Description
Information disclosure due to JIT miscompilation in the JavaScript Engine: JIT component. This vulnerability was fixed in Firefox 148, Firefox ESR 140.8, Thunderbird 148, and Thunderbird 140.8.
Published: 2026-02-24
Score: 6.5 Medium
EPSS: < 1% Very Low
KEV: No
Impact: Information Disclosure
Action: Immediate Patch
AI Analysis

Impact

The vulnerability stems from a miscompilation in the Just-In-Time compiler of the JavaScript engine, which permits a user to read memory content that should not be accessible. This leads to local information disclosure and is classified as CWE-200 (Exposure of Sensitive Information to an Unauthorized Actor) and CWE-843 (Access of Resource Using Incompatible Type, also known as type confusion).

Affected Systems

The issue affects Mozilla Firefox and Thunderbird, including their ESR branches, on all versions released before Firefox 148, Firefox ESR 140.8, Thunderbird 148, and Thunderbird ESR 140.8. Users on these earlier builds are susceptible to the disclosed flaw.

Risk and Exploitability

The vulnerability carries a CVSS score of 6.5 and an EPSS score of less than 1 percent, indicating a moderate severity but low probability of exploitation at this time. It does not appear in the CISA KEV catalog. The likely attack vector involves malicious JavaScript executed in a web page or email, enabling a local or remote attacker to trigger the JIT miscompilation. Based on the description, the attack requires the victim to render malicious content, though further details are not explicitly provided.

Generated by OpenCVE AI on April 15, 2026 at 15:30 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Upgrade to the latest release of Firefox or Thunderbird that includes the fix (Firefox 148 or newer, Firefox ESR 140.8 or newer, Thunderbird 148 or newer, Thunderbird ESR 140.8 or newer).
  • If an update cannot be applied immediately, disable JavaScript execution or the JIT engine in the browser or email client settings to reduce the risk of exploitation.
  • Continuously monitor Mozilla’s security advisories and update the software as soon as newer patches become available.

Advisories
Source      ID          Title
Debian DLA  DLA-4495-1  thunderbird security update
Debian DLA  DLA-4496-1  firefox-esr security update
Debian DSA  DSA-6148-1  firefox-esr security update
Debian DSA  DSA-6152-1  thunderbird security update

History

Mon, 13 Apr 2026 14:30:00 +0000

Type: Description
Values Removed: Information disclosure due to JIT miscompilation in the JavaScript Engine: JIT component. This vulnerability affects Firefox < 148, Firefox ESR < 140.8, Thunderbird < 148, and Thunderbird < 140.8.
Values Added: Information disclosure due to JIT miscompilation in the JavaScript Engine: JIT component. This vulnerability was fixed in Firefox 148, Firefox ESR 140.8, Thunderbird 148, and Thunderbird 140.8.

Fri, 27 Feb 2026 17:15:00 +0000

Type: Metrics
Values Removed:
cvssV3_1 {'score': 7.5, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N'}
Values Added:
ssvc {'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'partial'}, 'version': '2.0.3'}
cvssV3_1 {'score': 6.5, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:N/A:N'}


Thu, 26 Feb 2026 21:30:00 +0000

Type: Weaknesses
Values Added: CWE-200

Wed, 25 Feb 2026 18:00:00 +0000

Type: Weaknesses
Values Added: CWE-843

Type: CPEs
Values Added:
cpe:2.3:a:mozilla:firefox:*:*:*:*:-:*:*:*
cpe:2.3:a:mozilla:firefox:*:*:*:*:esr:*:*:*
cpe:2.3:a:mozilla:thunderbird:*:*:*:*:-:*:*:*
cpe:2.3:a:mozilla:thunderbird:*:*:*:*:esr:*:*:*

Type: Metrics
Values Removed:
cvssV3_1 {'score': 6.1, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N'}
Values Added:
cvssV3_1 {'score': 7.5, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N'}


Wed, 25 Feb 2026 12:00:00 +0000

Type: First Time appeared
Values Added: Mozilla; Mozilla firefox; Mozilla firefox Esr; Mozilla thunderbird

Type: Vendors & Products
Values Added: Mozilla; Mozilla firefox; Mozilla firefox Esr; Mozilla thunderbird

Wed, 25 Feb 2026 00:15:00 +0000

Type: References

Type: Metrics
Values Removed:
threat_severity None
Values Added:
cvssV3_1 {'score': 6.1, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N'}
threat_severity Moderate


Tue, 24 Feb 2026 18:00:00 +0000

Type: Description
Values Removed: Information disclosure due to JIT miscompilation in the JavaScript Engine: JIT component. This vulnerability affects Firefox < 148 and Firefox ESR < 140.8.
Values Added: Information disclosure due to JIT miscompilation in the JavaScript Engine: JIT component. This vulnerability affects Firefox < 148, Firefox ESR < 140.8, Thunderbird < 148, and Thunderbird < 140.8.

Type: References

Tue, 24 Feb 2026 14:00:00 +0000

Type: Description
Values Added: Information disclosure due to JIT miscompilation in the JavaScript Engine: JIT component. This vulnerability affects Firefox < 148 and Firefox ESR < 140.8.

Type: Title
Values Added: Information disclosure due to JIT miscompilation in the JavaScript Engine: JIT component

Type: References

MITRE

Status: PUBLISHED

Assigner: mozilla

Published:

Updated: 2026-04-13T13:53:30.360Z

Reserved: 2026-02-19T15:06:17.478Z

Link: CVE-2026-2783

Vulnrichment

Updated: 2026-02-26T20:09:40.700Z

NVD

Status: Modified

Published: 2026-02-24T14:16:26.747

Modified: 2026-04-13T15:17:26.120

Link: CVE-2026-2783

Redhat

Severity: Moderate

Public Date: 2026-02-24T13:33:16Z

Links: CVE-2026-2783 - Bugzilla

OpenCVE Enrichment

Updated: 2026-04-15T17:15:10Z

Weaknesses