CVE-2016-1960

HIGH

Mozilla Firefox <45.0 - Firefox ESR 38.x <38.7 - RCE

Title source: llm

Exploitation Summary

EIP tracks 2 public exploits for CVE-2016-1960. PoCs published by Rh0, Hans Jerry Illikainen.

AI-analyzed exploit summary This exploit leverages CVE-2017-5375 (and CVE-2016-1960) to bypass ASLR and DEP in Firefox 44.0.2 using an ASM.JS JIT spray technique. It manipulates Node objects and triggers a vulnerability to achieve arbitrary code execution, demonstrated by launching calc.exe.

Description

Integer underflow in the nsHtml5TreeBuilder class in the HTML5 string parser in Mozilla Firefox before 45.0 and Firefox ESR 38.x before 38.7 allows remote attackers to execute arbitrary code or cause a denial of service (use-after-free) by leveraging mishandling of end tags, as demonstrated by incorrect SVG processing, aka ZDI-CAN-3545.

Exploits (2)

exploitdb WORKING POC VERIFIED

by Rh0 · htmlremotewindows

https://www.exploit-db.com/exploits/44294

View Code ZIP pw:eip

This exploit leverages CVE-2017-5375 (and CVE-2016-1960) to bypass ASLR and DEP in Firefox 44.0.2 using an ASM.JS JIT spray technique. It manipulates Node objects and triggers a vulnerability to achieve arbitrary code execution, demonstrated by launching calc.exe.

Classification

Working Poc 95%

Attack Type

Rce

Complexity

Complex

Reliability

Reliable

Target: Firefox 44.0.2 32-bit

No auth needed

Prerequisites: Firefox 44.0.2 32-bit on Windows 10 1709 · Network access to serve the PoC

MITRE ATT&CK

T1059 - Command and Scripting Interpreter T1203 - Exploitation for Client Execution

devstral-2 · analyzed Feb 16, 2026 Full analysis →

exploitdb WORKING POC

by Hans Jerry Illikainen · htmlremotewindows

https://www.exploit-db.com/exploits/42484

View Code ZIP pw:eip

This exploit targets a vulnerability in Mozilla Firefox < 45.0, specifically an nsHtml5TreeBuilder array indexing flaw, to achieve remote code execution (RCE) via a crafted HTML page. It includes a ROP chain and shellcode to bypass EMET 5.52 and execute arbitrary commands (e.g., calc.exe).

Classification

Working Poc 95%

Attack Type

Rce

Complexity

Complex

Reliability

Reliable

Target: Mozilla Firefox < 45.0

No auth needed

Prerequisites: Victim must visit a malicious webpage using Firefox < 45.0 · WoW64 environment (Windows 7/10)

MITRE ATT&CK

T1059 - Command and Scripting Interpreter T1203 - Exploitation for Client Execution T1190 - Exploit Public-Facing Application

devstral-2 · analyzed Feb 16, 2026 Full analysis →

References (25)

Core 25

Core References

Third Party Advisory vendor-advisory x_refsource_suse

http://lists.opensuse.org/opensuse-security-announce/2016-03/msg00091.html

Vendor Advisory x_refsource_confirm

http://www.mozilla.org/security/announce/2016/mfsa2016-23.html

Issue Tracking x_refsource_confirm

https://bugzilla.mozilla.org/show_bug.cgi?id=1246014

Mailing List vendor-advisory x_refsource_suse

http://lists.opensuse.org/opensuse-security-announce/2016-03/msg00068.html

Third Party Advisory vendor-advisory x_refsource_suse

http://lists.opensuse.org/opensuse-security-announce/2016-07/msg00006.html

Third Party Advisory x_refsource_confirm

http://www.oracle.com/technetwork/topics/security/linuxbulletinjan2016-2867209.html

Mailing List vendor-advisory x_refsource_suse

http://lists.opensuse.org/opensuse-security-announce/2016-03/msg00029.html

Mailing List vendor-advisory x_refsource_suse

http://lists.opensuse.org/opensuse-security-announce/2016-03/msg00027.html

Third Party Advisory vendor-advisory x_refsource_suse

http://lists.opensuse.org/opensuse-security-announce/2016-07/msg00008.html

Mailing List vendor-advisory x_refsource_suse

http://lists.opensuse.org/opensuse-security-announce/2016-03/msg00089.html

Vendor Advisory vendor-advisory x_refsource_ubuntu

http://www.ubuntu.com/usn/USN-2917-1

Third Party Advisory vendor-advisory x_refsource_debian

http://www.debian.org/security/2016/dsa-3520

Third Party Advisory vendor-advisory x_refsource_suse

http://lists.opensuse.org/opensuse-security-announce/2016-07/msg00007.html

Exploit, Third Party Advisory exploit x_refsource_exploit-db

https://www.exploit-db.com/exploits/44294/

Third Party Advisory x_refsource_misc

http://zerodayinitiative.com/advisories/ZDI-16-198/

Mailing List vendor-advisory x_refsource_suse

http://lists.opensuse.org/opensuse-security-announce/2016-03/msg00093.html

Third Party Advisory vendor-advisory x_refsource_debian

http://www.debian.org/security/2016/dsa-3510

Mailing List vendor-advisory x_refsource_suse

http://lists.opensuse.org/opensuse-security-announce/2016-03/msg00031.html

Third Party Advisory, VDB Entry vdb-entry x_refsource_sectrack

http://www.securitytracker.com/id/1035215

Mailing List vendor-advisory x_refsource_suse

http://lists.opensuse.org/opensuse-security-announce/2016-03/msg00050.html

Third Party Advisory vendor-advisory x_refsource_gentoo

https://security.gentoo.org/glsa/201605-06

Vendor Advisory vendor-advisory x_refsource_ubuntu

http://www.ubuntu.com/usn/USN-2934-1

Exploit, Third Party Advisory exploit x_refsource_exploit-db

https://www.exploit-db.com/exploits/42484/

Vendor Advisory vendor-advisory x_refsource_ubuntu

http://www.ubuntu.com/usn/USN-2917-2

Vendor Advisory vendor-advisory x_refsource_ubuntu

http://www.ubuntu.com/usn/USN-2917-3

Scores

CVSS v3 8.8

EPSS 0.8646

EPSS Percentile 99.4%

Attack Vector NETWORK

CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H

Details

Status published

Products (22)

mozilla/firefox 38.0

mozilla/firefox 38.0.1

mozilla/firefox 38.0.5

mozilla/firefox 38.1.0

mozilla/firefox 38.1.1

mozilla/firefox 38.2.0

mozilla/firefox 38.2.1

mozilla/firefox 38.3.0

mozilla/firefox 38.4.0

mozilla/firefox 38.5.0

... and 12 more

Published Mar 13, 2016

Tracked Since Feb 18, 2026