CVE-2023-29535 - How a WeakMap, Garbage Collection, and Race Conditions Led to Firefox’s Major Memory Corruption Bug

Mozilla’s Firefox is known for putting user security first, but even the best browsers aren’t immune to subtle memory bugs. CVE-2023-29535 is one such vulnerability that serves as a textbook example of how complex memory management can lead to dangerous conditions—even in mature codebases maintained by teams that take security seriously.

What is CVE-2023-29535?

CVE-2023-29535 is a memory corruption vulnerability in Firefox (and related Mozilla products like Thunderbird and Focus for Android). It was discovered when developers found WeakMaps could be accessed *after* a special “garbage collection” process called compaction. The problem: these WeakMaps could be accessed before they were fully and safely updated—a kind of race condition that left holes for hackers.

Thunderbird < 102.10

If you use a supported, auto-updating version, you should be safe. But check your version just in case!

Let’s translate the bug.

Firefox (and related Mozilla software) is written mostly in C++ and Rust. It uses JavaScript’s WeakMap objects—which hold key/value pairs, but the map’s entries don’t prevent garbage collection of the keys.

When Firefox’s garbage collector runs (to free up memory), sometimes it does a big operation called a compaction—it moves objects around to reclaim fragmented memory.

Here’s the bug: After compaction, WeakMaps could be accessed before they were updated to point to the new memory locations. This meant pointers inside WeakMap could still point to freed (invalid) memory, causing memory corruption.

In practical terms: If a malicious website (using JavaScript) could trigger this process just right, and then access a WeakMap, it might cause a browser crash, or—checked by a skilled exploit developer—run arbitrary code.

Exploiting CVE-2023-29535: How a Hacker Might Attack

Let’s look at a simple, stripped-down (but illustrative) example in JavaScript. This is not an actual full exploit, but represents the basic mechanism at play.

// Step 1: Create WeakMap and related objects
let targets = [];
let wm = new WeakMap();

for (let i = ; i < 10000; i++) {
    let obj = {};
    targets.push(obj);
    wm.set(obj, "value" + i);
}

// Step 2: Drop references to some targets, then force a hard GC
for (let i = ; i < 999; i++) {
    targets[i] = null;
}

// Step 3: Try to trigger GC compaction
for (let i = ; i < 100; i++) {
    let temp = {};
}

// This is a simplified view; the real exploit would try to time this
// so that the WeakMap's internal pointers are stale.

// Step 4: Access WeakMap in certain ways to try and cause UAF
console.log(wm.has(targets[9999])); // Could lead to use-after-free in vulnerable version

A real attacker would use multiple threads, complex patterns, and well-timed calls to try to *predict* when the garbage collector compacts memory.

Escalate control, escape the browser sandbox, or steal sensitive browser process data

The Mozilla security team flagged this as potentially exploitable, meaning they believe attackers could use this path for serious exploits. As with many memory safety bugs, reliable exploitation may be tricky—but don’t underestimate the creativity of attackers.

Why Did This Bug Happen?

The core issue: Race Condition after Garbage Collection Compaction

- WeakMaps should only be accessed after all their entries are traced and updated following a compaction.
- In the vulnerable versions, this wasn’t always the case: code could *use* a WeakMap before it was “fully fixed up.”
- If the browser reuses that now-freed memory (previous WeakMap pointer) for something else, accessing the old pointer means unpredictable behavior.

This type of error is common in lower-level languages (like C/C++), even when lots of care is taken.

How Do I Stay Safe? (And How Did Mozilla Respond?)

Update your browser!  
- Make sure your Firefox, Thunderbird, or mobile version is at least the versions listed above (or newer).

Enable automatic updates

Security note: Modern browsers get *many* security updates every year. Even if you think “I’m just a careful user,” a single unpatched bug can put you at risk.

Mozilla fixed this bug promptly. Read more about their fix in the Mozilla bug tracker link below.

NVD Entry:

CVE-2023-29535 summary and details

Mozilla Security Advisory:

MFSA 2023-15: Memory corruption

Bugzilla report:

Bug 1827576: WeakMap UAF after GC compaction

WeakMap basics:

MDN: WeakMap

Garbage Collection in SpiderMonkey:

MozillaWiki: GC in SpiderMonkey
- Live exploit writing (for education): Browser bug exploitation, part 1

Conclusion

CVE-2023-29535 is a great example of how a subtle, low-level race condition in the heap management of everyday JavaScript objects can lead to browser crashes and potentially to major security risks. Fortunately, thanks to Mozilla’s patch and your browser’s update mechanism, most users will simply remain safe in the background.

If you run managed machines, audit your patch management.  
If you’re a developer, learn from this: memory safety and garbage collection are still complex, even in “safe” high-level languages like JavaScript.

Stay safe—and keep those browsers up to date!

*This article is provided for educational purposes only. Always use security knowledge responsibly.*

Timeline

Published on: 06/02/2023 17:15:00 UTC
Last modified on: 06/09/2023 03:57:00 UTC