Description
JIT miscompilation in the JavaScript Engine: JIT component. This vulnerability was fixed in Firefox 146, Firefox ESR 140.6, Thunderbird 146, and Thunderbird 140.6.
Published: 2025-12-09
Score: 7.3 High
EPSS: < 1% Very Low
KEV: No
Impact: Potential arbitrary native code execution
Action: Apply Patch
AI Analysis

Impact

The flaw is a miscompilation bug in the JavaScript engine’s JIT component, leading to incorrect machine code generation. Based on the nature of JIT miscompilation, the vulnerability could permit execution of arbitrary native code, but this impact is inferred from the description. The weakness relates to CWE‑843 (data conversion errors) and CWE‑94 (code injection).

Affected Systems

Mozilla products are affected, specifically Firefox and Thunderbird, including their ESR branches. Versions before Firefox 146, Firefox ESR 140.6, Thunderbird 146, and Thunderbird ESR 140.6 are vulnerable.

Risk and Exploitability

The CVSS score of 7.3 indicates high severity, while the EPSS score of less than 1 % suggests a low probability of exploitation currently. The vulnerability is not listed in CISA’s KEV catalog. The likely attack vector is delivery of malicious JavaScript through a web page or webmail interface, inferred from the vulnerability affecting a JavaScript engine. Exploitation would require the attacker to supply crafted JavaScript to the victim’s machine, which may be achieved via compromised websites or phishing emails. No public exploit is available, and the low EPSS score mitigates immediate threat, but the high severity warrants prompt remediation.

Generated by OpenCVE AI on April 20, 2026 at 21:33 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Update Firefox to version 146 or later, or to the ESR 140.6 release series.
  • Update Thunderbird to version 146 or later, or to the ESR 140.6 release series.
  • As an interim measure, apply strict content security policies or sandboxing to limit execution of untrusted JavaScript if an upgrade cannot be performed immediately.

Generated by OpenCVE AI on April 20, 2026 at 21:33 UTC.

Tracking

Sign in to view the affected projects.

Advisories
Source ID Title
Debian DLA Debian DLA DLA-4401-1 firefox-esr security update
Debian DLA Debian DLA DLA-4405-1 thunderbird security update
Debian DSA Debian DSA DSA-6078-1 firefox-esr security update
Debian DSA Debian DSA DSA-6081-1 thunderbird security update
Ubuntu USN Ubuntu USN USN-7991-1 Thunderbird vulnerabilities
History

Mon, 13 Apr 2026 15:00:00 +0000

Type Values Removed Values Added
Description JIT miscompilation in the JavaScript Engine: JIT component. This vulnerability affects Firefox < 146, Firefox ESR < 140.6, Thunderbird < 146, and Thunderbird < 140.6. JIT miscompilation in the JavaScript Engine: JIT component. This vulnerability was fixed in Firefox 146, Firefox ESR 140.6, Thunderbird 146, and Thunderbird 140.6.

Wed, 07 Jan 2026 16:15:00 +0000

Type Values Removed Values Added
Weaknesses CWE-843

Wed, 10 Dec 2025 20:45:00 +0000

Type Values Removed Values Added
First Time appeared Mozilla thunderbird
Weaknesses NVD-CWE-noinfo
CPEs cpe:2.3:a:mozilla:firefox:*:*:*:*:-:*:*:*
cpe:2.3:a:mozilla:firefox:*:*:*:*:esr:*:*:*
cpe:2.3:a:mozilla:thunderbird:*:*:*:*:-:*:*:*
cpe:2.3:a:mozilla:thunderbird:*:*:*:*:esr:*:*:*
Vendors & Products Mozilla thunderbird

Wed, 10 Dec 2025 18:00:00 +0000

Type Values Removed Values Added
First Time appeared Mozilla
Mozilla firefox
Mozilla firefox Esr
Vendors & Products Mozilla
Mozilla firefox
Mozilla firefox Esr

Wed, 10 Dec 2025 14:45:00 +0000

Type Values Removed Values Added
Description JIT miscompilation in the JavaScript Engine: JIT component. This vulnerability affects Firefox < 146 and Firefox ESR < 140.6. JIT miscompilation in the JavaScript Engine: JIT component. This vulnerability affects Firefox < 146, Firefox ESR < 140.6, Thunderbird < 146, and Thunderbird < 140.6.
References

Wed, 10 Dec 2025 00:15:00 +0000

Type Values Removed Values Added
Weaknesses CWE-94
References
Metrics threat_severity

None

 threat_severity

Important

Tue, 09 Dec 2025 17:15:00 +0000

Type Values Removed Values Added
Metrics cvssV3_1

{'score': 7.3, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:L'}

ssvc

{'options': {'Automatable': 'yes', 'Exploitation': 'none', 'Technical Impact': 'partial'}, 'version': '2.0.3'}

Tue, 09 Dec 2025 13:45:00 +0000

Type Values Removed Values Added
Description JIT miscompilation in the JavaScript Engine: JIT component. This vulnerability affects Firefox < 146 and Firefox ESR < 140.6.
Title JIT miscompilation in the JavaScript Engine: JIT component
References

Subscriptions

Mozilla Firefox Firefox Esr Thunderbird
cve-icon MITRE

Status: PUBLISHED

Assigner: mozilla

Published:

Updated: 2026-04-13T14:25:35.644Z

Reserved: 2025-12-09T13:37:58.128Z

Link: CVE-2025-14325

cve-icon Vulnrichment

Updated: 2025-12-09T17:03:49.043Z

cve-icon NVD

Status : Modified

Published: 2025-12-09T16:17:40.010

Modified: 2026-04-13T15:16:45.593

Link: CVE-2025-14325

cve-icon Redhat

Severity : Important

Publid Date: 2025-12-09T13:37:58Z

Links: CVE-2025-14325 - Bugzilla

cve-icon OpenCVE Enrichment

Updated: 2026-04-20T21:45:18Z

Weaknesses