On arm64, a WASM `br_table` instruction with a lot of entries could lead to the label being too far from the instruction causing truncation and incorrect computation of the branch address. This vulnerability was fixed in Firefox 141, Firefox ESR 115.26, Firefox ESR 128.13, Firefox ESR 140.1, Thunderbird 141, Thunderbird 128.13, and Thunderbird 140.1.
The `br_table` instruction in WebAssembly (WASM) handles jumps to multiple labels. On the arm64 platform, the JIT compiler generates machine code in which the target label may be located too far from the jump instruction, exceeding the range allowed by the architecture. This causes truncation — address truncation — and as a result, an incorrect branch address calculation. An incorrectly determined jump address can lead to execution of unintended code or corruption of the runtime environment's memory state.
An attacker can cause unpredictable code execution in the context of the browser or mail client, which with the vulnerability classified as CWE-1332 (insufficient processor instruction safeguards) poses a risk of breach of confidentiality, integrity, and system availability.
Software must be updated to versions: Firefox 141, Firefox ESR 115.26, Firefox ESR 128.13, Firefox ESR 140.1, Thunderbird 141, Thunderbird 128.13, or Thunderbird 140.1. Details are available in Mozilla security advisories (MFSA2025-56, MFSA2025-57, MFSA2025-58, MFSA2025-59).
Mozilla Firefox before version 141, Firefox ESR before versions 115.26, 128.13, and 140.1, Mozilla Thunderbird before version 141, Thunderbird before versions 128.13 and 140.1 — only on devices with arm64 architecture.
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:HMozilla Firefox
APPMozilla< 115.26.0< 141.0128.0 – 128.13.0 (bez)140.0 – 140.1.0 (bez)Mozilla Thunderbird
APPMozilla< 128.13.0< 141.0140.0 – 140.1.0 (bez)
Related vulnerabilities
Use-after-free w Animation timelines Firefox/Thunderbird — RCE
An unexpected message in the WebGPU IPC framework could lead to a use-after-free and exploitable sandbox escap...
Insufficient vetting of parameters passed with the Prompt:Open IPC message between child and parent processes ...
Mozilla Firefox 3.5.x through 3.5.14 and 3.6.x through 3.6.11, Thunderbird 3.1.6 before 3.1.6 and 3.0.x before...
Memory safety bugs present in Firefox 152.0.3. Some of these bugs showed evidence of memory corruption and we ...