CRITICAL🇵🇱 Wersja polska

CVE-2026-2796

CVSS 9.8v3.1pub. 2026-02-24upd. 2026-06-30

JIT miscompilation in the JavaScript: WebAssembly component. This vulnerability was fixed in Firefox 148 and Thunderbird 148.

🤖 AI Analysis
How it works

The vulnerability consists of incorrect code compilation by the JIT engine during JavaScript/WebAssembly component processing — memory resources are read or written using an incompatible type (type confusion, CWE-843). An attacker can craft a malicious website or email message with embedded WebAssembly/JavaScript code, which when processed by the vulnerable engine leads to memory corruption. The vulnerability does not require user interaction beyond standard content opening, and exploitation can be performed remotely over the network.

Impact

Successful exploitation of this vulnerability may allow an attacker to gain full control over the browser or mail client process, including reading and modifying data as well as potential arbitrary code execution (RCE) in the context of the logged-in user.

Mitigation & patch

Mozilla Firefox should be immediately updated to version 148 or later, and Mozilla Thunderbird should be updated to version 148 or later, in which the vulnerability has been patched. Details are available in Mozilla security advisories: mfsa2026-13 and mfsa2026-16.

Who is affected

Mozilla Firefox in versions prior to 148 and Mozilla Thunderbird in versions prior to 148.

Analysis generated by Claude AI (Anthropic) based on NVD data. Always verify with vendor.
CVSS Vector
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
  • Mozilla Firefox

    APP
    Mozilla
    < 148.0
  • Mozilla Thunderbird

    APP
    Mozilla
    < 148.0
🔵
CHECK WITH VENDOR
No clear patch data available. Check vendor references.
CWE
References

Related vulnerabilities

CVE-2024-9680CRITICAL9.8⚠ KEVPL ✓ten sam produkt

Use-after-free w Animation timelines Firefox/Thunderbird — RCE

CVE-2022-26486CRITICAL9.6⚠ KEVten sam produkt

An unexpected message in the WebGPU IPC framework could lead to a use-after-free and exploitable sandbox escap...

CVE-2019-11708CRITICAL10.0⚠ KEVten sam produkt

Insufficient vetting of parameters passed with the Prompt:Open IPC message between child and parent processes ...

CVE-2010-3765CRITICAL9.8⚠ KEVten sam produkt

Mozilla Firefox 3.5.x through 3.5.14 and 3.6.x through 3.6.11, Thunderbird 3.1.6 before 3.1.6 and 3.0.x before...

CVE-2026-14241CRITICAL9.8ten sam produkt

Memory safety bugs present in Firefox 152.0.3. Some of these bugs showed evidence of memory corruption and we ...