Description
JIT miscompilation in the JavaScript: WebAssembly component. This vulnerability was fixed in Firefox 152 and Thunderbird 152.
Published: 2026-06-16
Score: 5.4 Medium
EPSS: < 1% Very Low
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

The vulnerability is a JIT miscompilation within the JavaScript: WebAssembly component of Mozilla’s software. It can lead to incorrect program behavior or crashes when executing WebAssembly code. The associated weakness falls under CWE‑670 and CWE‑733, indicating a problem with just‑in‑time compilation or runtime binding.

Affected Systems

Mozilla Firefox and Mozilla Thunderbird are affected. Versions earlier than Firefox 152 and Thunderbird 152 contain the bug; the issue was addressed in the 152 releases of both products.

Risk and Exploitability

The CVSS score of 5.4 classifies the vulnerability as moderate severity. The EPSS score of less than 1 % suggests that exploitation is unlikely, and the issue is not listed in CISA’s KEV catalog. The likely attack vector involves execution of user‑controlled WebAssembly code in a browser, requiring an active user session or malicious web page. Exploitation would be confined to the local environment of the compromised browser instance and would primarily result in crashes or incorrect behavior rather than remote code execution.

Generated by OpenCVE AI on June 25, 2026 at 13:25 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Update to Firefox 152 or newer to obtain the fix.
  • Update to Thunderbird 152 or newer to obtain the fix.
  • If an upgrade cannot be performed immediately, disable WebAssembly execution in browser settings or via enterprise policy to reduce the attack surface.

Generated by OpenCVE AI on June 25, 2026 at 13:25 UTC.

Tracking

Sign in to view the affected projects.

Advisories

No advisories yet.

History

Thu, 25 Jun 2026 12:45:00 +0000


Tue, 16 Jun 2026 20:45:00 +0000

Type Values Removed Values Added
First Time appeared Mozilla thunderbird
CPEs cpe:2.3:a:mozilla:firefox:*:*:*:*:-:*:*:*
cpe:2.3:a:mozilla:thunderbird:*:*:*:*:-:*:*:*
Vendors & Products Mozilla thunderbird

Tue, 16 Jun 2026 16:45:00 +0000

Type Values Removed Values Added
Description JIT miscompilation in the JavaScript: WebAssembly component. This vulnerability was fixed in Firefox 152. JIT miscompilation in the JavaScript: WebAssembly component. This vulnerability was fixed in Firefox 152 and Thunderbird 152.
References

Tue, 16 Jun 2026 15:30:00 +0000

Type Values Removed Values Added
Weaknesses CWE-670
Metrics cvssV3_1

{'score': 5.4, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:L/I:L/A:N'}

ssvc

{'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'partial'}, 'version': '2.0.3'}


Tue, 16 Jun 2026 15:00:00 +0000

Type Values Removed Values Added
First Time appeared Mozilla
Mozilla firefox
Vendors & Products Mozilla
Mozilla firefox

Tue, 16 Jun 2026 13:15:00 +0000

Type Values Removed Values Added
Description JIT miscompilation in the JavaScript: WebAssembly component. This vulnerability was fixed in Firefox 152.
Title JIT miscompilation in the JavaScript: WebAssembly component
References

Subscriptions

Mozilla Firefox Thunderbird
cve-icon MITRE

Status: PUBLISHED

Assigner: mozilla

Published:

Updated: 2026-06-16T16:08:42.470Z

Reserved: 2026-06-15T15:08:19.456Z

Link: CVE-2026-12321

cve-icon Vulnrichment

Updated: 2026-06-16T15:11:27.444Z

cve-icon NVD

Status : Analyzed

Published: 2026-06-16T13:16:32.823

Modified: 2026-06-16T20:41:27.217

Link: CVE-2026-12321

cve-icon Redhat

Severity : Low

Publid Date: 2026-06-16T11:52:54Z

Links: CVE-2026-12321 - Bugzilla

cve-icon OpenCVE Enrichment

Updated: 2026-06-25T13:30:15Z

Weaknesses
  • CWE-670

    Always-Incorrect Control Flow Implementation

  • CWE-733

    Compiler Optimization Removal or Modification of Security-critical Code