CVE-2016-9079

HIGH KEV

SVG Animation - Use After Free

Exploitation Summary

CVE-2016-9079 is actively exploited and listed in the CISA Known Exploited Vulnerabilities (KEV) catalog, added June 22, 2023. EIP tracks 6 public exploits from researchers including Metasploit, Rh0 and dangokyo; one is the Metasploit module exploits/windows/browser/firefox_smil_uaf.

AI-analyzed exploit summary: This Metasploit module exploits CVE-2016-9079, a use-after-free vulnerability in Firefox's nsSMILTimeContainer::NotifyTimeChange() function. It achieves remote code execution on Windows by manipulating SVG elements and heap spraying.

Description

A use-after-free vulnerability in SVG Animation has been discovered. An exploit built on this vulnerability has been discovered in the wild targeting Firefox and Tor Browser users on Windows. This vulnerability affects Firefox < 50.0.2, Firefox ESR < 45.5.1, and Thunderbird < 45.5.1.

Exploits (6)

exploitdb WORKING POC VERIFIED
by Metasploit · ruby · remote · windows
https://www.exploit-db.com/exploits/41151

This Metasploit module exploits CVE-2016-9079, a use-after-free vulnerability in Firefox's nsSMILTimeContainer::NotifyTimeChange() function. It achieves remote code execution on Windows by manipulating SVG elements and heap spraying.

Classification: Working PoC 95%
Attack Type: RCE
Complexity: Complex
Reliability: Reliable
Target: Mozilla Firefox (multiple versions)
No auth needed
Prerequisites: Target must be using a vulnerable version of Firefox on Windows · Target must visit a malicious webpage or be redirected to one
devstral-2 · analyzed Feb 16, 2026

exploitdb WORKING POC
by Rh0 · html · remote · windows
https://www.exploit-db.com/exploits/42327

This exploit leverages CVE-2017-5375 to bypass ASLR and DEP in Firefox 50.0.1 using an asm.js JIT spray technique, ultimately executing a shellcode payload that spawns cmd.exe.

Classification: Working PoC 95%
Attack Type: RCE
Complexity: Complex
Reliability: Reliable
Target: Firefox 50.0.1 (32-bit)
No auth needed
Prerequisites: Firefox 50.0.1 (32-bit) on Windows 8.1/10 · Network access to serve the PoC
devstral-2 · analyzed Feb 16, 2026

nomisec WORKING POC 7 stars
by dangokyo · client-side
https://github.com/dangokyo/CVE-2016-9079

This repository contains a functional exploit for CVE-2016-9079, targeting a memory corruption vulnerability in the V8 JavaScript engine. The exploit uses a combination of heap spraying and vtable manipulation to achieve arbitrary code execution, demonstrated by launching 'xcalc'.

Classification: Working PoC 95%
Attack Type: RCE
Complexity: Complex
Reliability: Reliable
Target: Chromium/Chrome V8 JavaScript engine (specific version not specified)
No auth needed
Prerequisites: Target system running a vulnerable version of Chromium/Chrome with V8 engine · Ability to execute arbitrary JavaScript in the target context
devstral-2 · analyzed Feb 18, 2026

nomisec WORKING POC 1 star
by Tau-hub · client-side
https://github.com/Tau-hub/Firefox-CVE-2016-9079

This repository contains a functional exploit for CVE-2016-9079, targeting a remote code execution vulnerability in Firefox via the nsSMILTimeContainer component. The exploit uses memory manipulation and ROP chains to achieve arbitrary code execution on Windows 8.1 x64 with Firefox 38.

Classification: Working PoC 95%
Attack Type: RCE
Complexity: Complex
Reliability: Reliable
Target: Mozilla Firefox 38
No auth needed
Prerequisites: Victim must visit a malicious webpage hosted by the attacker · Firefox 38 on Windows 8.1 x64
devstral-2 · analyzed Feb 18, 2026

nomisec WORKING POC 1 star
by LakshmiDesai · client-side
https://github.com/LakshmiDesai/CVE-2016-9079

This is a functional exploit PoC for CVE-2016-9079, targeting a memory corruption vulnerability in Firefox. The code includes memory manipulation, ROP chain construction, and shellcode execution, indicative of a remote code execution (RCE) exploit.

Classification: Working PoC 95%
Attack Type: RCE
Complexity: Complex
Reliability: Reliable
Target: Mozilla Firefox (versions 41.0-42.0, 43.0 and later)
No auth needed
Prerequisites: Victim must be using a vulnerable version of Firefox · JavaScript execution must be enabled
devstral-2 · analyzed Feb 18, 2026

metasploit WORKING POC NORMAL
by Anonymous Gaijin · ruby · poc · win
https://github.com/rapid7/metasploit-framework/blob/master/modules/exploits/windows/browser/firefox_smil_uaf.rb

This Metasploit module exploits a use-after-free vulnerability in Firefox's nsSMILTimeContainer::NotifyTimeChange() function, targeting versions 38 to 41 on Windows. It leverages heap spraying and SVG animation manipulation to achieve remote code execution.

Classification: Working PoC 100%
Attack Type: RCE
Complexity: Complex
Reliability: Racy
Target: Mozilla Firefox 38-41
No auth needed
Prerequisites: Target must be using a vulnerable version of Firefox (38-41) on Windows · Target must visit a malicious webpage hosting the exploit
devstral-2 · analyzed Feb 19, 2026

References (12)

Core References
Third Party Advisory vendor-advisory x_refsource_debian
https://www.debian.org/security/2016/dsa-3730
Third Party Advisory vendor-advisory x_refsource_redhat
http://rhn.redhat.com/errata/RHSA-2016-2843.html
Third Party Advisory vendor-advisory x_refsource_gentoo
https://security.gentoo.org/glsa/201701-35
Third Party Advisory, VDB Entry vdb-entry x_refsource_sectrack
http://www.securitytracker.com/id/1037370
Exploit, Third Party Advisory, VDB Entry exploit x_refsource_exploit-db
https://www.exploit-db.com/exploits/42327/
Third Party Advisory vendor-advisory x_refsource_redhat
http://rhn.redhat.com/errata/RHSA-2016-2850.html
Vendor Advisory x_refsource_confirm
https://www.mozilla.org/security/advisories/mfsa2016-92/
Broken Link, Third Party Advisory, VDB Entry vdb-entry x_refsource_bid
http://www.securityfocus.com/bid/94591
Third Party Advisory vendor-advisory x_refsource_gentoo
https://security.gentoo.org/glsa/201701-15
Exploit, Third Party Advisory, VDB Entry exploit x_refsource_exploit-db
https://www.exploit-db.com/exploits/41151/
Exploit, Issue Tracking, Vendor Advisory x_refsource_confirm
https://bugzilla.mozilla.org/show_bug.cgi?id=1321066

Scores

CVSS v3 7.5
EPSS 0.8481
EPSS Percentile 99.4%
Attack Vector NETWORK
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N

CISA SSVC

Vulnrichment
Exploitation active
Automatable yes
Technical Impact partial

Details

CISA KEV 2023-06-22
VulnCheck KEV 2016-11-29
InTheWild.io 2016-11-29
ENISA EUVD EUVD-2016-9900
CWE CWE-416
Status published
Products (22)
debian/debian_linux 9.0
mozilla/firefox < 45.5.1
mozilla/firefox < 50.0.2
mozilla/thunderbird < 45.5.1
redhat/enterprise_linux 5.0
redhat/enterprise_linux 6.0
redhat/enterprise_linux 7.0
redhat/enterprise_linux_desktop 5.0
redhat/enterprise_linux_desktop 6.0
redhat/enterprise_linux_desktop 7.0
... and 12 more
Published Jun 11, 2018
KEV Added Jun 22, 2023
Tracked Since Feb 18, 2026