CVE CyberSecurity Database News

CVE-2023-5169 - Understanding the Dangerous Firefox PathRecording Out-of-Bounds Write Vulnerability

Poster -

In September 2023, Mozilla announced the discovery of a high-severity security vulnerability, tracked as CVE-2023-5169. This bug could allow an attacker to crash privileged processes (like the browser’s parent process) or potentially execute code, just by compromising a web content process. The issue lay in how Mozilla’s graphics code handled something called PathRecording. In this post, we'll dive deep into what happened, how it could be exploited, and what you can do to protect yourself.

What Is CVE-2023-5169?

Firefox, Thunderbird, and other Mozilla-based applications run web content in separate content processes for security. These processes send data back and forth to the more privileged parent process. Due to a mistake in the code that handles graphics paths (shapes drawn in Firefox), a malicious website could send specially crafted PathRecording data that, when parsed, could cause an out-of-bounds write in privileged memory.

Affected versions:

Thunderbird before 115.3

Original Mozilla security advisory:
https://www.mozilla.org/en-US/security/advisories/mfsa2023-40/#CVE-2023-5169

What is PathRecording?

PathRecording is a serialization format that stores drawing instructions (for example, "draw this line, then that curve") to replay in another process. It allows Firefox to delegate complex drawing safely — unless there’s a parsing bug.

The Vulnerability

When parsing a path, the browser expected the data to look a certain way. But the code didn't properly verify if the received content actually fit within memory bounds. If a malicious site delivered oversized or corrupted path data, it could trigger an out-of-bounds memory write in the parent process.

This is dangerous: when a process writes outside of its allocated memory, it can corrupt adjacent memory. With skill, an attacker might turn this into remote code execution (RCE).

Simplified Code Snippet

Below is a fake but illustrative C++-ish example to give you a sense of the problem (based on public info):

void ReadPathRecording(const uint8_t* data, size_t size) {
    // 'num_points' comes from attacker-controlled data
    uint32_t num_points = *(uint32_t*)data;
    const size_t needed = num_points * sizeof(Point);
    if (needed > size) {
        // Intended: fail gracefully
        return;
    }
    // BAD: No robust bounds checking
    Point* points = new Point[num_points];
    memcpy(points, data + sizeof(uint32_t), needed);
    // ...
}

A malicious content process can set num_points to a huge value. If the bounds check is incorrect or missing, the code may overwrite variables beyond the points array — causing a crash (denial of service) or, in the worst case, code execution.

For more technical details, see the bug report:
https://bugzilla.mozilla.org/show_bug.cgi?id=1851616

Demonstrating the Impact

Exploit scenario:

A user visits an evil website.

2. The website executes code in the content process that writes maliciously-crafted PathRecording data.

When Firefox’s parent process tries to parse this data, its memory is corrupted.

4. The parent process crashes (denial of service), or, if the attacker is advanced, code is executed with higher privileges — potentially escaping the browser’s sandbox.

Proof-of-Concept (Illustrative Only)

Note: There is no public working exploit as of the time of writing. But this demonstrates how one might trigger the bug:

// In a compromised content process:
let badPathData = new ArrayBuffer(1024);
let dataView = new DataView(badPathData);
dataView.setUint32(, x40000000, true); // num_points = very big number

// Send 'badPathData' to the parent process as a fake path recording
// Parent tries to parse this == crash!

Mitigation and Fix

Mozilla's fix:
Mozilla released updates in Firefox 118, Firefox ESR 115.3, and Thunderbird 115.3 that add stricter bounds checks, ensuring attackers can't write out-of-bounds memory via PathRecording parsing. If you use any affected software, *update immediately*.

- Firefox downloads
- Thunderbird downloads

Conclusion

CVE-2023-5169 is another real-world example of how complex graphics processing can become a risky attack surface, especially in multi-process browsers like Firefox. Thanks to Mozilla’s quick patch, users are protected — as long as they keep their browsers up to date. If you’re managing multiple computers or software deployments, make sure to update your browsers and email clients as soon as possible.

References

- Mozilla Security Advisory 2023-40
- Bugzilla Report 1851616
- Common Weakness Enumeration: CWE-787 Out-of-bounds Write


*This explanation is original and written in plain language for educational purposes. For the most accurate technical details, refer to official Mozilla advisories and source code.*

Timeline

Published on: 09/27/2023 15:19:00 UTC
Last modified on: 10/09/2023 16:15:00 UTC