Firefox AttributeChildRemoved Use After Free

Added: 05/21/2012
CVE: CVE-2011-3659
BID: 51755
OSVDB: 78736


Firefox is a freely available web browser for multiple platforms including Windows, Linux, and Mac OS.


In Firefox version prior to 3.6.26, and 4.0 through 9.0, when removing child objects from the DOM tree, the removed child may still be accessible. A call to the AttributeChildRemoved method takes place before actually removing the child. This may cause certain mutation observers to maintain a reference to the object after it has been freed, which could result in a heap overflow condition if the object is accessed again. An attacker could leverage this vulnerability to control execution on the target system.


For Firefox 3.x, upgrade to Firefox 3.6.26 or later. For Firefox 4.x or above, upgrade to Firefox 10.0 or later.



This exploit has been tested against Mozilla Foundation Firefox 8.x and 9.x on Windows XP SP3 English (DEP OptIn). Due to the nature of this vulnerability, the exploit may not be completely reliable against all vulnerable targets.



Back to exploit index