CVE-2010-0166 in Firefox

Summary

by MITRE

The gfxTextRun::SanitizeGlyphRuns function in gfx/thebes/src/gfxFont.cpp in the browser engine in Mozilla Firefox 3.6 before 3.6.2 on Mac OS X, when the Core Text API is used, does not properly perform certain deletions, which allows remote attackers to cause a denial of service (memory corruption and application crash) and possibly execute arbitrary code via an HTML document containing invisible Unicode characters, as demonstrated by the U+FEFF, U+FFF9, U+FFFA, and U+FFFB characters.


Analysis

by VulDB Data Team • 05/03/2026

The vulnerability identified as CVE-2010-0166 represents a critical memory corruption flaw within Mozilla Firefox's text rendering engine on macOS systems. This issue specifically affects Firefox versions 3.6 prior to 3.6.2 when utilizing the Core Text API for text processing. The vulnerability stems from improper handling of certain Unicode characters during the sanitization process of glyph runs, creating a pathway for malicious exploitation that can result in both denial of service conditions and potential arbitrary code execution.

The technical flaw manifests in the gfxTextRun::SanitizeGlyphRuns function located within the gfx/thebes/src/gfxFont.cpp file of Firefox's browser engine. When the Core Text API is employed for text rendering on Mac OS X, this function fails to properly manage memory deallocations during the processing of invisible Unicode characters. The affected characters include U+FEFF (zero width no-break space), U+FFF9 (interlinear annotation anchor), U+FFFA (interlinear annotation separator), and U+FFFB (interlinear annotation terminator). These characters are particularly dangerous because they are invisible to users but can trigger memory corruption when processed through the browser's text rendering pipeline.

The operational impact of this vulnerability extends beyond simple application crashes to potentially enable remote code execution in targeted scenarios. Attackers can craft HTML documents containing these specific Unicode characters to trigger the memory corruption bug, leading to application crashes and, in some cases, arbitrary code execution. Exploitation requires a remote attacker to deliver a malicious webpage containing the specially crafted invisible Unicode characters, which makes the flaw particularly dangerous for web-based attacks.

This vulnerability aligns with CWE-125, which describes "Out-of-bounds Read" conditions, and CWE-129, which covers "Improper Validation of Array Index." The flaw demonstrates characteristics consistent with memory corruption vulnerabilities that can be leveraged through the ATT&CK framework's T1059.007 technique for process injection and T1499.004 for network denial of service. The exploitation of this vulnerability requires the attacker to understand the specific text rendering behavior of Firefox's Core Text API implementation and the precise memory layout of the affected function's handling of Unicode character sequences.

The mitigation strategy for this vulnerability involves immediate patching of Firefox installations to version 3.6.2 or later, which contains the necessary fixes for the memory management issues in the SanitizeGlyphRuns function. System administrators should also consider implementing web content filtering measures to block access to known malicious domains that might serve exploit payloads. Additionally, users should be educated about the risks of visiting untrusted websites and the importance of keeping browser software updated. The vulnerability highlights the importance of proper memory management in text rendering engines and demonstrates why Unicode character validation is critical in browser security implementations.
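As an added example (not code from Mozilla, MITRE or VulDB), the following sketch shows how a content-inspection step could flag the four code points named in the summary, whether they appear as literal characters or as numeric character references. It assumes UTF-8 input, treats a single leading U+FEFF as a byte order mark rather than a finding, and the names FLAGGED, find_flagged and SAMPLE are hypothetical.

```python
import re

# Code points named in the CVE-2010-0166 summary.
FLAGGED = {
    0xFEFF: "ZERO WIDTH NO-BREAK SPACE",
    0xFFF9: "INTERLINEAR ANNOTATION ANCHOR",
    0xFFFA: "INTERLINEAR ANNOTATION SEPARATOR",
    0xFFFB: "INTERLINEAR ANNOTATION TERMINATOR",
}

# HTML numeric character references, e.g. &#65279; or &#xFEFF;
# (browsers accept them without the trailing semicolon too).
_NCR = re.compile(r"&#(?:[xX]([0-9a-fA-F]+)|([0-9]+));?")


def find_flagged(raw: bytes):
    """Return sorted (offset, code_point, form) tuples for flagged characters.

    Offsets index the decoded text. "utf-8-sig" strips one leading BOM,
    so an ordinary byte order mark at the start of a file is not reported.
    Assumption: the document is UTF-8; other encodings need their own decode.
    """
    text = raw.decode("utf-8-sig", errors="replace")
    hits = []
    # Literal occurrences anywhere in the decoded document.
    for offset, ch in enumerate(text):
        if ord(ch) in FLAGGED:
            hits.append((offset, ord(ch), "literal"))
    # Occurrences hidden behind decimal or hexadecimal references.
    for m in _NCR.finditer(text):
        cp = int(m.group(1), 16) if m.group(1) else int(m.group(2))
        if cp in FLAGGED:
            hits.append((m.start(), cp, "reference"))
    return sorted(hits)


# Constructed sample: leading BOM, one literal U+FFF9, and U+FFFA / U+FFFB
# written as hexadecimal and decimal references.
SAMPLE = "\ufeff<p>ab\ufff9cd&#xFFFA;ef&#65531;</p>".encode("utf-8")

if __name__ == "__main__":
    for offset, cp, form in find_flagged(SAMPLE):
        print(f"offset {offset}: U+{cp:04X} {FLAGGED[cp]} ({form})")
```

These characters also occur in legitimate content, so a hit is a triage signal for unpatched clients, not proof of an exploit attempt; updating to 3.6.2 or later remains the fix.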

Reservation: 01/06/2010
Disclosure: 03/25/2010
Moderation: accepted
Entry: VDB-52360
CPE: ready
Exploit: Download
EPSS: 0.26203
KEV: no
Activities: very low
