In September 2023, Mozilla published a security advisory for CVE-2023-5171, a dangerous vulnerability in their JavaScript engine, IonMonkey. This bug could let bad actors crash your browser or even run malicious code—all they need is to get you to visit a crafted webpage. The affected versions are:
Thunderbird < 115.3
Let’s break down how this bug works, how it can be triggered, and what makes it such a valuable target for attackers.
What Is IonMonkey?
IonMonkey is Firefox’s high-performance Just-In-Time (JIT) compiler for JavaScript. It takes normal JavaScript code and converts it into faster machine code while the browser is running a page. To optimize things, IonMonkey interacts deeply with memory and objects. This is great for speed, but dangerous if corners get cut or unexpected things happen—like a garbage collection (GC) at just the wrong time.
How It Happens
During IonMonkey’s compilation process, the engine may trigger a garbage collection. If certain objects are cleaned up, but IonMonkey's code keeps a pointer to them, we end up with a classic use-after-free bug. That means the browser tries to access memory that used to belong to a JavaScript object, but now could belong to something else—or could be unmapped.
Mozilla’s bug tracker describes the problem like this:
> During Ion compilation, a GC could lead to a use-after-free, potentially letting an attacker write two NUL bytes and crash or exploit the browser.
The critical point: if an attacker can control what gets re-allocated at the freed memory, they can influence what gets overwritten with those “two NUL bytes”. This could potentially corrupt a function pointer or an important object—a stepping stone to code execution.
Simple PoC Code Example
Here’s a simplified JavaScript example that triggers the bug (adapted from bug reports, for educational purposes only):
function corrupt() {
let arr = [1337];
function loader() {
// force GC in the middle of compilation
for (let i = ; i < 100000; ++i) {}
arr[] = 1338;
}
loader();
}
for (let i = ; i < 100; ++i) {
corrupt();
}
This code tries to stress IonMonkey’s compiler and garbage collector at the same time, creating the weird conditions where a use-after-free might occur. In real-world attacks, there would be a lot more setup and effort to control what memory gets reused.
The Exploit: Writing 2 NUL Bytes
Unlike many use-after-free bugs that allow arbitrary code execution, CVE-2023-5171 lets attackers reliably overwrite the freed memory with two zero bytes (\x00\x00). While this may seem minor, it’s often enough to corrupt data structures, wipe out function pointers (set them to zero), or even “short-circuit” attributes on objects. Attackers can use this to crash the browser—sometimes leading to more serious hijacking.
Why Two NUL Bytes?
- The specifics are buried deep in how IonMonkey handles memory during compilation; at the moment of re-use, a short write is triggered.
- In practice, attackers chain multiple vulnerabilities, using this bug to first destabilize memory and then follow up with something more dangerous.
Crash: Easy to achieve with enough attempts; this is a classic denial-of-service.
- Potential Exploit: With enough skill and luck, one might build an exploit chain—especially on systems where security mitigations are weaker.
Patching the Bug
Mozilla fixed this in Firefox 118 (and ESR 115.3). The patch ensures that any pointers kept by IonMonkey coordinators are “nulled out” if garbage collection occurs, so they never touch memory that’s been freed. View the commit in Mozilla's code.
What Should I Do?
Update your browser.
This cannot be stressed enough—just closing suspicious tabs isn't good enough if you’re still running an old version.
- For Firefox: Download Latest
- For Thunderbird: Download Latest
References & More Reading
- NVD entry for CVE-2023-5171
- Mozilla Security Advisory 2023-40
- Original Bugzilla report
- Mozilla Patch Commit
Conclusion
CVE-2023-5171 is a great example of how complex browser internals sometimes interact in ways no one expected, opening doors for attackers. Even a “simple” two-byte overwrite can lead to major trouble: memory safety is everything.
Timeline
Published on: 09/27/2023 15:19:00 UTC
Last modified on: 10/12/2023 02:52:00 UTC