CVE-2010-3765 — Mozilla Multiple Products Remote Code Execution Vulnerability

Mozilla Firefox — nsCSSFrameConstructor Memory Corruption Enables Remote Code Execution via Malicious Web Page; Re-Added to KEV October 2025

What is Mozilla Firefox and the Gecko Rendering Engine?

Mozilla Firefox is a widely used open-source web browser built on the Gecko layout engine — the rendering engine responsible for parsing HTML, CSS, and JavaScript and displaying web content. Gecko's CSS rendering subsystem includes nsCSSFrameConstructor, the component that translates CSS styles and DOM structure into Gecko's internal "frame tree" used for layout and rendering. The CSS frame construction process manages complex dynamic scenarios including DOM mutations — additions, removals, and rearrangements of page elements triggered by JavaScript. In 2010, Firefox 3.5 and 3.6 were the dominant Firefox releases, used on hundreds of millions of computers globally.

Overview

CVE-2010-3765 is a critical-severity memory corruption vulnerability (CWE-119, CVSS 9.8) in Mozilla Firefox, SeaMonkey, and Thunderbird. When JavaScript is enabled, a specially crafted web page can trigger memory corruption in nsCSSFrameConstructor::ContentAppended() via the appendChild DOM manipulation method, and that corruption is exploitable for arbitrary code execution. The vulnerability was exploited as a zero-day before Mozilla released Firefox 3.6.12 and 3.5.15 via MFSA 2010-73. Notably, CISA added this 2010 vulnerability to the KEV catalog in October 2025, indicating confirmed exploitation of legacy Firefox installations more than 15 years after the original patch.

Affected Versions

| Product | Vulnerable | Fixed |
|---|---|---|
| Mozilla Firefox 3.6.x before 3.6.12 | Affected | Upgrade to 3.6.12 |
| Mozilla Firefox 3.5.x before 3.5.15 | Affected | Upgrade to 3.5.15 |
| Mozilla SeaMonkey 2.0.x | Affected | Apply MFSA 2010-73 patch |
| Mozilla Thunderbird 3.1.x | Affected | Apply MFSA 2010-73 patch (with scripting enabled) |

Note: All Mozilla Firefox versions prior to the current stable release are end-of-life. Firefox 3.x has been unsupported for over a decade.

Technical Details

The memory corruption vulnerability (CWE-119: Improper Restriction of Operations within the Bounds of a Memory Buffer) exists in Gecko's CSS frame construction subsystem. When JavaScript calls appendChild() to add a DOM node to a document, Gecko's nsCSSFrameConstructor::ContentAppended() is invoked to update the visual frame tree to reflect the new DOM structure.

The vulnerability involves incorrect index tracking during frame construction when content is appended in specific sequences. The frame constructor maintains internal index state tracking which frames correspond to which DOM nodes; under certain conditions — involving specific CSS styles and the sequence of appendChild operations — the index calculations produce an incorrect offset. This incorrect index is subsequently used to access the frame list, resulting in an out-of-bounds memory access.

The corrupted memory access can be leveraged to achieve controlled writes to attacker-specified memory locations, enabling reliable code execution. The critical CVSS score (9.8) reflects that exploitation requires only JavaScript execution in a browser — no authentication, no user interaction beyond visiting a web page — and provides full code execution at the user's privilege level.

Discovery

The vulnerability was reported by security researchers who identified active in-the-wild exploitation. Mozilla issued MFSA 2010-73 as an out-of-band emergency release specifically for this vulnerability, releasing Firefox 3.6.12 and 3.5.15 within approximately nine days of the first exploitation reports. The rapid patch release reflected Mozilla's emergency response procedures for zero-day vulnerabilities with confirmed active exploitation.

Exploitation Context

Firefox zero-days were valuable attack tools in 2010, and the 2025 KEV addition reveals continued exploitation:

  • 2010 drive-by exploitation: The zero-day exploitation before the patch suggests well-resourced actors targeting Firefox users via malicious websites — drive-by downloads that silently installed malware when users visited compromised or attacker-controlled pages.
  • High Firefox market share: Firefox was a leading browser in 2010 with roughly 30% market share, meaning a Firefox zero-day had access to hundreds of millions of potential targets globally.
  • 2025 KEV addition — legacy installations: CISA's October 2025 KEV addition for a 2010 vulnerability is extraordinary. It indicates that legacy Firefox 3.x installations remained in use somewhere in critical infrastructure — likely in embedded systems, kiosks, SCADA workstations, or air-gapped environments where software updates were infrequent or restricted.
  • SCADA and ICS environment exposure: Industrial control systems and embedded computers with fixed, older software stacks sometimes run decade-old browser versions for web-based HMI interfaces. These systems may have been the target of the continued exploitation that prompted the 2025 KEV addition.
  • Thunderbird exposure with scripting: Thunderbird with JavaScript-enabled email rendering was also affected — malicious HTML emails could trigger the vulnerability without browser interaction.

Remediation

  1. Upgrade Mozilla Firefox: Firefox 3.x is end-of-life and has been for over a decade. Upgrade to the current stable Firefox release (Firefox 130+) or switch to another modern browser.
  2. Upgrade SeaMonkey and Thunderbird: If running legacy versions, upgrade to current supported releases.
  3. Disable JavaScript in legacy systems: If a legacy Firefox installation cannot be replaced (e.g., embedded in industrial equipment), disable JavaScript execution where feasible.
  4. Inventory and remediate legacy browsers: Audit all systems for browser versions and prioritize replacement of end-of-life browser installations.
  5. Network segmentation: Systems running legacy software should be isolated from direct internet access and protected by next-generation firewalls with web content inspection.
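
For the inventory step above, one way to triage proxy or web-server logs is to classify each User-Agent against the affected ranges in this page's Affected Versions table. This is an added example, not code from Mozilla or CISA; the tab-separated log layout, host names, and the function names classify and flag_hosts are assumptions. SeaMonkey 2.0.x and Thunderbird 3.1.x are marked "review" because the page names no fixed build for them.

```python
import re

# Affected branches from this page's "Affected Versions" table.
# Value = first fixed release; None = the page names no fixed build.
AFFECTED = {
    ("Firefox", 3, 6): (3, 6, 12),
    ("Firefox", 3, 5): (3, 5, 15),
    ("SeaMonkey", 2, 0): None,
    ("Thunderbird", 3, 1): None,
}
TOKEN = re.compile(r"\b(Firefox|SeaMonkey|Thunderbird)/(\d+(?:\.\d+)*)")

# Constructed sample input: "<host>\t<User-Agent>" (hypothetical log layout).
SAMPLE_LOG = [
    "hmi-01\tMozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.9.2.10) Gecko/20100914 Firefox/3.6.10",
    "kiosk-07\tMozilla/5.0 (X11; U; Linux i686; en-US; rv:1.9.1.15) Gecko/20101026 Firefox/3.5.15",
    "ws-112\tMozilla/5.0 (Windows NT 10.0; Win64; x64; rv:130.0) Gecko/20100101 Firefox/130.0",
    "eng-03\tMozilla/5.0 (X11; U; Linux i686; en-US; rv:1.9.1.13) Gecko/20100914 SeaMonkey/2.0.8",
]


def classify(user_agent):
    """Return (product, version, verdict), or None if no Mozilla product token."""
    tokens = TOKEN.findall(user_agent)
    if not tokens:
        return None
    # Later SeaMonkey builds send "Firefox/x SeaMonkey/y"; prefer the specific token.
    product, raw = next((t for t in tokens if t[0] != "Firefox"), tokens[0])
    version = tuple(int(p) for p in raw.split("."))
    version += (0,) * (3 - len(version))  # "3.6" -> (3, 6, 0)
    key = (product, version[0], version[1])
    if key not in AFFECTED:
        return product, raw, "not_listed"
    fixed = AFFECTED[key]
    if fixed is None:
        return product, raw, "review"  # branch listed, fixed build not on page
    verdict = "vulnerable" if version[:3] < fixed else "patched"
    return product, raw, verdict


def flag_hosts(log_lines):
    """Map host -> sorted findings for hosts with a vulnerable/review verdict."""
    findings = {}
    for line in log_lines:
        host, _, ua = line.rstrip("\n").partition("\t")
        result = classify(ua)
        if result and result[2] in ("vulnerable", "review"):
            findings.setdefault(host, set()).add(result)
    return {host: sorted(found) for host, found in findings.items()}
```

The User-Agent header is client-supplied, so treat a hit as a lead and confirm the installed build on the host. A "patched" verdict only means the build is at or past the fixed release listed on this page; those builds are still end-of-life.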

Key Details

| Property | Value |
|---|---|
| CVE ID | CVE-2010-3765 |
| Vendor / Product | Mozilla — Multiple Products |
| NVD Published | 2010-10-28 |
| NVD Last Modified | 2025-10-22 |
| CVSS 3.1 Score | 9.8 |
| CVSS 3.1 Vector | CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H |
| Severity | CRITICAL |
| CWE | CWE-119 |
| CISA KEV Added | 2025-10-06 |
| CISA KEV Deadline | 2025-10-27 |
| Known Ransomware Use | No |

CVSS 3.1 Breakdown

| Metric | Value |
|---|---|
| Attack Vector | Network |
| Attack Complexity | Low |
| Privileges Required | None |
| User Interaction | None |
| Scope | Unchanged |
| Confidentiality | High |
| Integrity | High |
| Availability | High |

Required Action

CISA BOD 22-01 Deadline: 2025-10-27. Apply mitigations per vendor instructions, follow applicable BOD 22-01 guidance for cloud services, or discontinue use of the product if mitigations are unavailable.

Timeline

| Date | Event |
|---|---|
| 2010-10-19 | Active exploitation of Firefox zero-day via malicious web pages reported; vulnerability triggers memory corruption in CSS frame construction |
| 2010-10-28 | Mozilla released Firefox 3.6.12 and Firefox 3.5.15 patching CVE-2010-3765 via Mozilla Foundation Security Advisory MFSA 2010-73; CVE published |
| 2025-10-06 | CISA added to KEV, reflecting confirmed exploitation of legacy Firefox installations more than 15 years after the initial patch |
| 2025-10-27 | CISA BOD 22-01 remediation deadline |

References

| Resource | Type |
|---|---|
| NVD — CVE-2010-3765 | Vulnerability Database |
| CISA KEV Catalog Entry | US Government |