Critical Firefox Bug Leaves 180M Users Exposed

Critical Firefox Bug Leaves 180M Users Exposed

Critical Firefox Bug Leaves 180M Users Exposed

Image generated by Google’s Nano Banana

A hidden WebAssembly bug in Firefox exposed 180 million users to potential code execution.

Written By
Ken Underhill
Ken Underhill
Nov 25, 2025

A subtle but dangerous memory flaw quietly shipped in Firefox for six months — affecting more than 180 million users — before security researchers uncovered it.

The vulnerability allowed attackers to corrupt memory and potentially execute arbitrary code through malformed WebAssembly payloads.

“Aisle’s autonomous AI system uncovered this subtle boundary-condition vulnerability during our WebAssembly security deep dive, revealing meaningful memory-safety risks for roughly 180 million Firefox users,” Stanislav Fort, founder and chief scientist at AISLE, said in a blog post.

He added, “Mozilla moved quickly to deploy a fix. Modern browsers are some of the most secure and rigorously engineered platforms in existence, and this finding highlights the importance of continuous, AI-driven security research to keep them safe for users worldwide.”

The hidden code error that exposed Firefox users

At the core of the vulnerability (CVE-2025-13016) is a subtle pointer arithmetic mistake in Firefox’s WebAssembly garbage-collection (GC) implementation, specifically within the StableWasmArrayObjectElements class, where mismatched pointer types caused incorrect copying of inline array data.

The vulnerable code used byte-addressed pointers (uint8_t*) to determine how much data to copy, but copied the data into a buffer typed as uint16_t. When the template was instantiated for 16-bit values, std::copy() interpreted the byte-based range as a count of typed elements rather than bytes.

As a result, a buffer intended to hold N 16-bit elements received 2N elements instead, overrunning stack memory and corrupting adjacent data structures. The issue was made worse by a second flaw: the copy operation didn’t read from the correct memory location.

Instead of using the dedicated pointer for the array’s data region, the code pulled from inlineStorage(), a location that begins with internal object metadata.

That means the first bytes copied into the buffer weren’t array contents at all — they were structural information about the WebAssembly object itself. This introduces additional unpredictability and increases the chance that corrupted memory can be weaponized during exploitation.

The conditions attackers need to exploit this Firefox bug

Not every execution path in Firefox touches the flawed routine, which is why the vulnerability remained undetected for so long.

The issue occurs only when Firefox falls back to a slower, GC-enabled path for handling WebAssembly arrays — specifically during the conversion of those arrays into strings.

In a typical sequence, WebAssembly code first manipulates an array, such as a char16_t array. Firefox then attempts to convert that array into a string using a fast-path operation designed to avoid garbage collection. However, when certain conditions — most commonly memory pressure — cause that fast path to fail, the browser shifts into a GC-permitted fallback routine.

It is within this fallback that Firefox invokes the vulnerable StableWasmArrayObjectElements constructor, which executes the flawed copy operation and ultimately overflows the stack, corrupting adjacent memory.

In practical attack scenarios, an adversary could deliberately craft a malicious WebAssembly module to manipulate this sequence in their favor.

By creating arrays of specific sizes, intentionally driving the browser into memory pressure to force garbage collection, and repeatedly triggering the array-to-string conversion process, an attacker could reliably push Firefox into the vulnerable fallback path.

This creates a controlled environment in which the resulting memory corruption can be directed toward a chosen target on the stack.

Advertisement

Must-read security coverage

Mitigation strategies for the Firefox vulnerability

Organizations can reduce their exposure to the vulnerability by applying the latest Firefox patches and implementing additional defense-in-depth measures to limit attacker access, contain potential exploitation, and harden browser security.

  • Prioritize deploying Firefox 145 or later (or ESR 140.5+) across all systems and verify version compliance organization-wide.
  • Enforce enterprise browser management policies to limit high-risk features, tighten sandboxing controls, and lock down critical security configurations.
  • Disable WebAssembly temporarily in environments where patching cannot occur immediately, especially on high-exposure endpoints.
  • Monitor browser logs, EDR signals, and crash analytics for WebAssembly-related memory errors or unusual Firefox process behavior.
  • Use network-level defenses — such as DNS filtering, secure web gateways, and domain reputation tools — to block malicious or suspicious web content.
  • Deploy browser isolation or segment high-risk browsing activities to contain threats from users who regularly access untrusted sites.
  • Harden endpoint and operating system defenses by enforcing exploit mitigation settings, application sandboxing, and strict least-privilege access controls.

Together, these measures help strengthen overall cyber resilience.

Editor’s note: This article first appeared on our sister publication, eSecurityPlanet.com.

Ken Underhill

Ken Underhill is an award-winning cybersecurity professional, bestselling author, and technology leader with more than 25 years of experience in IT, cybersecurity, and risk management. His career spans network administration, incident response, penetration testing, and entrepreneurship, giving him firsthand experience helping organizations reduce risk and ensure compliance. Ken is also a former nurse and combat medic and he uses this background to break down complex cybersecurity topics into digestible content for a broad, global audience. A multi-exit cybersecurity founder, Ken has spent decades helping organizations strengthen their security posture, manage risk, and navigate complex technology challenges. His expertise includes overall cybersecurity strategy, cloud security, incident response, risk management, security awareness, and emerging threats affecting businesses. Ken is also an advisor to multiple startups on AI security and risk. In addition to his hands-on industry experience, Ken is a cybersecurity newsletter writer for TechnologyAdvice, where he covers cybersecurity news/trends and actionable best practices for business and IT professionals. Ken is also an educator with over 2 million people going through his courses over the years. He has won the Global Cybersecurity 40 under 40 (2x winner), the Cyber Champion award from Women's Society of Cyberjutsu, and the 2019 SC Media award for Outstanding Educator. Ken is also a volunteer with organizations like Minorities in Cybersecurity, Black Girls Hack, and the Whole Cyber Human Initiative, which helps veterans transition into security careers. Ken holds a Master of Science in Cybersecurity and Information Assurance from Western Governors University and a Bachelor of Science in Information Systems, with a major in Cybersecurity Management, from Strayer University. His certifications include the Certificate of Cloud Security Knowledge (CCSK), Certified Ethical Hacker (CEH), and Computer Hacking Forensic Investigator (CHFI) and he is a former adjunct professor of Digital Forensics. Ken also had a streaming cybersecurity television show from 2020-2022 that reached over 200K monthly viewers around the world. His work and expertise have been featured in Forbes, Reader's Digest, Medium, TechRepublic, Fox, NBC, CBS, Dark Reading, MSN Money, and other leading publications and media outlets, making him a trusted voice on cybersecurity, election security, and privacy.