VYPR
Unrated severity · NVD Advisory · Published Jun 2, 2023 · Updated Jan 10, 2025

CVE-2023-29544

Description

If multiple instances of resource exhaustion occurred at the incorrect time, the garbage collector could have caused memory corruption and a potentially exploitable crash. This vulnerability affects Firefox for Android < 112, Firefox < 112, and Focus for Android < 112.

AI Insight

LLM-synthesized narrative grounded in this CVE's description and references.

A timing-dependent bug in Firefox's garbage collector: when several resource-exhaustion events land at the wrong point in a collection cycle, the collector's marking state becomes inconsistent, leading to memory corruption and a potentially exploitable crash.

Vulnerability

A vulnerability exists in the garbage collector of Firefox, Firefox for Android, and Focus for Android versions prior to 112 [1]. When multiple instances of resource exhaustion occur at an incorrect time, the garbage collector can enter an inconsistent state, leading to memory corruption [2]. In a debug build the issue manifests as the assertion failure `!hasDelayedMarking()` at `js/src/gc/GC.cpp:1370`, indicating that marking work was unexpectedly still pending when sweeping began [2]. The assertion is a debug-only check; in a release build the same inconsistent state goes undetected at that point, which is why the report treats it as memory corruption rather than a clean abort. The condition can be triggered by feeding multiple JavaScript files through the JS shell's REPRL (read-eval-print-reset loop) interface, though it is flaky and difficult to reproduce reliably [2].

Exploitation

An attacker would need to craft JavaScript that, when executed, causes resource-exhaustion events to overlap with garbage-collection phases so that marking work is still pending when the sweep phase runs [2]. No privileges beyond the ability to run JavaScript are required, which in a browser means any web content the user loads. The crash is flaky; on the reporter's machine it took 50-100 runs to trigger [2]. The references show the condition only in the JS shell under repeated runs and do not establish that it can be hit reliably from web content, since it depends on the timing of collection phases relative to the resource-exhaustion events.

Impact

If successfully triggered, the vulnerability leads to memory corruption, which could result in a potentially exploitable crash [1][2]. At minimum the attacker can cause a denial of service (browser crash); if the memory corruption can be controlled, arbitrary code execution follows. The impact is rated as high by Mozilla [1]. The references do not detail the privilege level gained. Because the JavaScript engine runs in a sandboxed content process, code execution obtained this way is confined to that sandbox; escaping it would require a separate vulnerability.

Mitigation

The vulnerability is fixed in Firefox 112, Firefox for Android 112, and Focus for Android 112, released on April 11, 2023 [1]. Users should update their browsers to the latest versions. No workarounds are available for older, unsupported versions. This CVE is not listed on the CISA Known Exploited Vulnerabilities catalog.

AI Insight generated on May 25, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.

Affected products

8

Patches

0

No patches discovered yet.

Vulnerability mechanics

Root cause

"Resource exhaustion occurring at an incorrect time during garbage collection causes delayed marking state corruption, violating an assertion in the sweep phase."

Attack vector

An attacker triggers resource exhaustion at an incorrect time during garbage collection, causing the assertion `!hasDelayedMarking()` to fail in `GCRuntime::assertNoMarkingWork` [ref_id=1]. The underlying state corruption can lead to a potentially exploitable crash. The condition is triggered via crafted JavaScript files fed through the JS shell's REPRL interface, and the crash is flaky, requiring many repeated attempts (50–100 runs) [ref_id=1].

Affected code

The crash occurs in `js/src/gc/GC.cpp` at the assertion `!hasDelayedMarking()` inside `GCRuntime::assertNoMarkingWork`, called from `GCRuntime::endSweepingSweepGroup` in `js/src/gc/Sweeping.cpp`. The garbage collector's sweep phase is the code path at fault [ref_id=1].

What the fix does

The bundle does not include a patch diff. The advisory (Bugzilla entry) describes the issue as an assertion failure `!hasDelayedMarking()` in the garbage collector's sweep phase, but no fix is published in the provided materials [ref_id=1]. The remediation for users is to update to Firefox >= 112, Firefox for Android >= 112, and Focus for Android >= 112, as stated in the CVE description.

Preconditions

  • The attacker must be able to execute crafted JavaScript that triggers resource exhaustion at an incorrect time during garbage collection.
  • The crash is flaky and requires repeated execution (typically 50–100 runs) to manifest.

Reproduction

The bundle includes a PoC reproduction method via the JS shell's REPRL interface. Apply `js.patch` to the shell, then run `reprl2.py`, which feeds four `.js` files repeatedly. Execute `while true; do python3 reprl2.py; done;`: the script exits on non-crash runs and freezes rather than exiting when the assertion violation triggers, so the loop stalls at the triggering iteration, typically after 50–100 iterations [ref_id=1].
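The flakiness noted under Exploitation and the `while true` loop above share one practical problem: a run that has hit the bug freezes instead of exiting, so the bare loop simply stops making progress and nothing records which iteration did it. The following harness is an added example, not the reporter's `reprl2.py`, `js.patch` or any Mozilla code. It assumes `js.patch` has already been applied to a debug JS shell, that `reprl2.py` and its four `.js` files are in the current directory, and that GNU `timeout` is available; the `REPRO_LOG` variable and the `--run` flag are this example's own conventions.

```shell
#!/bin/sh
# Added example harness for the repeated-run reproduction described on this page.
# Not the reporter's script: it assumes js.patch is applied to a debug js shell
# and that reprl2.py (with its four .js files) is in the current directory.
# Each run is wrapped in GNU `timeout`, so a run that freezes (the behaviour the
# report describes when the assertion fires) is distinguished from a run that
# exits normally, and the triggering run number is reported instead of the
# loop silently stalling.

# repro_loop MAX_RUNS PER_RUN_SECONDS CMD [ARGS...]
# Runs CMD up to MAX_RUNS times. On the first run that hangs (timeout exit
# status 124) or dies of a signal (status > 128, e.g. SIGABRT from an assertion
# or SIGSEGV from a crash) it prints the run number on stdout and returns 0.
# Returns 1 if every run exited normally. Per-run output is appended to
# $REPRO_LOG (an assumed convention of this example; default: discarded).
repro_loop() {
    max=$1; limit=$2; shift 2
    i=1
    while [ "$i" -le "$max" ]; do
        status=0
        timeout "$limit" "$@" >>"${REPRO_LOG:-/dev/null}" 2>&1 || status=$?
        if [ "$status" -eq 124 ]; then
            echo "run $i: no exit within ${limit}s (hang pattern)" >&2
            echo "$i"
            return 0
        elif [ "$status" -gt 128 ]; then
            echo "run $i: killed by signal $((status - 128))" >&2
            echo "$i"
            return 0
        fi
        i=$((i + 1))
    done
    echo "no hang or crash in $max runs" >&2
    return 1
}

# Stand-alone use: `sh repro.sh --run` drives the report's own command line,
# allowing up to 500 runs of two minutes each.
if [ "${1:-}" = "--run" ]; then
    if n=$(repro_loop 500 120 python3 reprl2.py); then
        echo "assertion-violation pattern reproduced on run $n"
    fi
fi
```

Treating a signal death the same as a hang matters for a debug shell, where a failed `MOZ_ASSERT` aborts the process rather than freezing it; either outcome ends the loop with the run number, and `REPRO_LOG` keeps the shell output of every run for inspection afterwards.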

Generated on May 26, 2026. Inputs: CWE entries + fix-commit diffs from this CVE's patches. Citations validated against bundle.

References

2

News mentions

0

No linked articles in our index yet.