Mozilla Firefox 72.0.1 Patches Actively Exploited Zero-Day

Mozilla released Firefox 72.0.1 and Firefox ESR 68.4.1 to patch a critical and actively exploited severity vulnerability that could potentially allow attackers to execute code or trigger crashes on machines running vulnerable Firefox versions.

As Mozilla's security advisory says, the Firefox developers are "aware of targeted attacks in the wild abusing this flaw" which could make it possible for attackers who successfully exploit it to abuse affected systems.

The Firefox and Firefox ESR zero-day flaw fixed by Mozilla was reported by a research team from Qihoo 360 ATA. 

BleepingComputer has reached out to the Qihoo 360 ATA researchers for additional details but had not heard back at the time of this publication.

Mozilla Firefox 72.0.1

The type confusion vulnerability tracked as CVE-2019-17026 impacts the web browser's IonMonkey Just-In-Time (JIT) compiler and it occurs when incorrect alias information is fed for setting array elements.

This type of security flaw can lead to out-of-bounds memory access in languages without memory safety which, in some circumstances, can lead to code execution or exploitable crashes.

Potential attackers could trigger the type confusion flaw by redirecting users of unpatched Firefox versions to maliciously crafted web pages.

CVE-2019-17026

The U.S. Cybersecurity and Infrastructure Security Agency (CISA) also issued an alert saying that "an attacker could exploit this vulnerability to take control of an affected system," and advising users to review the Mozilla Security Advisory and apply the security update.

While there is no other info related to this 0-day flaw, all users should install the patched Firefox release by manually checking for the new update by going to the Firefox menu -> Help -> About Firefox.

You can also download the latest patched version for Windows, macOS, and Linux from the following links:

This security patch comes a day after Firefox 72.0 was released with fixes for another 11 security vulnerabilities, give of them being classified as 'High', five classified as 'Medium', and one as 'Low'.

Of the five high severity vulnerabilities, four could potentially be used by attackers for arbitrary code execution after leading victims to specially crafted malicious pages.

In June 2019, Mozilla patched two other actively exploited zero-day vulnerabilities used in targeted attacks against cryptocurrency firms such as Coinbase.

Picus Blue Report 2025

Picus Blue Report 2025 is Here: 2X increase in password cracking

46% of environments had passwords cracked, nearly doubling from 25% last year.

Get the Picus Blue Report 2025 now for a comprehensive look at more findings on prevention, detection, and data exfiltration trends.

Related Articles:

FreePBX servers hacked via zero-day, emergency fix released

Apple fixes new zero-day flaw exploited in targeted attacks

Elastic rejects claims of a zero-day RCE flaw in Defend EDR

Microsoft August 2025 Patch Tuesday fixes one zero-day, 107 flaws

Android gets patches for Qualcomm flaws exploited in attacks