Study how a use-after-free bug in Firefox's JavaScript engine was exploited.
Learn browser exploitation techniques from a real, patched vulnerability.
Research how WebAssembly GC memory handling can be abused.
Reference the CVE-2026-8390 writeup when analyzing similar browser bugs.
| kiddo-pwn/ffffirefox | polyhelper/polyhelper | stephengrider/coffeescript-ionic-starter | |
|---|---|---|---|
| Stars | 64 | 65 | 63 |
| Language | JavaScript | JavaScript | JavaScript |
| Last pushed | — | — | 2015-03-30 |
| Maintenance | — | — | Dormant |
| Setup difficulty | hard | hard | moderate |
| Complexity | 5/5 | 4/5 | 2/5 |
| Audience | researcher | developer | developer |
Figures from each repo's GitHub metadata at analysis time.
Requires a specific unpatched Firefox 150 build to reproduce, patched in 150.0.3.
FFFFirefox is a published proof-of-concept exploit for a security vulnerability in the Firefox web browser, specifically targeting version 150. The bug, tracked as CVE-2026-8390, was originally created as a competition entry for Pwn2Own Berlin 2026, a well-known hacking contest where security researchers attempt to break into software for cash prizes. The author released the code publicly after Mozilla patched the vulnerability in Firefox 150.0.3. The underlying bug is a memory safety issue called a use-after-free. This happens when a program frees a block of memory but then accidentally continues to use a pointer to that now-freed location. In this case, the bug is in Firefox's JavaScript engine (called Ion) and its handling of WebAssembly GC (a relatively new feature that lets WebAssembly code manage objects with automatic memory management). Ion cached a pointer to source data while a garbage collector run could free that memory in between, and a memory spray technique was used to place attacker-controlled data in the freed location. From there, standard browser exploitation techniques were used to achieve arbitrary code execution, meaning the attacker's code runs with the browser's permissions. This repository is of interest primarily to security researchers and browser engineers studying how browser vulnerabilities are discovered and exploited. It is not intended for general use. The vulnerability is patched in Firefox 150.0.3 and later.
A published proof-of-concept exploit for a patched Firefox use-after-free vulnerability, released after the bug was fixed and used at a hacking competition.
Mainly JavaScript. The stack also includes JavaScript.
Setup difficulty is rated hard, with roughly 1day+ to a first successful run.
Mainly researcher.
This repo across BitVibe Labs
Verify against the repo before relying on details.