Recompiling the regular expression pattern during a replace can cause the code to reuse a freed string, but only if the string is freed from the cache by allocating and freeing a number of strings of certain size. CVE-2015-2482: http://www.cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-2482 ZDI-15-515: http://www.zerodayinitiative.com/advisories/ZDI-15-515/ MS15-108: https://technet.microsoft.com/en-us/library/security/MS15-108 Repro: Repro-in-a-tweet: https://twitter.com/berendjanwever/status/654048253047140352 Cheers, SkyLined Follow me on twitter for a new browser bug every* day! https://twitter.com/berendjanwever (* might be more than one some days)