CVE-2024-29943 - How Firefox’s Range Check Elimination Bug Led to a Critical Out-of-Bounds Exploit
Mozilla Firefox is known for its frequent security updates, but even the best teams can miss a critical bug. In March 2024, a dangerous vulnerability—CVE-2024-29943—was discovered and patched. This bug allowed attackers to bypass JavaScript’s internal safety checks, leading to out-of-bounds memory access. If you use Firefox versions earlier than 124..1, you need to know about this.
In this article, I’ll break down what happened, show some simple code examples, link to official sources, and walk you through how an attacker could have exploited this bug, all in easy language.
What is CVE-2024-29943?
CVE-2024-29943 is a security flaw affecting Firefox versions before 124..1. The heart of this bug is how JavaScript code is optimized by Firefox’s Just-In-Time (JIT) compiler.
In the right situation, Firefox can “skip” some of its usual checks on array bounds if it thinks code can never exceed the array’s size. An attacker figured out how to fool this optimization and gain access to memory they shouldn’t have, or even overwrite data. This is called an out-of-bounds read/write.
How Does the Exploit Work?
To understand the bug, let’s look at a simplified version.
Suppose you have this JavaScript
function sum(arr) {
let total = ;
for (let i=; i<arr.length; i++) {
total += arr[i];
}
return total;
}
Normally, Firefox checks that i never goes past arr.length, so accessing arr[i] is safe.
But Firefox’s JIT wants code to run even faster. If it thinks i will always stay within the correct range, it might remove the check. The bug is that an attacker can trick the JIT into making a false assumption, then slip in a value of i that is out of range.
Here’s how a hacker might do this
let arr = [1, 2, 3, 4, 5];
// This function is repeatedly called so Firefox's JIT will optimize it
function trigger(idx) {
if (idx < arr.length) {
arr[idx] = 1337;
}
}
for (let i=; i<10000; i++) trigger(2); // Trains the JIT
// Now call with a huge index
trigger(100); // Out-of-bounds!
After training the JIT by calling trigger() harmlessly many times, the attacker passes in a bad index. If the JIT skipped the bounds check, this line would write to memory outside arr—letting the attacker change or read data elsewhere in Firefox.
Simple example, real-world exploits are more complex, often using various tricks to control what memory gets read or written. But the idea is the same.
Proof-of-Concept (PoC)
The Project Zero security team is famous for reporting these types of bugs. Here’s a reference to their analysis and exploit details for similar JIT vulnerabilities:
- Project Zero blog on JIT bugs (for background)
Mozilla’s bug report and PoC code (if shared) can be found at
- Mozilla Bugzilla: CVE-2024-29943
Real-World Impact
If you visited a malicious website before Firefox 124..1, this bug could have been exploited silently:
Crash your browser, causing loss of work or more serious attacks.
This bug was rated critical because it breaks Firefox’s security promises and could have allowed *remote code execution*.
How Did Mozilla Fix It?
As soon as the bug was found, Mozilla’s developers updated the JIT compiler to add *extra* checks. Now, Firefox is more careful about when it skips safety tests and verifies array accesses every time, even after optimization.
What Should You Do?
Update Firefox immediately. If you’re not running version 124..1 or later, you’re putting your data and computer at risk. Get the latest here:
- Download Firefox
If you run a desktop fleet or manage others’ computers, check your clients’ versions and automate updates where possible.
References
- Mozilla Security Advisory for CVE-2024-29943
- CVE-2024-29943 Entry at NVD
- Bugzilla entry for 1871049
- Background on JIT exploits – Project Zero
Keep learning, and always be skeptical of security that relies on “smart optimizations.” Bugs like CVE-2024-29943 show that the devil is in the details—even in modern browsers.
Timeline
Published on: 03/22/2024 13:15:07 UTC
Last modified on: 08/12/2024 17:35:03 UTC