CVE-2016-1944
Description
A memory-safety bug in ANGLE's Buffer11::NativeBuffer11::map function in Firefox before 44.0 could lead to memory corruption via a wild pointer.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
Vulnerability
The vulnerability is in the Buffer11::NativeBuffer11::map function in the ANGLE graphics library used by Mozilla Firefox before version 44.0. The function calls ID3D11DeviceContext::Map without checking the return code in release builds. On failure, the mappedResource variable remains uninitialized (it is an automatic D3D11_MAPPED_SUBRESOURCE with no constructor), and the function returns the uninitialized pData pointer to callers. This results in a wild pointer being used for read/write operations [1][3].
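The unchecked-result pattern described above, next to a hardened form, as an added example (not ANGLE's or Mozilla's code). `HResult`, `MappedSubresource`, `FakeContext`, `poison`, `map_unchecked` and `map_checked` are hypothetical stand-ins so the sketch builds without the Direct3D headers, and the 0xCD fill is an assumption that pins down what would otherwise be indeterminate stack contents.

```cpp
#include <cstdint>
#include <cstdio>
#include <cstring>

using HResult = std::int32_t;                 // stand-in for HRESULT: negative means failure
constexpr HResult kOk = 0, kMapFailed = -1;

// Plain struct with no constructor, like D3D11_MAPPED_SUBRESOURCE.
struct MappedSubresource { void *pData; unsigned RowPitch; unsigned DepthPitch; };

struct FakeContext {                          // hypothetical mock of the device context
    bool fail;
    unsigned char storage[16];
    HResult Map(MappedSubresource *out) {
        if (fail) return kMapFailed;          // failure path: *out is left untouched
        *out = {storage, 16, 16};
        return kOk;
    }
};

// Deterministic stand-in for whatever bytes happen to be on the stack.
static void poison(MappedSubresource *m) { std::memset(m, 0xCD, sizeof *m); }

// Pattern from the description: return code ignored, pData returned regardless.
void *map_unchecked(FakeContext &ctx) {
    MappedSubresource mapped;
    poison(&mapped);                          // real code has indeterminate contents here
    ctx.Map(&mapped);
    return mapped.pData;                      // stale bytes when Map failed
}

// Hardened form: zero-initialise, check the result, report failure as nullptr.
void *map_checked(FakeContext &ctx) {
    MappedSubresource mapped = {};
    if (ctx.Map(&mapped) < 0) return nullptr;
    return mapped.pData;
}

int main() {
    FakeContext bad{true, {}};
    std::printf("unchecked on failure: %p\n", map_unchecked(bad));
    std::printf("checked on failure:   %p\n", map_checked(bad));
    return 0;
}
```

Callers of the hardened form still have to test for `nullptr` before reading or writing through the result.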
Exploitation
An attacker can trigger this vulnerability by enticing a user to view a specially crafted web page or email that causes the ANGLE library to invoke the vulnerable code path. The attacker does not need authentication; the attack is remote. The exact sequence involves causing the ID3D11DeviceContext::Map call to fail, leading to the use of the wild pointer. The Mozilla advisory notes that the mechanism to exploit this through web content is not entirely clear but is possible if a trigger can be found [2][3].
Impact
Successful exploitation could lead to memory corruption, potentially allowing arbitrary code execution or denial of service. The impact is rated critical (CVSS 9.8) because it could be triggered remotely without user interaction beyond normal browsing. The attacker could gain the ability to read or write arbitrary memory, leading to full compromise of the browser [3].
Mitigation
The vulnerability is fixed in Firefox 44, released on January 26, 2016 [3]. Users should upgrade to Firefox 44 or later. For Gentoo Linux, the fix is included in www-client/firefox-38.7.0 and later [2]. No workaround is available; upgrading is the only mitigation. The vulnerability is not listed in CISA's Known Exploited Vulnerabilities catalog.
AI Insight generated on May 23, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
Affected products
- cpe:2.3:a:mozilla:firefox:43.0.4:*:*:*:*:*:*:*
- (no CPE) range: <44.0
- osv-coords (2 versions):
  - pkg:rpm/opensuse/firefox-esr&distro=openSUSE%20Tumbleweed
  - pkg:rpm/opensuse/MozillaFirefox&distro=openSUSE%20Tumbleweed
- (no CPE) range: < 128.5.1-1.1
- (no CPE) range: < 50.1.0-1.1
References
- www.mozilla.org/security/announce/2016/mfsa2016-10.html (nvd, Vendor Advisory)
- lists.opensuse.org/opensuse-security-announce/2016-02/msg00001.html (nvd)
- lists.opensuse.org/opensuse-security-announce/2016-02/msg00002.html (nvd)
- www.securityfocus.com/bid/81950 (nvd)
- www.securitytracker.com/id/1034825 (nvd)
- www.ubuntu.com/usn/USN-2880-1 (nvd)
- www.ubuntu.com/usn/USN-2880-2 (nvd)
- bugzilla.mozilla.org/show_bug.cgi (nvd)
- security.gentoo.org/glsa/201605-06 (nvd)