Description
JIT miscompilation in the JavaScript: WebAssembly component. This vulnerability was fixed in Firefox 148 and Thunderbird 148.
Published: 2026-02-24
Score: 9.8 Critical
EPSS: < 1% Very Low
KEV: No
Impact: Remote Code Execution
Action: Immediate Patch
AI Analysis

Impact

This vulnerability is a miscompilation in the Just‑In‑Time compiler for the WebAssembly component of Mozilla products. The flaw is classified as CWE‑843, indicating a type confusion that can lead to unintended type handling, memory corruption, and ultimately arbitrary code execution. An attacker who can deliver malicious WebAssembly code to a vulnerable installation could gain full control over the affected process, compromising confidentiality, integrity and availability of the system.

Affected Systems

Mozilla Firefox and Mozilla Thunderbird are affected. The affected versions are all releases prior to Firefox 148 and Thunderbird 148. No other vendors or products are listed.

Risk and Exploitability

The CVSS score of 9.8 signals very high severity. The EPSS score of less than 1% suggests a low probability of widespread exploitation at this time, and the vulnerability is not currently listed in the CISA KEV catalog. Nonetheless, the lack of publicly disclosed exploits does not reduce the risk inherent in a high‑severity JIT fault. The likely attack vector is a malicious webpage or email message that exploits WebAssembly execution in a victim’s browser or email client.

Generated by OpenCVE AI on April 15, 2026 at 15:25 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Upgrade Mozilla Firefox to version 148 or later and upgrade Thunderbird to version 148 or later.
  • If an immediate upgrade is not feasible, block or disable WebAssembly execution (for example, by turning off the "javascript.options.wasm" preference or using group policy to disable WebAssembly).
  • Maintain updated antivirus, intrusion detection and application whitelisting controls to detect any anomalous activity that could indicate exploitation of this flaw.



Advisories

No advisories yet.

History

Mon, 13 Apr 2026 14:30:00 +0000

Type: Description
Values Removed: JIT miscompilation in the JavaScript: WebAssembly component. This vulnerability affects Firefox < 148 and Thunderbird < 148.
Values Added: JIT miscompilation in the JavaScript: WebAssembly component. This vulnerability was fixed in Firefox 148 and Thunderbird 148.

Sat, 28 Feb 2026 00:15:00 +0000


Fri, 27 Feb 2026 21:15:00 +0000

Type Values Removed Values Added
Metrics ssvc

{'options': {'Automatable': 'yes', 'Exploitation': 'none', 'Technical Impact': 'total'}, 'version': '2.0.3'}


Wed, 25 Feb 2026 18:45:00 +0000

Type Values Removed Values Added
Weaknesses CWE-843
CPEs cpe:2.3:a:mozilla:firefox:*:*:*:*:-:*:*:*
cpe:2.3:a:mozilla:thunderbird:*:*:*:*:-:*:*:*
Metrics cvssV3_1

{'score': 9.8, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H'}


Wed, 25 Feb 2026 12:00:00 +0000

Type Values Removed Values Added
First Time appeared Mozilla
Mozilla firefox
Mozilla thunderbird
Vendors & Products Mozilla
Mozilla firefox
Mozilla thunderbird

Tue, 24 Feb 2026 18:00:00 +0000

Type: Description
Values Removed: JIT miscompilation in the JavaScript: WebAssembly component. This vulnerability affects Firefox < 148.
Values Added: JIT miscompilation in the JavaScript: WebAssembly component. This vulnerability affects Firefox < 148 and Thunderbird < 148.
References

Tue, 24 Feb 2026 14:00:00 +0000

Type Values Removed Values Added
Description JIT miscompilation in the JavaScript: WebAssembly component. This vulnerability affects Firefox < 148.
Title JIT miscompilation in the JavaScript: WebAssembly component
References

MITRE

Status: PUBLISHED

Assigner: mozilla

Published:

Updated: 2026-04-13T13:54:13.816Z

Reserved: 2026-02-19T15:06:43.289Z

Link: CVE-2026-2796

Vulnrichment

Updated: 2026-02-27T20:49:11.113Z

NVD

Status: Modified

Published: 2026-02-24T14:16:28.100

Modified: 2026-04-13T15:17:28.997

Link: CVE-2026-2796

Redhat

Severity: Important

Public Date: 2026-02-24T13:33:26Z

Links: CVE-2026-2796 - Bugzilla

OpenCVE Enrichment

Updated: 2026-04-15T17:15:10Z

Weaknesses