Impact
JIT miscompilation occurs in the DOM: Core & HTML component, causing the just‑in‑time compiler to generate incorrect machine code for certain JavaScript execution paths. The flaw involves an improper conversion of data (CWE‑843) and may also stem from a missing default case in switch handling (CWE‑733). The resulting undesired execution behavior could enable an attacker to run non‑intended code within the browser or email client process.
Affected Systems
Mozilla Firefox versions 152 and the ESR branches 140.12 and 115.37, and Mozilla Thunderbird versions 152 and the ESR branch 140.12 are affected. Any client running these releases or older ones is vulnerable.
Risk and Exploitability
The CVSS score of 5.4 indicates a moderate severity. The EPSS score of less than 1% suggests a low probability of exploitation at the time of this analysis, and the vulnerability is not listed in the CISA KEV catalog. Based on the nature of the JIT miscompilation, the likely attack vector involves a malicious web page or embedded content that executes JavaScript, though this is inferred from the description and not verified by any exploitation evidence.
OpenCVE Enrichment
Debian DLA
Debian DSA