CVE-2019-9796 in Firefox

Summary

by MITRE

A use-after-free vulnerability can occur when the SMIL animation controller incorrectly registers with the refresh driver twice when only a single registration is expected. When a registration is later freed with the removal of the animation controller element, the refresh driver incorrectly leaves a dangling pointer to the driver's observer array. This vulnerability affects Thunderbird < 60.6, Firefox ESR < 60.6, and Firefox < 66.


Analysis

by VulDB Data Team • 11/26/2025

This vulnerability represents a classic use-after-free condition that arises from improper memory management within the browser's animation subsystem. The flaw occurs in the SMIL animation controller component, where the system incorrectly performs duplicate registrations with the refresh driver mechanism. This double registration creates a scenario where the memory allocation for the animation controller's observer entry becomes invalid while still being referenced by the refresh driver's internal data structures. The issue manifests when the animation controller element is removed from the DOM, triggering the cleanup process that frees the memory but leaves behind a dangling pointer in the observer array. This type of vulnerability falls under CWE-416, which covers use-after-free conditions, and it demonstrates the dangerous consequences of improper reference counting and memory lifecycle management in complex browser components.

The operational impact of this vulnerability is significant as it provides an attacker with a potential path to execute arbitrary code within the browser context. When the refresh driver attempts to notify its observers, it will access the dangling pointer, potentially leading to memory corruption that can be exploited through controlled data manipulation. The vulnerability affects multiple Mozilla products including Thunderbird and various Firefox versions, indicating a widespread impact across the browser ecosystem. The timing of the exploitation is particularly dangerous as it occurs during normal page rendering operations when animation controllers are actively managed. This aligns with ATT&CK technique T1059.007 which covers script-based execution, as the vulnerability can be triggered through malicious SMIL animation content that would normally be processed during page load.

The root cause stems from the refresh driver's observer management system failing to properly handle cases where duplicate registrations occur. When a single animation controller attempts to register twice with the refresh driver, the system's internal bookkeeping becomes inconsistent, leading to improper memory deallocation. The vulnerability is particularly insidious because it does not require special privileges or user interaction beyond normal browsing activities, making it a prime candidate for drive-by attacks. The memory corruption that results from accessing the dangling pointer can manifest in various ways including crashes, data corruption, or potentially full code execution depending on the specific memory layout and exploitation techniques employed. This vulnerability highlights the critical importance of proper memory management in browser components and the need for robust testing of edge cases in registration and deregistration scenarios. The fix for this vulnerability required modifications to the refresh driver's observer registration logic to prevent duplicate entries and ensure proper cleanup of all references when animation controllers are removed from the document.
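The registration and removal bookkeeping described above can be modelled in a few dozen lines. The following C++ is an added illustration written for this page, not Gecko's refresh driver or SMIL code: the class names (VulnerableDriver, HardenedDriver, Observer) and the StaleEntriesAfterRemoval helper are assumptions. The vulnerable driver accepts a duplicate registration and removes only the first matching entry, so one pointer survives the controller's destruction; the hardened driver makes registration idempotent and removes every entry, which is the invariant the fix described above enforces. The model counts the entries left at the moment of the free rather than dereferencing freed memory, so it runs safely under any build.

```cpp
#include <algorithm>
#include <cstddef>
#include <cstdio>
#include <memory>
#include <vector>

// Illustrative model, not Gecko's code: a refresh-driver-like object holds
// raw pointers to observers, and an animation controller registers with it.
struct Observer {
  virtual ~Observer() = default;
  virtual void Tick() {}
};

// Bookkeeping with the weakness the advisory describes: duplicates are
// accepted, and removal drops only the first matching entry.
class VulnerableDriver {
 public:
  void AddObserver(Observer* o) { observers_.push_back(o); }
  void RemoveObserver(Observer* o) {
    auto it = std::find(observers_.begin(), observers_.end(), o);
    if (it != observers_.end()) observers_.erase(it);
  }
  std::size_t EntriesFor(const Observer* o) const {
    return static_cast<std::size_t>(
        std::count(observers_.begin(), observers_.end(), o));
  }
 private:
  std::vector<Observer*> observers_;
};

// Hardened bookkeeping: registration is idempotent and removal erases every
// entry, so a single unregister always leaves no pointer behind.
class HardenedDriver {
 public:
  bool AddObserver(Observer* o) {
    if (std::find(observers_.begin(), observers_.end(), o) != observers_.end()) {
      return false;  // already registered; refuse the duplicate
    }
    observers_.push_back(o);
    return true;
  }
  void RemoveObserver(Observer* o) {
    observers_.erase(std::remove(observers_.begin(), observers_.end(), o),
                     observers_.end());
  }
  std::size_t EntriesFor(const Observer* o) const {
    return static_cast<std::size_t>(
        std::count(observers_.begin(), observers_.end(), o));
  }
  // Safe to call at any time: every stored pointer refers to a live observer.
  void NotifyAll() {
    for (Observer* o : observers_) o->Tick();
  }
 private:
  std::vector<Observer*> observers_;
};

// Models removing the animation controller element: the controller registers
// twice (the unintended duplicate), unregisters once because it believes it
// registered once, and is then freed. Returns the number of entries for it
// still held by the driver at the moment of the free, i.e. how many pointers
// dangle afterwards. The freed object is never touched.
template <typename Driver>
std::size_t StaleEntriesAfterRemoval(Driver& driver) {
  auto controller = std::make_unique<Observer>();
  driver.AddObserver(controller.get());
  driver.AddObserver(controller.get());  // the unintended second registration
  driver.RemoveObserver(controller.get());
  std::size_t stale = driver.EntriesFor(controller.get());
  controller.reset();  // storage released; any remaining entry now dangles
  return stale;
}

std::size_t VulnerableStaleEntries() {
  VulnerableDriver driver;
  return StaleEntriesAfterRemoval(driver);  // 1: one dangling pointer remains
}

std::size_t HardenedStaleEntries() {
  HardenedDriver driver;
  std::size_t stale = StaleEntriesAfterRemoval(driver);
  driver.NotifyAll();  // nothing left to notify, so nothing freed is touched
  return stale;        // 0
}

int main() {
  std::printf("vulnerable driver: %zu stale entries\n", VulnerableStaleEntries());
  std::printf("hardened driver:   %zu stale entries\n", HardenedStaleEntries());
  return 0;
}
```

The property worth guarding in a regression test is the one StaleEntriesAfterRemoval checks: after the element's teardown path runs, the driver holds zero entries for the destroyed controller. A test of the vulnerable shape that went on to call the notify loop would dereference freed memory, which is exactly what an AddressSanitizer build of the test suite flags, so pairing this invariant check with sanitizer-enabled CI covers both the bookkeeping bug and its consequence.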

Reservation: 03/14/2019
Moderation: accepted
CPE: ready
EPSS: 0.00927
KEV: no
Activities: very low
