Unrated severityNVD Advisory· Published Mar 25, 2010· Updated Apr 29, 2026

CVE-2010-0166

Description

The gfxTextRun::SanitizeGlyphRuns function in gfx/thebes/src/gfxFont.cpp in the browser engine in Mozilla Firefox 3.6 before 3.6.2 on Mac OS X, when the Core Text API is used, does not properly perform certain deletions, which allows remote attackers to cause a denial of service (memory corruption and application crash) and possibly execute arbitrary code via an HTML document containing invisible Unicode characters, as demonstrated by the U+FEFF, U+FFF9, U+FFFA, and U+FFFB characters.

Affected products

Mozilla Corporation/Firefox
cpe:2.3:a:mozilla:firefox:3.6:*:*:*:*:*:*:*

Patches

No patches discovered yet.

Vulnerability mechanics

AI mechanics synthesis has not run for this CVE yet.

References

www.mozilla.org/security/announce/2010/mfsa2010-11.htmlnvdVendor Advisory
www.securityfocus.com/bid/38918nvd
www.securityfocus.com/bid/38943nvd
www.vupen.com/english/advisories/2010/0692nvd
bugzilla.mozilla.org/show_bug.cginvd
oval.cisecurity.org/repository/search/definition/oval%3Aorg.mitre.oval%3Adef%3A14182nvd

News mentions

No linked articles in our index yet.

cvss	0.000
epss	0.021
exploit	0.030
kev	0.000
patch	0.000
ransomware	0.000