CVE-2023-29543
Description
An attacker could have caused memory corruption and a potentially exploitable use-after-free of a pointer in a global object's debugger vector. This vulnerability affects Firefox for Android < 112, Firefox < 112, and Focus for Android < 112.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
Use-after-free in Firefox's debugger vector could allow memory corruption and potential code execution.
Vulnerability
CVE-2023-29543 is a use-after-free vulnerability in a global object's debugger vector, leading to memory corruption. The bug occurs in JavaScript engine handling of debugger operations, specifically involving garbage collection interactions. Affected versions are Firefox < 112, Firefox for Android < 112, and Focus for Android < 112 [1]. The bug report [2] shows a crash stack trace indicating a use-after-free read barrier on a debugger object.
Exploitation
An attacker can trigger this vulnerability by hosting a crafted web page that executes JavaScript designed to exercise the debugger vector path. The exploitation requires no special privileges beyond web navigation, as the bug is reachable through standard web content. The sample in the bug report is described as flaky and requires multiple attempts to trigger, suggesting a race condition or specific timing [2].
Impact
Successful exploitation could result in memory corruption and a potentially exploitable use-after-free condition. This could lead to arbitrary code execution within the browser's sandbox, potentially allowing an attacker to execute commands or access sensitive data. The vulnerability is rated high impact by Mozilla [1].
Mitigation
The vulnerability is fixed in Firefox 112, Firefox for Android 112, and Focus for Android 112, released on April 11, 2023 [1]. Users should update to these versions or later. No workarounds are available.
AI Insight generated on May 25, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
Affected products
- <112 (+ 1 more)
  - (no CPE) range: <112
  - (no CPE) range: unspecified
- <112 (+ 1 more)
  - (no CPE) range: <112
  - (no CPE) range: unspecified
- <112 (+ 1 more)
  - (no CPE) range: <112
  - (no CPE) range: unspecified
- osv-coords (2 versions): pkg:rpm/opensuse/firefox-esr&distro=openSUSE%20Tumbleweed, pkg:rpm/opensuse/MozillaFirefox&distro=openSUSE%20Tumbleweed
  - < 128.5.1-1.1 (+ 1 more)
  - (no CPE) range: < 128.5.1-1.1
  - (no CPE) range: < 112.0.1-1.1
Patches
No patches discovered yet.
Vulnerability mechanics
Root cause
"Use-after-free of a pointer in a global object's debugger vector, leading to memory corruption during GC barrier operations."
Attack vector
An attacker triggers a use-after-free of a pointer in a global object's debugger vector [ref_id=1]. The bug is triggered by running a crafted JavaScript sample (crash2.js) that causes memory corruption during GC barrier operations, as shown by the stack trace reaching `js::WeakHeapPtr
Affected code
The crash occurs in the garbage collector (GC) barrier code, specifically in `js::gc::detail::CellHasStoreBuffer` and `js::gc::ReadBarrierImpl`, called through `js::WeakHeapPtr
What the fix does
No patch is included in the bundle. The advisory [ref_id=1] reports the crash as a GC/debugger issue, and the fix was applied in the Firefox 112 release cycle. Without the patch diff, the specific code change cannot be described, but the vulnerability was addressed in Firefox 112, Firefox for Android 112, and Focus for Android 112.
Preconditions
- input: The attacker must be able to execute arbitrary JavaScript in the victim's browser.
- input: The crash is flaky and may require many executions (hundreds of attempts) to reproduce reliably.
Reproduction
Place the attached crash2.js file at the root of the Firefox source folder. Place the provided Python script (which runs `rr record` in a loop) alongside it at the root. Run the script; it will execute the Firefox build on git commit b25ff1fab82c2d3a91531ad3735e50422407b163 repeatedly until the crash is detected. The script removes the rr output directory (/tmp/BBB) unless a crash is found. The crash may take a couple of hundred executions to trigger [ref_id=1].
Generated on May 26, 2026. Inputs: CWE entries + fix-commit diffs from this CVE's patches. Citations validated against bundle.
References
News mentions
No linked articles in our index yet.