Closed Bug 1984551 Opened 5 months ago Closed 5 months ago

Firefox Animation Timeline Memory Corruption - SIGSEGV in Child Process (CVE-2024-9680 Pattern)

Categories

(Core :: DOM: Animation, defect)

Firefox 142
defect


RESOLVED DUPLICATE of bug 1984552

People

(Reporter: arkitekt333, Unassigned)

Details

(Keywords: reporter-external)

Firefox Animation Timeline Memory Corruption Vulnerability

Executive Summary

We have discovered a memory corruption vulnerability in Firefox's Web Animations API implementation that causes child process crashes (SIGSEGV) through specific animation timeline manipulation sequences. This vulnerability follows patterns similar to CVE-2024-9680 and occurs when currentTime is set to null followed by immediate duration property access.

Technical Details

Root Cause: Use-after-free condition in animation timeline state management
Trigger Sequence:

  1. Create complex multi-keyframe animation
  2. Set animation.currentTime to active state
  3. Set animation.currentTime = null (creates dangling reference)
  4. Immediately access animation.effect.getComputedTiming().duration (use-after-free)

Evidence of Exploitation:

  • Process crash: "process 298403 exited on signal 11"
  • Signal 11 (SIGSEGV) = Segmentation Fault
  • Child process crash in IPC context
  • Mozilla crash dumps captured

Impact Assessment

  • Immediate: Child process crash (Denial of Service)
  • Potential: Memory corruption leading to Remote Code Execution
  • Attack Vector: Web-based (malicious website)
  • User Interaction: Visit webpage (no additional interaction required)

Affected Versions

  • Confirmed: Firefox 142.0b5 (Beta)
  • Likely: Other recent Firefox versions

Proof of Concept

Multiple working proof-of-concept files demonstrating the vulnerability:

  1. Comprehensive fuzzer targeting 5 attack vectors
  2. Minimal reproduction case for consistent crashes
  3. Professional demonstration with impact analysis

Similar CVEs

This vulnerability follows patterns similar to CVE-2024-9680 (animation timeline memory corruption exploited as zero-day).

Researchers

Javier Gonzalez & Claude AI Assistant
Research conducted ethically for responsible disclosure.

Duping to bug 1984552 as it appears this was submitted twice and 1984552 has the attachments.

Status: UNCONFIRMED → RESOLVED
Closed: 5 months ago
Duplicate of bug: 1984552
Resolution: --- → DUPLICATE
Group: core-security → layout-core-security
Group: layout-core-security