CVE-2019-9810

HIGH EXPLOITED IN THE WILD

Firefox < 66.0.1 and ESR < 60.6.1 - Memory Corruption via IonMonkey JIT Compiler

Title source: llm
STIX 2.1

Exploitation Summary

CVE-2019-9810 has been observed exploited in the wild (reported by VulnCheck KEV, InTheWild.io). EIP tracks 5 public exploits from researchers including Axel Souchet, xuechiyaobai, 0vercl0k.

AI-analyzed exploit summary This exploit leverages a type confusion vulnerability in SpiderMonkey (Firefox's JavaScript engine) to achieve arbitrary read/write primitives, leading to potential remote code execution. It manipulates array lengths and corrupts memory to bypass security checks.

Description

Incorrect alias information in IonMonkey JIT compiler for Array.prototype.slice method may lead to missing bounds check and a buffer overflow. This vulnerability affects Firefox < 66.0.1, Firefox ESR < 60.6.1, and Thunderbird < 60.6.1.

Exploits (5)

exploitdb WORKING POC
by Axel Souchet · javascriptlocalwindows_x86-64
https://www.exploit-db.com/exploits/47752

This exploit leverages a type confusion vulnerability in SpiderMonkey (Firefox's JavaScript engine) to achieve arbitrary read/write primitives, leading to potential remote code execution. It manipulates array lengths and corrupts memory to bypass security checks.

Classification
Working Poc 95%
Attack Type
Rce
Complexity
Complex
Reliability
Reliable
Target: Mozilla Firefox (SpiderMonkey JavaScript engine)
No auth needed
Prerequisites: Victim must visit a malicious webpage or execute the JavaScript in a vulnerable Firefox version
devstral-2 · analyzed Feb 16, 2026 Full analysis →
exploitdb WORKING POC
by xuechiyaobai · htmldosmultiple
https://www.exploit-db.com/exploits/46605

This exploit leverages a type confusion vulnerability in JavaScript engines (CVE-2019-9810) by manipulating array lengths and species properties to achieve arbitrary memory read/write. It uses JIT compilation and garbage collection to trigger the vulnerability.

Classification
Working Poc 90%
Attack Type
Rce
Complexity
Complex
Reliability
Racy
Target: Mozilla Firefox < 67.0, Firefox ESR < 60.7
No auth needed
Prerequisites: Victim must visit a malicious webpage or execute the script in a vulnerable browser
devstral-2 · analyzed Feb 16, 2026 Full analysis →
nomisec WORKING POC 229 stars
by 0vercl0k · client-side
https://github.com/0vercl0k/CVE-2019-9810

This repository contains a functional exploit for CVE-2019-9810, a bounds-check bypass vulnerability in Firefox's IonMonkey JIT compiler. The exploit achieves remote code execution by leveraging memory corruption to inject and execute a reflective DLL payload.

Classification
Working Poc 100%
Attack Type
Rce
Complexity
Complex
Reliability
Reliable
Target: Mozilla Firefox (tested on Windows RS5 64-bit, custom build 68.0a1)
No auth needed
Prerequisites: BigInt support enabled in Firefox · Custom build of Firefox (provided in release)
devstral-2 · analyzed Feb 16, 2026 Full analysis →
nomisec WRITEUP 68 stars
by xuechiyaobai · poc
https://github.com/xuechiyaobai/CVE-2019-9810-PoC

This repository contains a README describing CVE-2019-9810, a vulnerability in Firefox related to incorrect alias information in Array.prototype.slice. The issue was fixed in Firefox 66.0.1.

Classification
Writeup 90%
Attack Type
Other
Complexity
Trivial
Reliability
Theoretical
Target: Firefox < 66.0.1
No auth needed
Prerequisites: Firefox version < 66.0.1
devstral-2 · analyzed Feb 16, 2026 Full analysis →
vulncheck_xdb WORKING POC
client-side
https://github.com/0vercl0k/CVE-2019-11708

This repository contains a full exploit chain for CVE-2019-11708 and CVE-2019-9810, targeting Firefox on Windows 64-bit. It leverages a data corruption vulnerability (CVE-2019-9810) to achieve privileged JavaScript execution and then exploits CVE-2019-11708 to compromise the parent process.

Classification
Working Poc 100%
Attack Type
Rce
Complexity
Complex
Reliability
Reliable
Target: Firefox 68.0a1 (custom build)
No auth needed
Prerequisites: BigInt support enabled in Firefox · Windows 19H2 64-bit · Custom Firefox build or provided pre-built binary
devstral-2 · analyzed Feb 25, 2026 Full analysis →

References (7)

Core 7
Core References
Exploit, Issue Tracking, Vendor Advisory x_refsource_misc
https://bugzilla.mozilla.org/show_bug.cgi?id=1537924
Third Party Advisory vendor-advisory x_refsource_redhat
https://access.redhat.com/errata/RHSA-2019:0966
Third Party Advisory vendor-advisory x_refsource_redhat
https://access.redhat.com/errata/RHSA-2019:1144

Scores

CVSS v3 8.8
EPSS 0.2951
EPSS Percentile 97.9%
Attack Vector NETWORK
CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H

Details

VulnCheck KEV 2022-11-08
InTheWild.io 2022-11-09
CWE
CWE-119
Status published
Products (10)
mozilla/firefox < 60.6.1
mozilla/thunderbird < 60.6.1
redhat/enterprise_linux 8.0
redhat/enterprise_linux_eus 8.1
redhat/enterprise_linux_eus 8.2
redhat/enterprise_linux_eus 8.4
redhat/enterprise_linux_server_aus 8.2
redhat/enterprise_linux_server_aus 8.4
redhat/enterprise_linux_server_tus 8.2
redhat/enterprise_linux_server_tus 8.4
Published Apr 26, 2019
Tracked Since Feb 18, 2026