Finding and Exploiting 20-Year-Old Bugs in Web Browsers
Ivan Fratric
OffensiveCon 2025 · Day 1 · Main
Ivan Fratric of Google Project Zero audited the XSLT processing engines embedded in all major web browsers and discovered multiple use-after-free and memory corruption vulnerabilities, some dating back over 20 years — predating Firefox 1.0. The root cause across most findings is that XSLT parsers were written assuming single-threaded, non-reentrant execution, while browsers have since made JavaScript callable during XSLT transformation, turning virtually every DOM interaction mid-parse into a potential use-after-free. At least one full working exploit against a current browser was demonstrated.
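The reentrancy bug class the abstract describes is easiest to see in miniature. The following C program is an added, constructed illustration, not code from the talk, from any browser, or from LibXSLT: a toy node list stands in for the DOM, a function pointer stands in for a script callback that fires mid-transform, and a quarantine with poisoning replaces free() so the dangling access can be observed rather than left as undefined behaviour. The vulnerable walker caches a pointer across the callback; the hardened walker holds a strong reference across the callback and checks a mutation generation counter before trusting any cached pointer.

```c
#include <stdio.h>
#include <stdlib.h>

/* Toy "DOM": a singly linked node list with refcounts (constructed for this example). */
typedef struct Node {
    int id;
    int refcount;
    int freed;           /* set when the node would have been free()d */
    struct Node *next;
} Node;

typedef struct {
    Node *head;
    unsigned generation; /* bumped on every structural mutation */
} Doc;

/* Freed nodes go to a quarantine instead of free() so the example can observe
   a dangling access without undefined behaviour; a real engine frees here. */
#define QUARANTINE_MAX 64
static Node *quarantine[QUARANTINE_MAX];
static int quarantine_len;

static Node *node_new(int id) {
    Node *n = calloc(1, sizeof *n);
    if (!n) abort();
    n->id = id;
    n->refcount = 1;
    return n;
}

static void node_retain(Node *n) { n->refcount++; }

static void node_release(Node *n) {
    if (--n->refcount > 0) return;
    n->freed = 1;
    n->id = -1;                        /* poison the payload */
    if (quarantine_len < QUARANTINE_MAX) quarantine[quarantine_len++] = n;
    else free(n);
}

static Doc *doc_build(int count) {
    Doc *d = calloc(1, sizeof *d);
    if (!d) abort();
    for (int i = count; i >= 1; i--) {  /* prepend so ids come out 1..count */
        Node *n = node_new(i);
        n->next = d->head;
        d->head = n;
    }
    return d;
}

static void doc_remove(Doc *d, Node *target) {
    Node **pp = &d->head;
    while (*pp && *pp != target) pp = &(*pp)->next;
    if (!*pp) return;
    *pp = target->next;
    d->generation++;
    node_release(target);              /* the list drops its reference */
}

static void doc_free(Doc *d) {
    while (d->head) doc_remove(d, d->head);
    while (quarantine_len > 0) free(quarantine[--quarantine_len]);
    free(d);
}

/* Stand-in for a script callback that runs in the middle of a transform. */
typedef void (*ScriptHook)(Doc *d, Node *n);

static void hook_noop(Doc *d, Node *n) { (void)d; (void)n; }
static void hook_remove_current(Doc *d, Node *n) { doc_remove(d, n); }

/* Vulnerable pattern: the walker assumes the tree cannot change underneath it.
   After the hook, n may already be freed, so n->next reads freed memory.
   Returns 1 if a freed node was dereferenced during the walk. */
static int walk_unsafe(Doc *d, ScriptHook hook, int *visited) {
    int touched_freed = 0;
    *visited = 0;
    for (Node *n = d->head; n;) {
        (*visited)++;
        hook(d, n);
        if (n->freed) touched_freed = 1; /* the use-after-free in a real engine */
        n = n->next;
    }
    return touched_freed;
}

/* Hardened pattern: hold a strong reference across the callback and re-check
   that the document was not mutated before trusting any cached pointer.
   Returns 0 if the walk completed, -1 if it stopped because the tree changed. */
static int walk_safe(Doc *d, ScriptHook hook, int *visited) {
    *visited = 0;
    for (Node *n = d->head; n;) {
        unsigned gen = d->generation;
        node_retain(n);                  /* n cannot be freed while the hook runs */
        (*visited)++;
        hook(d, n);
        int mutated = (d->generation != gen);
        Node *next = mutated ? NULL : n->next;
        node_release(n);
        if (mutated) return -1;          /* caller restarts or reports an error */
        n = next;
    }
    return 0;
}

int main(void) {
    int visited;
    Doc *d = doc_build(3);
    printf("unsafe walk touched a freed node: %d (visited %d)\n",
           walk_unsafe(d, hook_remove_current, &visited), visited);
    doc_free(d);
    d = doc_build(3);
    printf("safe walk result: %d (visited %d)\n",
           walk_safe(d, hook_remove_current, &visited), visited);
    doc_free(d);
    return 0;
}
```

The two defences shown are the usual ones for this bug class: a strong reference keeps the current node alive for the duration of the callback, and the generation check refuses to reuse any pointer captured before the callback once the tree has changed. Either alone is insufficient; the reference protects only the node being held, and the generation check does nothing for a node freed while the walker still points at it.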
AI review
Fratric audited XSLT engines across all major browsers, found 20-year-old use-after-free bugs in Firefox that predate Firefox 1.0, identified a structural reentrancy bug class that produces UAFs wherever JavaScript can execute during XSLT transformation, built a grammar-based fuzzer that hit LibXSLT bugs affecting every Chromium-family browser simultaneously, and demonstrated a working RCE exploit. Full browser coverage. This is what a systematic research program looks like.