
CERT Coordination Center

Mozilla denial of service vulnerability

Vulnerability Note VU#427972

Original Release Date: 2007-01-09 | Last Revised: 2007-06-04


Certain Mozilla products contain a denial-of-service vulnerability.


Certain Mozilla products contain a denial-of-service vulnerability caused by an infinite loop in js_dtoa(), the JavaScript engine routine that converts floating-point numbers to decimal strings. Mozilla Firefox, Thunderbird, and other Mozilla products released before the fixed versions listed in Mozilla Foundation Security Advisory 2006-68 may be affected.

According to Mozilla Foundation Security Advisory 2006-68:
Keith Victor reported that if the floating point precision of the CPU was reduced (which can happen on Windows by loading a plugin which creates a Direct3D device) then it is possible that js_dtoa() will not exit and instead overwrite memory. None of the most common plugins in use do this, which lowers the overall impact of this vulnerability to moderate.
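The following is an added illustration written for this note; it is not Mozilla's code and does not describe Mozilla's fix. It shows the failure class the advisory describes: a dtoa-style digit loop whose exit test (remainder exactly zero) is only guaranteed to be reached when the arithmetic is 53-bit double. The loop is run once with ordinary doubles and once with every intermediate rounded through a 24-bit significand, which emulates an x87 FPU left in single-precision mode; the advisory does not name the mode, so the single-precision setting is this example's assumption. The function names (int_digits, has_53bit_precision, round24, round53), the sample input 123456789, and the two guards shown (a precision probe and an iteration cap that also keeps the digit writes inside the caller's buffer) are constructions of this note, offered as generic defensive patterns.

```c
/*
 * Added illustration for this note (not Mozilla code): a dtoa-style digit
 * loop whose exit test assumes 53-bit double arithmetic, run once with real
 * doubles and once with every intermediate rounded to a 24-bit significand.
 * The second run emulates an x87 FPU left in single-precision mode, which is
 * assumed here to be the reduced-precision state the advisory refers to.
 * Build: cc -std=c99 -Wall dtoa_precision.c
 */
#include <stdio.h>
#include <string.h>

/* Models how the FPU rounds every intermediate result. */
typedef double (*round_fn)(double);

/* Normal 53-bit double arithmetic: nothing extra happens. */
static double round53(double x) { return x; }

/* Emulated 24-bit precision control: squeeze each result through a float. */
static double round24(double x) { return (double)(float)x; }

/* Precision probe: 1.0 + 2^-40 is representable with a 53-bit significand
 * but collapses to 1.0 with 24 bits.  Returns 1 if the assumed precision
 * is in effect, 0 otherwise. */
static int has_53bit_precision(round_fn r)
{
    return r(1.0 + 0x1p-40) != 1.0;
}

/*
 * Emit the decimal digits of an integer-valued double d (0 < d < 2^49),
 * dropping trailing zeros, in the style of Gay's dtoa "small integer" case:
 * divide by ds = 10^k to peel off the leading digit, multiply the remainder
 * by 10, repeat until the remainder is exactly zero.  With 53-bit arithmetic
 * every intermediate is an exact integer, so the loop finishes in at most
 * k+1 steps.  With rounded intermediates that guarantee is gone, which is
 * why 'cap' bounds the iterations (and the writes into out[]).
 * Returns the digit count, -1 if the cap was hit, -2 on bad input.
 * out must have room for cap+1 bytes.
 */
static int int_digits(double d, round_fn r, int cap, char *out)
{
    if (!(d > 0.0) || d >= 0x1p49 || (double)(long long)d != d) {
        out[0] = '\0';
        return -2;
    }
    d = r(d);                          /* the input is rounded like everything else */
    double ds = 1.0;
    while (r(ds * 10.0) <= d)          /* ds = 10^k with 10^k <= d < 10^(k+1) */
        ds = r(ds * 10.0);

    int n = 0;
    for (;;) {
        if (n >= cap) {                /* guard: never run or write unbounded */
            out[n] = '\0';
            return -1;
        }
        long L = (long)r(d / ds);      /* leading digit, 0..9 when arithmetic is exact */
        d = r(d - r((double)L * ds));
        out[n++] = (char)('0' + L);
        if (d == 0.0)                  /* exit test that assumes exact arithmetic */
            break;
        d = r(d * 10.0);
    }
    out[n] = '\0';
    return n;
}

/* Wrappers that return checkable results for main() and for tests. */
static int digits_match(double d, round_fn r, const char *expected)
{
    char buf[64];
    return int_digits(d, r, 63, buf) > 0 && strcmp(buf, expected) == 0;
}

static int digits_result(double d, round_fn r, int cap)
{
    char buf[64];
    return int_digits(d, r, cap < 63 ? cap : 63, buf);
}

int main(void)
{
    char a[64], b[64];
    int na = int_digits(123456789.0, round53, 63, a);   /* constructed sample input */
    int nb = int_digits(123456789.0, round24, 63, b);
    printf("53-bit: probe=%d digits=%d \"%s\"\n", has_53bit_precision(round53), na, a);
    printf("24-bit: probe=%d digits=%d \"%s\"\n", has_53bit_precision(round24), nb, b);
    printf("capped at 4 digits: %d\n", digits_result(123456789.0, round53, 4));
    return 0;
}
```

With real doubles the loop emits 123456789 and stops. Under the 24-bit emulation the same call emits 123456792 and stops only because this particular input happens to reach an exact zero remainder; the exactness argument that guarantees termination no longer holds, and each extra pass writes another digit, which is consistent with the advisory's description of a non-exiting js_dtoa() overwriting memory. The probe reports the precision mismatch before any conversion is attempted, and the cap bounds both the running time and the writes regardless of FPU state.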


A remote, unauthenticated attacker who can get an affected application to execute JavaScript, for example by serving a malicious web page, may be able to cause it to stop responding (denial of service). Note that the Mozilla advisory describes the non-exiting js_dtoa() as overwriting memory, and that the condition is only reachable after something else in the process, such as a plugin creating a Direct3D device, has reduced the CPU's floating-point precision; Mozilla cites the rarity of that state as the reason for its moderate rating.



Apply an update. The Mozilla Foundation has released updated versions that address this issue; see Mozilla Foundation Security Advisory 2006-68 for the fixed versions.

Vendor Information


Mozilla Affected

Updated:  December 21, 2006



Vendor Statement

We have not received a statement from the vendor.

Vendor Information

The vendor has not provided us with any further information regarding this vulnerability.


See Mozilla Foundation Security Advisory 2006-68.

If you have feedback, comments, or additional information about this vulnerability, please send us email.




Thanks to Igor Bukanov, Jesse Ruderman, moz_bug_r_a4, Mozilla for providing information that was used in this report.

This document was written by Ryan Giobbi.

Other Information

CVE IDs: CVE-2006-6499
Severity Metric: 0.30
Date Public: 2006-12-19
Date First Published: 2007-01-09
Date Last Updated: 2007-06-04 14:16 UTC
Document Revision: 42

Sponsored by CISA.