CVE-2023-43686: Malwarebytes Parser Denial of Service via Firefox Preference Files
Malwarebytes versions 4.x and 5.x contain a denial-of-service vulnerability triggered when a large number of Firefox preference files are present on a system. The parser becomes overwhelmed and stops processing other browser configuration files, effectively disabling Malwarebytes' ability to scan certain browser-based threats. This is a local issue requiring no special privileges to trigger.
Source data · NVD / CISA · public domain
- CVSS
- 3.1 · 6.2 MEDIUM · CVSS:3.1/AV:L/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H
- Weaknesses (CWE)
- CWE-755
- Affected products
- 0 configuration(s)
- Published / Modified
- 2026-06-09 / 2026-06-17
NVD description (verbatim)
An issue was discovered in Malwarebytes 4.x and 5.x (and Nebula 2020-10-21 and later). A large number of Firefox preference files can cause the parser to ignore other browser configuration files, leading to a denial of service.
1 reference(s) · View on NVD →
SEC.co analysis · AI-assisted, reviewed against source
Technical summary
CVE-2023-43686 is a parser resource exhaustion vulnerability (CWE-755) in Malwarebytes 4.x, 5.x, and Nebula (2020-10-21 and later). The vulnerability stems from insufficient handling of large Firefox preference file counts. When the parser encounters a volume of Firefox preference files exceeding its capacity, it fails to gracefully degrade and instead ceases processing other browser configuration files entirely. This results in incomplete browser security scanning and leaves gaps in threat detection coverage. The vulnerability carries a CVSS 3.1 score of 6.2 (MEDIUM severity) with a vector of AV:L/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H, indicating local attack surface, no authentication required, and high availability impact.
Business impact
Organizations relying on Malwarebytes for endpoint threat prevention face reduced effectiveness of browser-based malware detection on affected systems. An attacker or user with local access could potentially craft an environment with excessive Firefox preference files to disable scanning of other browser configurations, allowing malware or unwanted software to persist undetected in alternative browsers or browser profiles. While not a remote code execution vector, this availability impact undermines the core protective function of the product during active threat assessments or continuous monitoring scenarios.
Affected systems
Malwarebytes versions 4.x and 5.x are affected, along with Malwarebytes Nebula builds from 2020-10-21 onwards. Users should verify their specific version numbers against official Malwarebytes documentation to confirm exposure. Organizations using earlier 3.x versions or managed deployments through Nebula should confirm whether their build date falls within the vulnerable window.
Exploitability
This vulnerability requires local access to the affected system and no user interaction or elevated privileges. An attacker already positioned on a machine—such as a local user, insider, or through prior compromise—could trigger the denial of service by creating a large number of Firefox preference files. The low complexity and accessibility make it practical for an adversary to exploit if local access is obtained, though it does not enable remote compromise or privilege escalation by itself.
Remediation
Malwarebytes has addressed this issue in patched versions of 4.x, 5.x, and Nebula. Organizations should consult the official Malwarebytes advisory to identify the specific patch versions that remediate CVE-2023-43686 and apply them to all affected deployments. Until patches are applied, organizations may consider supplementary browser-specific security controls or endpoint detection and response (EDR) solutions to maintain visibility into browser-based threats.
Patch guidance
Check the Malwarebytes security advisory corresponding to CVE-2023-43686 for exact patch version numbers for your major version line (4.x, 5.x, or Nebula). Deploy patches through your organization's standard update management process, prioritizing systems in high-risk environments. Verify successful patch application by confirming version numbers post-update and spot-checking Firefox preference file handling on representative systems.
Detection guidance
Monitor Malwarebytes logs and system activity for signs of parser failures, including truncated browser configuration scans or incomplete scan reports that omit Firefox-related detections. On vulnerable systems, investigate whether users have accumulated unusually large numbers of Firefox preference files (particularly profile directories). EDR tools should track for suspicious creation of excessive Firefox profile or preference entries as a potential exploitation indicator. Post-patching, baseline normal browser scanning behavior to detect future anomalies.
Why prioritize this
While CVE-2023-43686 carries a MEDIUM CVSS score and does not enable remote exploitation, it directly degrades the protective function of Malwarebytes on local systems. Organizations should prioritize patching based on the scope of their Malwarebytes deployment, the prevalence of Firefox usage in their environment, and whether systems are exposed to untrusted local users. Endpoint protection is a critical control; even localized denial of service against it warrants timely remediation.
Risk score, explained
The CVSS 3.1 score of 6.2 reflects the availability impact (CWE-755 resource exhaustion) balanced against the local-only attack surface and lack of confidentiality or integrity compromise. An attacker cannot steal data or modify systems through this vector alone, but can prevent legitimate security scanning from functioning. The score appropriately captures the localized but meaningful threat to threat detection coverage.
Frequently asked questions
Can this vulnerability be exploited remotely?
No. CVE-2023-43686 requires local access to the affected system. An attacker must already have a presence on or authorized access to the machine to create the excessive Firefox preference files needed to trigger the parser failure.
Will this vulnerability allow an attacker to execute code or escalate privileges?
No. This is a denial-of-service vulnerability that disables browser configuration scanning. It does not provide code execution, privilege escalation, or data exfiltration capabilities on its own.
Do all versions of Malwarebytes require patching?
Only Malwarebytes 4.x, 5.x, and Nebula (build 2020-10-21 and later) are affected. Verify your installed version and consult the vendor advisory for the specific patch version applicable to your deployment.
What should I do if I cannot patch immediately?
Until patches are deployed, consider supplementary browser security controls, user access restrictions to prevent local file manipulation, and enhanced endpoint monitoring to detect anomalous browser configuration activity. Prioritize patching as soon as operationally feasible.
This analysis is based on public vulnerability data current as of the advisory publication date. Verify all patch version numbers, KEV status, and remediation guidance directly with Malwarebytes official advisories and security documentation before deploying to production. SEC.co does not provide warranty regarding the accuracy of third-party vendor information or the applicability of recommendations to your specific environment. Always conduct internal validation and testing before implementing patches or detection rules. Source: NVD (public-domain), retrieved 2026-07-18. Analysis generated by SEC.co (claude-haiku-4-5).
Weaknesses (CWE)
Related vulnerabilities
- CVE-2026-40371HIGHMicrosoft Dynamics 365 On-Premises Privilege Escalation (CVSS 8.8 HIGH)
- CVE-2026-48524LOWPyJWT Denial of Service via Unlimited JWKS Requests
- CVE-2026-49235HIGHRoutinator RPKI Validator Denial of Service via Malicious RRDP Document
- CVE-2026-9516HIGHCpanel::JSON::XS Denial of Service via UTF-8 BOM and Filter Callbacks
- CVE-2016-20064MEDIUMWP Vault 0.8.6.6 Arbitrary File Read via Directory Traversal
- CVE-2018-25384MEDIUMStored XSS in Wikidforum 2.20 Allows Authenticated Attackers to Inject Malicious Scripts
- CVE-2018-25387MEDIUMHaPe PKH 1.1 Cross-Site Request Forgery (CSRF) Admin Password Reset
- CVE-2018-25393MEDIUMNavigate CMS 2.8.5 Path Traversal Vulnerability (CVSS 6.5)