CVE-2019-9791

CRITICAL

Thunderbird < 60.6 / Firefox < 66 - Memory Corruption

Title source: llm

Exploitation Summary

EIP tracks 2 public exploits for CVE-2019-9791. PoCs published by Google Security Research, Sp0pielar.

AI-analyzed exploit summary: This exploit leverages a type confusion vulnerability in SpiderMonkey's IonMonkey JIT compiler, specifically during on-stack replacement (OSR) in constructor functions. The bug allows arbitrary property manipulation and type inference bypass, leading to potential RCE.

Description

The type inference system allows the compilation of functions that can cause type confusions between arbitrary objects when compiled through the IonMonkey just-in-time (JIT) compiler and when the constructor function is entered through on-stack replacement (OSR). This allows for possible arbitrary reading and writing of objects during an exploitable crash. This vulnerability affects Thunderbird < 60.6, Firefox ESR < 60.6, and Firefox < 66.

Exploits (2)

exploitdb WORKING POC VERIFIED
by Google Security Research · javascript · dos · multiple
https://www.exploit-db.com/exploits/46613

This exploit leverages a type confusion vulnerability in SpiderMonkey's IonMonkey JIT compiler, specifically during on-stack replacement (OSR) in constructor functions. The bug allows arbitrary property manipulation and type inference bypass, leading to potential RCE.

Classification: Working PoC 95%
Attack Type: RCE
Complexity: Complex
Reliability: Reliable
Target: Mozilla SpiderMonkey (Firefox JavaScript engine)
No auth needed
Prerequisites: Target must be running a vulnerable version of SpiderMonkey (pre-fix for CVE-2019-9791)
devstral-2 · analyzed Feb 16, 2026
nomisec WORKING POC 2 stars
by Sp0pielar · poc
https://github.com/Sp0pielar/CVE-2019-9791

This exploit chain combines CVE-2019-9791 and CVE-2019-11708 to achieve arbitrary code execution in Firefox 65.0 on Windows 64-bit. It leverages type confusion to obtain read/write primitives in the content process and escalates to the main process.

Classification: Working PoC 95%
Attack Type: RCE
Complexity: Complex
Reliability: Reliable
Target: Firefox 65.0
No auth needed
Prerequisites: Firefox 65.0 on Windows 64-bit · User interaction to trigger the exploit
devstral-2 · analyzed Feb 16, 2026

References (6)

Core References
Exploit, Issue Tracking, Vendor Advisory x_refsource_misc
https://bugzilla.mozilla.org/show_bug.cgi?id=1530958
Third Party Advisory vendor-advisory x_refsource_redhat
https://access.redhat.com/errata/RHSA-2019:0966
Third Party Advisory vendor-advisory x_refsource_redhat
https://access.redhat.com/errata/RHSA-2019:1144

Scores

CVSS v3 9.8
EPSS 0.1976
EPSS Percentile 97.1%
Attack Vector NETWORK
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

Details

CWE: CWE-843
Status: published
Products (10)
mozilla/firefox < 60.6.0
mozilla/thunderbird < 60.6.0
redhat/enterprise_linux 8.0
redhat/enterprise_linux_eus 8.1
redhat/enterprise_linux_eus 8.2
redhat/enterprise_linux_eus 8.4
redhat/enterprise_linux_server_aus 8.2
redhat/enterprise_linux_server_aus 8.4
redhat/enterprise_linux_server_tus 8.2
redhat/enterprise_linux_server_tus 8.4
Published Apr 26, 2019
Tracked Since Feb 18, 2026