JIT miscompilation in the JavaScript Engine: JIT component. This vulnerability was fixed in Firefox 146, Firefox ESR 140.6, Thunderbird 146, and Thunderbird 140.6.
The flaw affects the JIT component of the JavaScript engine, which compiles script code into machine instructions to accelerate execution. Incorrect compilation (miscompilation) can cause memory management errors, including buffer overflow (CWE-119), use of incorrect data types (CWE-843 — type confusion), and function call errors with incorrect argument types (CWE-686). An attacker can supply specially crafted JavaScript code which, after JIT compilation, generates incorrect instructions leading to arbitrary code execution.
A remote, unauthenticated attacker can potentially execute arbitrary code (RCE) in the context of the browser process or mail client, which may result in complete takeover of the application and compromise of the victim's system.
The software must be immediately updated to Firefox 146, Firefox ESR 140.6, Thunderbird 146, or Thunderbird 140.6, in which the vulnerability has been removed. Detailed information is available in Mozilla security advisories at mfsa2025-92, mfsa2025-94, mfsa2025-95, and mfsa2025-96.
Mozilla Firefox prior to version 146, Mozilla Firefox ESR prior to version 140.6, Mozilla Thunderbird prior to version 146, and Mozilla Thunderbird ESR prior to version 140.6.
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:HMozilla Firefox
APPMozilla< 140.6.0< 146.0Mozilla Thunderbird
APPMozilla< 140.6.0< 146.0
Related vulnerabilities
Use-after-free w Animation timelines Firefox/Thunderbird — RCE
An unexpected message in the WebGPU IPC framework could lead to a use-after-free and exploitable sandbox escap...
Insufficient vetting of parameters passed with the Prompt:Open IPC message between child and parent processes ...
Mozilla Firefox 3.5.x through 3.5.14 and 3.6.x through 3.6.11, Thunderbird 3.1.6 before 3.1.6 and 3.0.x before...
Memory safety bugs present in Firefox 152.0.3. Some of these bugs showed evidence of memory corruption and we ...