_NewFunction` in `jsfun.c`) in Firefox 1.5. The patch reorders allocations to avoid a 'pigeon-hole problem' where garbage collection could operate on freed objects during user-defined method creation [ref_id=1].
What the fix does
The patch reorders allocations in `jsfun.c` to ensure that objects are fully initialized before they become visible to the garbage collector [ref_id=1]. This prevents the 'pigeon-hole problem' where a GC cycle could free an object that the allocation code still holds a pointer to. The fix was checked into the trunk on 2006-01-02 and subsequently landed on the 1.8 and 1.8.0 branches [ref_id=1].
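The ordering hazard described above, shown as a toy mark-and-sweep model added here for illustration; it is not SpiderMonkey's code or the actual patch. The single `newborn` root slot, the `create` function and the `fun`/`priv` names are assumptions of the model, which collects on every allocation so the outcome is deterministic.

```c
#include <stdio.h>
#include <string.h>

#define HEAP 8
typedef struct { int live, marked, child; } Obj;  /* child: heap index or -1 */
static Obj heap[HEAP];
static int newborn = -1;  /* assumed single-slot root: protects only the latest allocation */

/* Mark everything reachable from the newborn slot, then sweep the rest. */
static void gc(void) {
    for (int i = newborn; i >= 0 && heap[i].live && !heap[i].marked; i = heap[i].child)
        heap[i].marked = 1;
    for (int i = 0; i < HEAP; i++) {
        if (heap[i].live && !heap[i].marked)
            heap[i].live = 0;                     /* unreachable: freed */
        heap[i].marked = 0;
    }
}

static int alloc(void) {
    gc();                                         /* stress mode: collect on every allocation */
    for (int i = 0; i < HEAP; i++)
        if (!heap[i].live) {
            heap[i] = (Obj){ 1, 0, -1 };
            return newborn = i;                   /* displaces the previous newborn */
        }
    return -1;
}

/* Build a container (fun) pointing at a dependent object (priv), then let a
 * collection run before the caller has stored fun anywhere rooted.
 * Returns 1 if the container the caller still holds survived, 0 if it was freed. */
static int create(int container_last) {
    int fun, priv;
    memset(heap, 0, sizeof heap);
    newborn = -1;
    if (container_last) {                         /* reordered: dependent object first */
        priv = alloc();
        fun = alloc();                            /* fun owns the root slot and reaches priv */
    } else {                                      /* hazardous: container first */
        fun = alloc();
        priv = alloc();                           /* fun loses the root slot here */
    }
    heap[fun].child = priv;
    gc();                                         /* e.g. triggered by script-defined code */
    return heap[fun].live;
}

int main(void) {
    printf("container first: %d, container last: %d\n", create(0), create(1));
    return 0;
}
```

Collecting on every allocation, as the model does, is also how this class of rooting bug is usually flushed out in testing, since it removes the dependence on heap pressure.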
Preconditions
- network: The victim must visit a web page that executes attacker-controlled JavaScript.
- input: The attacker's JavaScript must define methods that trigger garbage collection during function allocation.
Generated on Jun 17, 2026. Inputs: CWE entries + fix-commit diffs from this CVE's patches. Citations validated against bundle.
References
- bugzilla.mozilla.org/show_bug.cgi (nvd, Patch)
- secunia.com/advisories/18700 (nvd)
- secunia.com/advisories/18704 (nvd)
- secunia.com/advisories/19862 (nvd)
- secunia.com/advisories/19863 (nvd)
- secunia.com/advisories/19902 (nvd)
- secunia.com/advisories/19941 (nvd)
- secunia.com/advisories/21622 (nvd)
- secunia.com/advisories/22065 (nvd)
- securitytracker.com/id (nvd)
- sunsolve.sun.com/search/document.do (nvd)
- sunsolve.sun.com/search/document.do (nvd)
- support.avaya.com/elmodocs2/security/ASA-2006-205.htm (nvd)
- www.debian.org/security/2006/dsa-1044 (nvd)
- www.debian.org/security/2006/dsa-1046 (nvd)
- www.debian.org/security/2006/dsa-1051 (nvd)
- www.gentoo.org/security/en/glsa/glsa-200604-18.xml (nvd)
- www.mozilla.org/security/announce/2006/mfsa2006-01.html (nvd)
- www.securityfocus.com/archive/1/438730/100/0/threaded (nvd)
- www.securityfocus.com/archive/1/446657/100/200/threaded (nvd)
- www.securityfocus.com/bid/16476 (nvd)
- www.vupen.com/english/advisories/2006/0413 (nvd)
- www.vupen.com/english/advisories/2006/3391 (nvd)
- www.vupen.com/english/advisories/2006/3749 (nvd)
- exchange.xforce.ibmcloud.com/vulnerabilities/24430 (nvd)
- exchange.xforce.ibmcloud.com/vulnerabilities/42654 (nvd)
- oval.cisecurity.org/repository/search/definition/oval%3Aorg.mitre.oval%3Adef%3A1494 (nvd)