Description
On 64-bit platforms IonMonkey-JIT only wrote 32 bits of the 64-bit return value space on the stack. Baseline-JIT, however, read the entire 64 bits. This vulnerability was fixed in Firefox 141, Firefox ESR 115.26, Firefox ESR 128.13, Firefox ESR 140.1, Thunderbird 141, Thunderbird 128.13, and Thunderbird 140.1.
Published: 2025-07-22
Score: 6.5 Medium
EPSS: < 1% Very Low
KEV: No
Impact: Partial stack value write in IonMonkey-JIT on 64-bit platforms
Action: Apply patch
AI Analysis

Impact

On 64‑bit platforms the IonMonkey JavaScript JIT writes only half of the 64‑bit return value onto the stack, while the baseline JIT reads the full 64 bits. This mismatch causes the return value that is read to not match what was written, potentially leading to inconsistent or incorrect behavior during script execution.

Affected Systems

The issue affects Mozilla Firefox and Thunderbird running on 64‑bit operating systems. Versions before the security updates are impacted: Firefox 141 and earlier, as well as the Firefox ESR releases 115.26, 128.13, and 140.1; and Thunderbird 141 and earlier, together with the Thunderbird ESR releases 128.13 and 140.1.

Risk and Exploitability

The CVSS score of 6.5 indicates moderate severity, and an EPSS score of < 1 % suggests a very low likelihood of exploitation. The vulnerability is not listed in CISA’s KEV catalog. Likely attackers would need to inject or execute malicious JavaScript within the browser or mail client to trigger the IonMonkey JIT’s truncated write. No publicly disclosed exploits are available for this issue.

Generated by OpenCVE AI on April 22, 2026 at 01:03 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Upgrade Firefox to 141 or a later ESR release (115.26, 128.13, 140.1) and upgrade Thunderbird to 141 or a later ESR release (128.13, 140.1).
  • Restart the updated browsers or mail client to ensure the patched binaries are running.
  • Restrict or disable third‑party extensions or scripts that inject JavaScript until the update is applied.

Generated by OpenCVE AI on April 22, 2026 at 01:03 UTC.

Tracking

Sign in to view the affected projects.

Advisories
Source ID Title
Debian DLA Debian DLA DLA-4250-1 firefox-esr security update
Debian DLA Debian DLA DLA-4253-1 thunderbird security update
Debian DSA Debian DSA DSA-5964-1 firefox-esr security update
Debian DSA Debian DSA DSA-5966-1 thunderbird security update
EUVD EUVD EUVD-2025-22372 On 64-bit platforms IonMonkey-JIT only wrote 32 bits of the 64-bit return value space on the stack. Baseline-JIT, however, read the entire 64 bits. This vulnerability affects Firefox < 141, Firefox ESR < 115.26, Firefox ESR < 128.13, Firefox ESR < 140.1, Thunderbird < 141, Thunderbird < 128.13, and Thunderbird < 140.1.
Ubuntu USN Ubuntu USN USN-7991-1 Thunderbird vulnerabilities
History

Mon, 13 Apr 2026 15:00:00 +0000

Type Values Removed Values Added
Description On 64-bit platforms IonMonkey-JIT only wrote 32 bits of the 64-bit return value space on the stack. Baseline-JIT, however, read the entire 64 bits. This vulnerability affects Firefox < 141, Firefox ESR < 115.26, Firefox ESR < 128.13, Firefox ESR < 140.1, Thunderbird < 141, Thunderbird < 128.13, and Thunderbird < 140.1. On 64-bit platforms IonMonkey-JIT only wrote 32 bits of the 64-bit return value space on the stack. Baseline-JIT, however, read the entire 64 bits. This vulnerability was fixed in Firefox 141, Firefox ESR 115.26, Firefox ESR 128.13, Firefox ESR 140.1, Thunderbird 141, Thunderbird 128.13, and Thunderbird 140.1.

Mon, 03 Nov 2025 20:30:00 +0000

Type Values Removed Values Added
References

Thu, 30 Oct 2025 16:15:00 +0000

Type Values Removed Values Added
Title firefox: thunderbird: JavaScript engine only wrote partial return value to stack JavaScript engine only wrote partial return value to stack

Tue, 29 Jul 2025 12:30:00 +0000

Type Values Removed Values Added
Title firefox: thunderbird: JavaScript engine only wrote partial return value to stack
First Time appeared Redhat
Redhat enterprise Linux
CPEs cpe:/a:redhat:enterprise_linux:8
cpe:/a:redhat:enterprise_linux:9
cpe:/o:redhat:enterprise_linux:10.0
Vendors & Products Redhat
Redhat enterprise Linux
References
Metrics threat_severity

None

 threat_severity

Important

Mon, 28 Jul 2025 18:45:00 +0000

Type Values Removed Values Added
CPEs cpe:2.3:a:mozilla:firefox:*:*:*:*:-:*:*:*
cpe:2.3:a:mozilla:firefox:*:*:*:*:esr:*:*:*
cpe:2.3:a:mozilla:thunderbird:*:*:*:*:-:*:*:*
cpe:2.3:a:mozilla:thunderbird:*:*:*:*:esr:*:*:*

Wed, 23 Jul 2025 17:45:00 +0000

Type Values Removed Values Added
First Time appeared Mozilla
Mozilla firefox
Mozilla firefox Esr
Mozilla thunderbird
Vendors & Products Mozilla
Mozilla firefox
Mozilla firefox Esr
Mozilla thunderbird

Wed, 23 Jul 2025 14:15:00 +0000

Type Values Removed Values Added
Weaknesses CWE-457
Metrics cvssV3_1

{'score': 6.5, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:N/A:N'}

ssvc

{'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'partial'}, 'version': '2.0.3'}

Tue, 22 Jul 2025 21:00:00 +0000

Type Values Removed Values Added
Description On 64-bit platforms IonMonkey-JIT only wrote 32 bits of the 64-bit return value space on the stack. Baseline-JIT, however, read the entire 64 bits. This vulnerability affects Firefox < 141, Firefox ESR < 115.26, Firefox ESR < 128.13, Firefox ESR < 140.1, Thunderbird < 141, Thunderbird < 128.13, and Thunderbird < 140.1.
References

Subscriptions

Mozilla Firefox Firefox Esr Thunderbird
Redhat Enterprise Linux
cve-icon MITRE

Status: PUBLISHED

Assigner: mozilla

Published:

Updated: 2026-04-13T14:26:46.624Z

Reserved: 2025-07-22T10:13:47.266Z

Link: CVE-2025-8027

cve-icon Vulnrichment

Updated: 2025-11-03T20:07:44.121Z

cve-icon NVD

Status : Modified

Published: 2025-07-22T21:15:49.830

Modified: 2026-04-13T15:17:08.497

Link: CVE-2025-8027

cve-icon Redhat

Severity : Important

Publid Date: 2025-07-22T20:49:24Z

Links: CVE-2025-8027 - Bugzilla

cve-icon OpenCVE Enrichment

Updated: 2026-04-22T01:15:07Z

Weaknesses