CVE-2023-29537
Description
Multiple race conditions in the font initialization could have led to memory corruption and execution of attacker-controlled code. This vulnerability affects Firefox for Android < 112, Firefox < 112, and Focus for Android < 112.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
Multiple race conditions in Firefox font initialization could lead to memory corruption and arbitrary code execution, fixed in Firefox 112.
Vulnerability
Multiple race conditions exist in the font initialization code of Firefox, Firefox for Android, and Focus for Android prior to version 112. Specifically, a race condition in MakeGlyphAtlas() within gfxFontMissingGlyphs.cpp (bug 1823365 [1]) and additional data races in the fontconfig/FreeType backend (bug 1824200 [2]) and the Android FT2 font backend (bug 1825569 [4]) allow multiple threads to concurrently access and modify static or shared font resources. An attacker can trigger these races by crafting HTML/JavaScript that calls font rendering functions from web workers, causing a use-after-free or memory corruption when two threads pass the null check on the same variable and subsequently perform unsynchronized assignments.
Exploitation
An attacker needs to deliver a specifically crafted HTML file that triggers the race condition, typically by using JavaScript to call fillText() with certain Unicode characters from a web worker. The attack requires no authentication or special privileges; a victim merely visiting a malicious webpage suffices. By exploiting the race window, an attacker can cause a use-after-free in the MakeGlyphAtlas() function, where one thread frees a SourceSurface object while the other thread continues to use it [1]. The data races in the font backends [2][4] similarly allow concurrent read/write operations on shared FreeType faces, potentially leading to memory corruption.
Impact
Successful exploitation can lead to memory corruption and execution of attacker-controlled code inside the browser's content process; Mozilla rates the issue high severity [3]. Because the content process is sandboxed, full system compromise would additionally require a sandbox escape, but code execution in the content process already exposes the data of the sites that process renders and gives an attacker a foothold for chaining further bugs.
Mitigation
The vulnerabilities are fixed in Firefox 112, Firefox for Android 112, and Focus for Android 112, released on April 11, 2023 [3]. Users should update their browsers to the latest version. No workarounds are provided; updating is the only mitigation. The fixes involve proper synchronization (atomics, locking) in the affected code paths [1][2][4].
- [1] Bug 1823365 - (CVE-2023-29537) initialization race leading to use after free in MakeGlyphAtlas()
- [2] Bug 1824200 - [tsan] data race initializing the SharedFTFace in gfxFontconfigFontEntry::GetFTFace
- [3] Security Vulnerabilities fixed in Firefox 112, Firefox for Android 112, Focus for Android 112
- [4] Bug 1825569 - [tsan] data races in Android font backend (FT2FontEntry)
AI Insight generated on May 25, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
Affected products
Eight version entries are listed: three product entries with no CPE recorded (the description names Firefox, Firefox for Android and Focus for Android), each with the same two ranges, plus two openSUSE package coordinates.
- (no CPE) range: < 112; range: unspecified
- (no CPE) range: < 112; range: unspecified
- (no CPE) range: < 112; range: unspecified
- OSV coordinates (2 versions): pkg:rpm/opensuse/firefox-esr&distro=openSUSE%20Tumbleweed and pkg:rpm/opensuse/MozillaFirefox&distro=openSUSE%20Tumbleweed
  - (no CPE) range: < 128.5.1-1.1
  - (no CPE) range: < 112.0.1-1.1
Patches
No patches discovered yet.
Vulnerability mechanics
Root cause
"Missing synchronization on `mFTFace`, `mFTFaceInitialized`, and `UnscaledFontCache` members in `gfxFontconfigFontEntry` allows concurrent threads to race during font initialization."
Attack vector
An attacker triggers the bug by causing concurrent font initialization from multiple threads — for example, by using `OffscreenCanvasRenderingContext2D.fillText()` in a way that races font lookups [ref_id=1]. Two threads calling `GetFTFace()` or `HasVariations()` on the same not-yet-initialized font entry simultaneously produce a data race on the `SharedFTFace` pointer and the `mFTFaceInitialized` flag [ref_id=1]. The advisory notes that "it's unclear how they could be exploited" but the races could lead to memory corruption and execution of attacker-controlled code [ref_id=1].
Affected code
The race conditions are in `gfxFontconfigFontEntry::GetFTFace()` and `gfxFontconfigFontEntry::HasVariations()` within `gfx/thebes/gfxFcPlatformFontList.cpp`. The `mFTFace` and `mFTFaceInitialized` members of `gfxFontconfigFontEntry` are not guarded or atomic, and the `UnscaledFontCache` operations in `CreateFontInstance` also lack synchronization [ref_id=1].
What the fix does
The fix makes `mFTFace` an atomic pointer and adds proper synchronization for `mFTFaceInitialized` and the `UnscaledFontCache` operations [ref_id=1]. Three patches were needed: the first addressed the `SharedFTFace` race, the second fixed the `HasVariations()` race, and the third resolved a race in `UnscaledFontCache::Lookup`/`MoveToFront` [ref_id=1]. After all three patches, ThreadSanitizer reported no further issues [ref_id=1].
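As an added example (not Mozilla's code and not the patches cited above), the lazy-initialization race described in the Vulnerability and Attack vector passages, written out beside the two synchronized shapes the fix uses: an atomic pointer published with compare-exchange, and a mutex-guarded initialized flag. The types FakeFace, RacyFontEntry, AtomicFontEntry and LockedFontEntry are hypothetical stand-ins for SharedFTFace and gfxFontconfigFontEntry, and the thread hammer stands in for several workers drawing text with the same not-yet-initialized font.

```cpp
#include <algorithm>
#include <atomic>
#include <chrono>
#include <cstdio>
#include <functional>
#include <mutex>
#include <thread>
#include <vector>

// Hypothetical stand-in for a FreeType face; counts constructions so a run is measurable.
struct FakeFace {
  static std::atomic<int> sConstructed;
  int id;
  FakeFace() : id(++sConstructed) {}
};
std::atomic<int> FakeFace::sConstructed{0};

// 1. Racy shape: check-then-assign on a plain pointer, no synchronization.
//    Two threads both pass the null check, both construct, both store; the
//    loser's face is orphaned. In the real bug the orphan was released while
//    another thread still used it (use-after-free). Here orphans are only
//    recorded and freed at the end so the demo stays memory-safe.
struct RacyFontEntry {
  FakeFace* mFTFace = nullptr;          // plain, non-atomic pointer
  std::mutex mBookkeeping;              // demo-only: lets the destructor free orphans
  std::vector<FakeFace*> mAllFaces;
  FakeFace* GetFTFace() {
    if (!mFTFace) {                     // thread A and thread B both see nullptr
      FakeFace* f = new FakeFace();
      { std::lock_guard<std::mutex> g(mBookkeeping); mAllFaces.push_back(f); }
      std::this_thread::sleep_for(std::chrono::milliseconds(2));  // widen the race window
      mFTFace = f;                      // unsynchronized assignment; last writer wins
    }
    return mFTFace;
  }
  ~RacyFontEntry() { for (FakeFace* f : mAllFaces) delete f; }
};

// 2. Atomic publish: the pointer is std::atomic and published by compare-exchange.
//    A loser deletes its own face (never visible to anyone) and adopts the winner's.
struct AtomicFontEntry {
  std::atomic<FakeFace*> mFTFace{nullptr};
  FakeFace* GetFTFace() {
    if (FakeFace* f = mFTFace.load(std::memory_order_acquire)) return f;
    FakeFace* fresh = new FakeFace();
    FakeFace* expected = nullptr;
    if (mFTFace.compare_exchange_strong(expected, fresh, std::memory_order_acq_rel)) return fresh;
    delete fresh;                       // someone else won; ours was never shared
    return expected;                    // compare_exchange left the winner's pointer here
  }
  ~AtomicFontEntry() { delete mFTFace.load(); }
};

// 3. Lock-guarded flag: mFTFaceInitialized and mFTFace are only touched under
//    the mutex, so construction happens exactly once.
struct LockedFontEntry {
  std::mutex mLock;
  bool mFTFaceInitialized = false;
  FakeFace* mFTFace = nullptr;
  FakeFace* GetFTFace() {
    std::lock_guard<std::mutex> g(mLock);
    if (!mFTFaceInitialized) { mFTFace = new FakeFace(); mFTFaceInitialized = true; }
    return mFTFace;
  }
  ~LockedFontEntry() { delete mFTFace; }
};

struct RaceResult {
  int constructed;  // FakeFace objects built during the run
  int distinct;     // distinct face pointers the threads ended up holding
};

// Hammer one entry with nThreads threads calling GetFTFace() at once. Pointer
// values are only compared after the run, never dereferenced.
template <typename Entry>
RaceResult RunInitRace(int nThreads) {
  FakeFace::sConstructed = 0;
  std::vector<FakeFace*> seen(nThreads, nullptr);
  {
    Entry entry;
    std::vector<std::thread> threads;
    for (int i = 0; i < nThreads; ++i)
      threads.emplace_back([&entry, &seen, i] { seen[i] = entry.GetFTFace(); });
    for (std::thread& t : threads) t.join();
  }
  std::sort(seen.begin(), seen.end(), std::less<FakeFace*>());
  int distinct = static_cast<int>(std::unique(seen.begin(), seen.end()) - seen.begin());
  return RaceResult{FakeFace::sConstructed.load(), distinct};
}

int main() {
  RaceResult racy = RunInitRace<RacyFontEntry>(8);
  RaceResult cas = RunInitRace<AtomicFontEntry>(8);
  RaceResult locked = RunInitRace<LockedFontEntry>(8);
  std::printf("racy:   %d constructed, %d distinct, %d orphaned\n", racy.constructed, racy.distinct, racy.constructed - 1);
  std::printf("atomic: %d constructed, %d distinct (losers freed their own)\n", cas.constructed, cas.distinct);
  std::printf("locked: %d constructed, %d distinct\n", locked.constructed, locked.distinct);
  return 0;
}
```

Build with `g++ -std=c++17 -pthread`; adding `-fsanitize=thread` makes ThreadSanitizer report the unsynchronized write on `mFTFace` in RacyFontEntry::GetFTFace and nothing in the other two entries, which is the same tooling the [tsan]-tagged Mozilla bugs came from. The racy variant usually ends up with more than one constructed face per run, but how many depends on thread scheduling; the locked variant always constructs exactly one, and the atomic variant may construct several but publishes exactly one.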
Preconditions
- input: The attacker must be able to trigger concurrent font initialization from multiple threads (e.g., via OffscreenCanvas text rendering).
- config: The target must use the fontconfig font backend on a system where FreeType font faces are shared.
Generated on May 26, 2026. Inputs: CWE entries + fix-commit diffs from this CVE's patches. Citations validated against bundle.
References
News mentions
No linked articles in our index yet.