CVE-2010-3765

CRITICAL KEV

Mozilla Firefox 3.5.x-3.5.14 and 3.6.x-3.6.11 - Remote Code Execution via nsCSSFrameConstructor

Title source: llm
STIX 2.1

Exploitation Summary

CVE-2010-3765 is actively exploited and listed in the CISA Known Exploited Vulnerabilities (KEV) catalog, added October 6, 2025. EIP tracks 5 public exploits from researchers including Metasploit, anonymous, extraexploit, including a Metasploit module exploits/windows/browser/mozilla_interleaved_write.

AI-analyzed exploit summary This Metasploit module exploits CVE-2010-3765, a vulnerability in Mozilla Firefox 3.6.8-3.6.11 caused by interleaved calls to document.write and appendChild, leading to remote code execution.

Description

Mozilla Firefox 3.5.x through 3.5.14 and 3.6.x through 3.6.11, Thunderbird 3.1.6 before 3.1.6 and 3.0.x before 3.0.10, and SeaMonkey 2.x before 2.0.10, when JavaScript is enabled, allows remote attackers to execute arbitrary code via vectors related to nsCSSFrameConstructor::ContentAppended, the appendChild method, incorrect index tracking, and the creation of multiple frames, which triggers memory corruption, as exploited in the wild in October 2010 by the Belmoo malware.

Exploits (5)

exploitdb WORKING POC VERIFIED
by Metasploit · rubyremotewindows
https://www.exploit-db.com/exploits/16509

This Metasploit module exploits CVE-2010-3765, a vulnerability in Mozilla Firefox 3.6.8-3.6.11 caused by interleaved calls to document.write and appendChild, leading to remote code execution.

Classification
Working Poc 95%
Attack Type
Rce
Complexity
Moderate
Reliability
Reliable
Target: Mozilla Firefox 3.6.8 - 3.6.11
No auth needed
Prerequisites: Victim must visit a malicious webpage using a vulnerable Firefox version
devstral-2 · analyzed Feb 16, 2026 Full analysis →
exploitdb WORKING POC VERIFIED
by anonymous · htmlremotewindows
https://www.exploit-db.com/exploits/15352

This exploit targets a memory corruption vulnerability in Firefox 3.6.x (CVE-2010-3765) via a heap spray technique. It uses JavaScript to trigger the vulnerability and execute shellcode, achieving remote code execution.

Classification
Working Poc 95%
Attack Type
Rce
Complexity
Complex
Reliability
Reliable
Target: Mozilla Firefox 3.6.8-3.6.11
No auth needed
Prerequisites: Victim must be using a vulnerable version of Firefox (3.6.8-3.6.11) on Windows 7 or earlier
devstral-2 · analyzed Feb 16, 2026 Full analysis →
exploitdb WORKING POC VERIFIED
by extraexploit · htmldosmultiple
https://www.exploit-db.com/exploits/15342

This is a proof-of-concept exploit for CVE-2010-3765, which targets a use-after-free vulnerability in Microsoft Internet Explorer. The exploit manipulates DOM elements to trigger a crash, demonstrating the vulnerability.

Classification
Working Poc 90%
Attack Type
Dos
Complexity
Trivial
Reliability
Reliable
Target: Microsoft Internet Explorer (versions 6, 7, and 8)
No auth needed
Prerequisites: Victim must visit a malicious webpage using a vulnerable version of Internet Explorer
devstral-2 · analyzed Feb 16, 2026 Full analysis →
exploitdb WORKING POC VERIFIED
by Daniel Veditz · htmldosmultiple
https://www.exploit-db.com/exploits/15341

This exploit triggers a denial-of-service (DoS) condition in Mozilla Firefox by exhausting memory through rapid DOM element creation and attribute enumeration. The crashme() function iteratively generates HTML elements with attributes, leading to a browser crash.

Classification
Working Poc 90%
Attack Type
Dos
Complexity
Trivial
Reliability
Reliable
Target: Mozilla Firefox (versions affected by CVE-2010-3765)
No auth needed
Prerequisites: Victim must visit a malicious webpage or click the 'Crash Me!' button
devstral-2 · analyzed Feb 16, 2026 Full analysis →
metasploit WORKING POC NORMAL
by unknown, scriptjunkie · rubypocwin
https://github.com/rapid7/metasploit-framework/blob/master/modules/exploits/windows/browser/mozilla_interleaved_write.rb

This Metasploit module exploits a memory corruption vulnerability in Mozilla Firefox (CVE-2010-3765) by interleaving calls to document.write and appendChild, leading to arbitrary code execution. It includes version-specific ROP chains and shellcode for Firefox 3.6.8-3.6.11 on Windows XP/Server 2003.

Classification
Working Poc 100%
Attack Type
Rce
Complexity
Complex
Reliability
Reliable
Target: Mozilla Firefox 3.6.8-3.6.11
No auth needed
Prerequisites: Victim must visit a malicious webpage hosting the exploit
devstral-2 · analyzed Feb 19, 2026 Full analysis →

References (52)

Core 52
Core References
Vendor Advisory x_refsource_confirm
http://support.avaya.com/css/P8/documents/100114335
Vendor Advisory x_refsource_confirm
http://support.avaya.com/css/P8/documents/100114329
Third Party Advisory, VDB Entry vdb-entry x_refsource_bid
http://www.securityfocus.com/bid/44425
Vendor Advisory vendor-advisory x_refsource_redhat
https://rhn.redhat.com/errata/RHSA-2010-0812.html
Vendor Advisory vdb-entry x_refsource_vupen
http://www.vupen.com/english/advisories/2010/2837
Issue Tracking x_refsource_confirm
https://bugzilla.redhat.com/show_bug.cgi?id=646997
Vendor Advisory third-party-advisory x_refsource_secunia
http://secunia.com/advisories/41965
Vendor Advisory third-party-advisory x_refsource_secunia
http://secunia.com/advisories/41975
Vendor Advisory vendor-advisory x_refsource_redhat
http://www.redhat.com/support/errata/RHSA-2010-0896.html
Vendor Advisory vendor-advisory x_refsource_redhat
http://www.redhat.com/support/errata/RHSA-2010-0808.html
Exploit exploit x_refsource_exploit-db
http://www.exploit-db.com/exploits/15341
Third Party Advisory, VDB Entry vdb-entry x_refsource_sectrack
http://www.securitytracker.com/id?1024651
Vendor Advisory third-party-advisory x_refsource_secunia
http://secunia.com/advisories/41761
Issue Tracking x_refsource_confirm
https://bugzilla.mozilla.org/show_bug.cgi?id=607222
Mailing List, Third Party Advisory vendor-advisory x_refsource_fedora
http://lists.fedoraproject.org/pipermail/package-announce/2010-November/050233.html
Vendor Advisory third-party-advisory x_refsource_secunia
http://secunia.com/advisories/41969
Vendor Advisory vendor-advisory x_refsource_ubuntu
http://www.ubuntu.com/usn/USN-1011-3
Vendor Advisory vendor-advisory x_refsource_ubuntu
http://www.ubuntu.com/usn/usn-1011-1
Third Party Advisory, VDB Entry vdb-entry x_refsource_sectrack
http://www.securitytracker.com/id?1024650
Vendor Advisory vendor-advisory x_refsource_ubuntu
http://www.ubuntu.com/usn/USN-1011-2
Vendor Advisory vendor-advisory x_refsource_redhat
http://www.redhat.com/support/errata/RHSA-2010-0809.html
Vendor Advisory vendor-advisory x_refsource_mandriva
http://www.mandriva.com/security/advisories?name=MDVSA-2010:219
Vendor Advisory third-party-advisory x_refsource_secunia
http://secunia.com/advisories/42867
Vendor Advisory vdb-entry x_refsource_vupen
http://www.vupen.com/english/advisories/2010/2857
Vendor Advisory vdb-entry x_refsource_vupen
http://www.vupen.com/english/advisories/2011/0061
Third Party Advisory vendor-advisory x_refsource_debian
http://www.debian.org/security/2010/dsa-2124
Third Party Advisory, VDB Entry vdb-entry x_refsource_sectrack
http://www.securitytracker.com/id?1024645
Vendor Advisory third-party-advisory x_refsource_secunia
http://secunia.com/advisories/42043
Vendor Advisory third-party-advisory x_refsource_secunia
http://secunia.com/advisories/41966
Vendor Advisory vendor-advisory x_refsource_mandriva
http://www.mandriva.com/security/advisories?name=MDVSA-2010:213
Vendor Advisory third-party-advisory x_refsource_secunia
http://secunia.com/advisories/42008
Mailing List, Third Party Advisory vendor-advisory x_refsource_fedora
http://lists.fedoraproject.org/pipermail/package-announce/2010-October/050061.html
Vendor Advisory vdb-entry x_refsource_vupen
http://www.vupen.com/english/advisories/2010/2871
Various Sources x_refsource_misc
http://isc.sans.edu/diary.html?storyid=9817
Vendor Advisory vendor-advisory x_refsource_redhat
http://www.redhat.com/support/errata/RHSA-2010-0810.html
Exploit exploit x_refsource_exploit-db
http://www.exploit-db.com/exploits/15352
Third Party Advisory, VDB Entry vdb-entry signature x_refsource_oval
https://oval.cisecurity.org/repository/search/definition/oval%3Aorg.mitre.oval%3Adef%3A12108
Vendor Advisory third-party-advisory x_refsource_secunia
http://secunia.com/advisories/42003
Mailing List, Third Party Advisory vendor-advisory x_refsource_fedora
http://lists.fedoraproject.org/pipermail/package-announce/2010-October/050077.html
Vendor Advisory vendor-advisory x_refsource_redhat
http://www.redhat.com/support/errata/RHSA-2010-0861.html
Mailing List, Third Party Advisory vendor-advisory x_refsource_fedora
http://lists.fedoraproject.org/pipermail/package-announce/2010-October/050154.html
Exploit exploit x_refsource_exploit-db
http://www.exploit-db.com/exploits/15342
Vendor Advisory vdb-entry x_refsource_vupen
http://www.vupen.com/english/advisories/2010/2864

Scores

CVSS v3 9.8
EPSS 0.8677
EPSS Percentile 99.4%
Attack Vector NETWORK
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

CISA SSVC

Vulnrichment
Exploitation active
Automatable yes
Technical Impact total

Details

CISA KEV 2025-10-06
VulnCheck KEV 2010-10-27
InTheWild.io 2017-09-19
ENISA EUVD EUVD-2010-3744
CWE
CWE-119
Status published
Products (43)
mozilla/firefox 3.5
mozilla/firefox 3.5.1
mozilla/firefox 3.5.2
mozilla/firefox 3.5.3
mozilla/firefox 3.5.4
mozilla/firefox 3.5.5
mozilla/firefox 3.5.6
mozilla/firefox 3.5.7
mozilla/firefox 3.5.8
mozilla/firefox 3.5.9
... and 33 more
Published Oct 28, 2010
KEV Added Oct 06, 2025
Tracked Since Feb 18, 2026