One Tiny Typo, One Giant Exploit: Firefox’s 0‑Day RCE

In software development, a single character can mean the difference between secure code and catastrophic compromise. Mozilla Firefox recently faced this reality when a critical Remote Code Execution (RCE) vulnerability was discovered in its SpiderMonkey JavaScript engine—all because of a single typo: & instead of |.

How the Bug Happened

  • Commit fcc2f20e35ec (Jan 19, 2026) introduced the flaw during refactoring of WebAssembly GC array metadata.
  • The line mistakenly read:
        oolHeaderOld->word = uintptr_t(oolHeaderNew) & 1;
    instead of:
        oolHeaderOld->word = uintptr_t(oolHeaderNew) | 1;
  • This caused the garbage collector to store 0 instead of a forwarding pointer, misclassifying out‑of‑line arrays as inline.
  • Result: memory corruption and a pathway to exploitation.
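To make the one-operator difference concrete, here is an added C model (not SpiderMonkey code; the header layout, the names and the tag-bit convention are assumptions) showing why `& 1` stores 0 for an aligned pointer, why a tag-bit decoder then reads that 0 as "inline", and a round-trip check that would catch the bad store immediately.

```c
#include <stdint.h>
#include <stdio.h>

/* Assumed convention: bit 0 of the header word is the tag. Set means
   "storage moved out of line, the remaining bits are the forwarding
   pointer"; clear means the array data is inline. */
#define OOL_TAG ((uintptr_t)1)

typedef struct { uintptr_t word; } Header;

/* The store as the typo read it: `& 1` discards every bit of the pointer
   except bit 0, which is always clear for an aligned header, so 0 is stored. */
static void forward_buggy(Header *old, Header *moved) {
    old->word = (uintptr_t)moved & OOL_TAG;
}

/* The intended store: `| 1` keeps the pointer bits and sets the tag bit. */
static void forward_fixed(Header *old, Header *moved) {
    old->word = (uintptr_t)moved | OOL_TAG;
}

static int is_out_of_line(const Header *h) { return (h->word & OOL_TAG) != 0; }
static Header *forwarding_target(const Header *h) {
    return (Header *)(h->word & ~OOL_TAG);
}

/* Defensive check a collector could run right after the store: the word
   must decode back to the pointer it was built from. */
static int forwarding_roundtrips(const Header *old, const Header *moved) {
    return is_out_of_line(old) && forwarding_target(old) == moved;
}

/* Runs the buggy store; returns 1 if the word is 0 and the decoder would
   now wrongly classify the array as inline (the misclassification above). */
int buggy_store_misclassifies(void) {
    static Header old_hdr, moved_hdr;   /* static storage: aligned, low bit clear */
    forward_buggy(&old_hdr, &moved_hdr);
    return old_hdr.word == 0 && !is_out_of_line(&old_hdr);
}

/* Runs the fixed store; returns 1 if the word round-trips to the new header. */
int fixed_store_roundtrips(void) {
    static Header old_hdr, moved_hdr;
    forward_fixed(&old_hdr, &moved_hdr);
    return forwarding_roundtrips(&old_hdr, &moved_hdr);
}

int main(void) {
    printf("buggy store misclassifies as inline: %d\n", buggy_store_misclassifies());
    printf("fixed store round-trips: %d\n", fixed_store_roundtrips());
    return 0;
}
```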

Exploitation Chain

Security researcher Erge developed a proof‑of‑concept exploit that achieved full RCE by:

  1. Trigger garbage collection so that 0 is stored in the forwarding pointer.
  2. The Ion JIT then misidentifies the arrays as inline and returns the old memory addresses.
  3. This creates a use‑after‑free (UAF) condition.
  4. Heap spraying reclaims the freed memory with controlled values.
  5. This yields arbitrary read/write primitives.
  6. ASLR is bypassed using sprayed objects that contain relative pointers.
  7. A vtable is overwritten to hijack execution flow.
  8. A shell (/bin/sh) is spawned via a system() call.

Disclosure & Response

  • Jan 19, 2026 → Vulnerability introduced.
  • Feb 3, 2026 → Bugs filed by independent researchers.
  • Feb 9, 2026 → Fixed via commit 05ffcde.
  • Feb 11, 2026 → Security bounty split between discoverers.

Importantly, the flaw only affected Firefox 149 Nightly builds and never reached stable releases—preventing widespread exploitation. Mozilla’s rapid response ensured the issue was contained.

Lessons Learned

  • Tiny mistakes matter: A single character typo can cascade into full system compromise.
  • Code reviews are critical: Automated checks and peer reviews must catch subtle errors.
  • Nightly builds are high‑risk: They’re essential for innovation but require strict monitoring.
  • Security culture: Rewarding researchers reinforces the importance of responsible disclosure.

Final Thought

The Firefox 0‑Day RCE is a stark reminder that software security lives in the details. One misplaced operator turned into a full exploit chain capable of spawning shells. For developers and organizations alike, the takeaway is clear: precision, peer review, and proactive security practices are non‑negotiable.
