Projects Blog Music Contact
← All Posts
Security February 24, 2026

How a Single-Character Typo in Firefox Led to Remote Code Execution

By: Evgeny Padezhnov

Illustration for: How a Single-Character Typo in Firefox Led to Remote Code Execution

Software development requires precision. A misplaced character can crash applications, corrupt data, or create security vulnerabilities. In January 2026, Firefox developers learned this lesson when a single-character typo—using & instead of |—opened the door to remote code execution in millions of browsers.

The Million-Dollar Typo: & vs |

According to cybersecuritynews.com, the vulnerability originated in Firefox's SpiderMonkey JavaScript engine. A developer working on WebAssembly garbage collection typed & (bitwise AND) instead of | (bitwise OR) in the file js/src/wasm/WasmGcObject.cpp. The erroneous line read:

oolHeaderOld->word = uintptr_t(oolHeaderNew) & 1;

The correct version should have been:

oolHeaderOld->word = uintptr_t(oolHeaderNew) | 1;

This single character difference completely changed the operation's outcome. Bitwise OR with 1 sets the least significant bit to 1. Bitwise AND with 1 isolates only that bit, yielding 0 for aligned pointers. The result: Firefox stored null values instead of properly tagged forwarding pointers.

As noted in meterpreter.org, the vulnerability was introduced via commit fcc2f20e35ec on January 19, 2026. The typo passed through initial code reviews because bitwise operations are syntactically valid even when logically incorrect. Modern compilers don't catch this type of semantic error.

The bug affected the WasmArrayObject::obj_moved() function, which handles memory when WebAssembly arrays move during garbage collection. This function must ensure the least significant bit (LSB) of forwarding pointers is set to 1. The typo broke this critical invariant.

WebAssembly Garbage Collection: Where Things Went Wrong

Understanding the vulnerability requires examining Firefox's WebAssembly implementation. WebAssembly (Wasm) allows running compiled code in browsers at near-native speed. Firefox's SpiderMonkey engine manages Wasm memory through garbage collection, automatically reclaiming unused memory.

The vulnerability specifically affected out-of-line (OOL) WebAssembly arrays. SpiderMonkey stores small arrays inline within objects. Larger arrays use separate memory allocations—out-of-line storage. The engine uses pointer tagging to distinguish between these storage types.

According to the security analysis, the isDataInline() function checks if (headerWord & 1) == 0 to determine inline storage. Setting the LSB to 1 marks arrays as out-of-line. The typo caused the system to store zero instead of the tagged pointer, making OOL arrays appear inline.

This mismatch created divergent interpretations between the garbage collector and JIT compiler. The garbage collector treated relocated arrays as inline while the JIT compiler expected out-of-line data. This type confusion enabled memory corruption.

The scope limitation proved crucial: the vulnerability only affected WebAssembly functions optimized by Ion, Firefox's advanced JIT compiler. The Baseline compiler remained unaffected because it doesn't employ the same stack frame update mechanism.

From Typo to Full System Compromise

Security researcher Erge discovered the vulnerability while examining Firefox 149 Nightly source code for CTF challenge inspiration. The discovery process highlights how manual code review catches subtle bugs automated tools miss.

According to threatlabsnews.xcitium.com, the type confusion flaw granted attackers "primitive read/write access" to memory. Exploitation required several steps:

  1. Trigger the type confusion through crafted WebAssembly code
  2. Leverage the mismatch to read/write arbitrary memory locations
  3. Build reliable exploitation primitives
  4. Achieve code execution within the renderer process

The vulnerability's impact extended beyond simple crashes. Successful exploitation enabled:

Key point: The vulnerability required no user interaction beyond visiting a malicious webpage. Attackers could embed exploit code in advertisements, compromised websites, or phishing pages.

The refactoring context matters. The typo occurred during WebAssembly Garbage Collection array metadata refactoring. Refactoring often introduces bugs as developers modify working code. Code reviews during refactoring focus on architectural changes, potentially missing subtle implementation errors.

Lessons for Secure Development Practices

The Firefox typo offers several lessons for development teams. Static analysis tools failed to catch this bug because the code remained syntactically valid. Bitwise operations compile correctly regardless of logical intent.

Proven approach: Implement multiple layers of bug detection:

  1. Unit tests for critical operations: Test forwarding pointer mechanics explicitly. Verify bit manipulation produces expected results. Check edge cases like zero values.

  2. Fuzzing WebAssembly implementations: Run continuous fuzzing on Wasm code paths. Target garbage collection scenarios specifically. Monitor for type confusion vulnerabilities.

  3. Code review checklists: Flag all bitwise operations for extra scrutiny. Require explicit comments explaining bit manipulation logic. Compare against design specifications.

  4. Runtime assertions: Add debug-mode checks for invariants. Verify pointer tagging consistency. Detect mismatched type interpretations early.

Common mistake: Assuming syntax checkers catch all errors. Semantic bugs require different detection strategies. The Firefox vulnerability passed through initial reviews precisely because it looked correct.

Development teams should treat memory management code as security-critical. WebAssembly implementations deserve particular attention given their complexity and attack surface. A single character in garbage collection logic compromised millions of browsers.

In practice, organizations need systematic approaches to prevent similar vulnerabilities. Mozilla's response included patching the specific bug and reviewing related code paths. The incident triggered broader discussions about WebAssembly security models.

Technical Deep Dive: Understanding Pointer Tagging

Pointer tagging optimizes memory usage and type information storage. Systems encode metadata in unused pointer bits. On 64-bit systems, pointers rarely use all available bits. The least significant bits often remain available for tagging.

Firefox's implementation uses the LSB to distinguish array storage types. Setting this bit to 1 indicates out-of-line storage. The typo disrupted this tagging scheme, causing cascading failures.

The vulnerability mechanics reveal subtle interactions between components:

  1. Garbage collector expectations: GC code expects forwarding pointers with LSB set to 1. The typo produced null values instead.

  2. JIT compiler assumptions: Ion's optimized code assumes correct pointer tagging. Mismatched assumptions led to memory corruption.

  3. Runtime behavior divergence: Different engine components interpreted memory layout differently. This divergence enabled exploitation.

Proven approach: Design pointer tagging schemes with explicit validation. Include runtime checks in debug builds. Document tagging invariants clearly. Test tag manipulation thoroughly.

The incident also highlights refactoring risks. Modifying low-level memory management code requires extreme care. Even experienced developers make mistakes when updating complex systems.

Industry Impact and Response

The Firefox vulnerability demonstrates modern browser complexity. Millions of lines of code interact through intricate interfaces. A single character error in one subsystem compromises the entire application.

Browser vendors responded by increasing WebAssembly security scrutiny. Chrome and Safari teams reviewed their implementations for similar issues. The incident prompted industry-wide discussions about memory safety.

Key point: WebAssembly's power comes with security responsibilities. Near-native performance requires careful implementation. Garbage collection adds another layer of complexity.

Security researchers gained valuable insights from this vulnerability. The bug class—type confusion through incorrect pointer tagging—applies beyond Firefox. Similar issues could affect other software using tagged pointers.

If it works—it is correct. But working code isn't necessarily secure code. The Firefox vulnerability functioned correctly in many scenarios. Only specific WebAssembly patterns triggered the exploitable condition.

Organizations should implement defense-in-depth strategies. Browser sandboxing limited the vulnerability's impact. Process isolation prevented complete system compromise. These architectural decisions matter when bugs inevitably occur.

Frequently Asked Questions

What exactly was the Firefox typo that caused the vulnerability?

A developer typed & (bitwise AND) instead of | (bitwise OR) in WebAssembly garbage collection code. The typo occurred in file js/src/wasm/WasmGcObject.cpp on January 19, 2026. This single character change caused Firefox to store null values instead of properly tagged forwarding pointers, creating an exploitable type confusion vulnerability.

Could automated tools have caught this vulnerability?

Standard static analysis and compilers couldn't catch this bug because the code remained syntactically valid. Bitwise AND operations compile correctly even when logically wrong. Detection requires semantic analysis, comprehensive testing of memory tagging logic, or manual code review by security experts familiar with the codebase.

How severe was the security impact of this typo?

The vulnerability enabled complete remote code execution within Firefox. Attackers could steal session cookies, access credentials including SSO tokens, read data from other browser tabs, and potentially escape the browser sandbox to install malware. No user interaction was required beyond visiting a malicious webpage.

Are other browsers affected by similar vulnerabilities?

This specific vulnerability only affected Firefox's SpiderMonkey engine. However, the bug class—type confusion through pointer tagging errors—could theoretically affect any software using similar techniques. Chrome, Safari, and other browsers use different WebAssembly implementations but face similar complexity challenges.

Conclusion

A single character—one bitwise operator—created a critical security vulnerability affecting millions of Firefox users. The incident underscores fundamental truths about software security. Complex systems fail in unexpected ways. Manual code review catches bugs automated tools miss. Defense-in-depth strategies limit damage when vulnerabilities occur. Development teams must treat every character in security-critical code as potentially dangerous. The Firefox typo serves as a permanent reminder that in software development, the smallest details carry the greatest risks.

Squeeze AI
  1. A single-character typo in Firefox's SpiderMonkey engine—using bitwise AND (&) instead of OR (|)—caused the engine to store null values instead of properly tagged forwarding pointers, bypassing a critical memory safety invariant and enabling remote code execution.
  2. The typo created a type confusion vulnerability where the garbage collector and JIT compiler had divergent interpretations of WebAssembly array storage location (inline vs out-of-line), allowing attackers to corrupt memory and achieve arbitrary code execution.
  3. Modern compilers fail to catch semantic errors in bitwise operations that are syntactically valid, meaning such vulnerabilities can pass code review and reach production without automated detection.

Squeezed by b1key AI