Cyber Resilience

CVE-2019-17026

HighCISA KEVActive ExploitationEUVD ExploitedPublic PoC

Published: 02 March 2020

Published
02 March 2020
Modified
04 November 2025
KEV Added
03 November 2021
Patch
CVSS Score v3.1 8.8 CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H
EPSS Score 0.5619 98.1th percentile
Risk Priority 71 60% EPSS · 20% KEV · 20% CVSS

Summary

CVE-2019-17026 is a high-severity Type Confusion (CWE-843) vulnerability in Mozilla Firefox. Its CVSS base score is 8.8 (High).

Operationally, ranked in the top 1.9% of CVEs by exploit likelihood; CISA has added it to the Known Exploited Vulnerabilities catalog; a public proof-of-concept is referenced.

The strongest mitigations our analysis identified are NIST 800-53 SI-2 (Flaw Remediation) and SI-16 (Memory Protection).

Deeper analysis

The vulnerability CVE-2019-17026 is a type confusion flaw (CWE-843) caused by incorrect alias information in Mozilla's IonMonkey JIT compiler when setting array elements. It affects Firefox versions prior to 72.0.1, Firefox ESR versions prior to 68.4.1, and Thunderbird versions prior to 68.4.1, and carries a CVSS 3.1 score of 8.8.

An attacker can trigger the flaw by serving a malicious web page that causes the JIT compiler to mis-track object types, enabling subsequent memory corruption. Successful exploitation grants arbitrary code execution in the context of the browser process; the issue has already been used in targeted attacks observed in the wild.

Mozilla's security advisory MFSA2020-03 and downstream notices from Ubuntu (USN-4335-1) and Gentoo (GLSA-202003-02) state that the only mitigation is to upgrade to the patched releases (Firefox 72.0.1 / ESR 68.4.1 and Thunderbird 68.4.1). No configuration workarounds are provided.

Packet Storm has published a public proof-of-concept that reproduces the type confusion in IonMonkey.

EU & UK References

Vulnerability details

Incorrect alias information in IonMonkey JIT compiler for setting array elements could lead to a type confusion. We are aware of targeted attacks in the wild abusing this flaw. This vulnerability affects Firefox ESR < 68.4.1, Thunderbird < 68.4.1, and…

more

Firefox < 72.0.1.

CWE(s)
KEV Date Added
03 November 2021

Related Threats

No named actor attribution yet. ATT&CK technique mapping in progress for this CVE.

Affected Assets

mozilla
firefox
≤ 68.4.1 · ≤ 72.0.1
mozilla
thunderbird
≤ 68.4.1
canonical
ubuntu linux
16.04

Mitigating Controls

Mitigating Controls (NIST 800-53 r5) AI

prevent

Directly requires timely installation of security-relevant patches, which is the only remediation stated for CVE-2019-17026.

preventdetect

Requires mechanisms to detect and block malicious code delivered via web content that triggers the IonMonkey type-confusion flaw.

prevent

Mandates memory-protection safeguards that can block the unauthorized code execution resulting from the type-confusion memory corruption.

References