Description
Use-after-free in the JavaScript: WebAssembly component. This vulnerability was fixed in Firefox 150.0.3.
Published: 2026-05-12
Score: 7.3 High
EPSS: < 1% Very Low
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

Based on the description, it is inferred that a use‑after‑free bug in Mozilla Firefox’s JavaScript WebAssembly component allows an attacker to reference memory that has already been freed, potentially corrupting the execution flow of the browser. If triggered by malicious WebAssembly code embedded in a web page, the flaw can lead to arbitrary code execution or memory corruption, compromising the confidentiality, integrity or availability of the affected user’s system.

Affected Systems

Mozilla Firefox. All versions released before 150.0.3 are affected; the vulnerability was addressed in Firefox 150.0.3 and later.

Risk and Exploitability

The CVSS score is 7.3 and the EPSS score is < 1%, indicating a very low probability of exploitation in current real‑world scenarios. The vulnerability is not listed in CISA KEV. While the use‑after‑free flaw can enable arbitrary code execution if triggered by malicious WebAssembly code, the low EPSS suggests that exploitation is unlikely at present, yet the potential impact remains high, warranting prompt mitigation.

Generated by OpenCVE AI on May 20, 2026 at 02:22 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Upgrade to Firefox 150.0.3 or any newer release that contains the fix.
  • If an upgrade cannot be performed immediately, block or disable WebAssembly on untrusted sites by configuring the browser’s policy settings or by enforcing stricter content‑security‑policy directives.
  • Continue to monitor Mozilla’s security advisories for further updates and apply any additional mitigations that may be recommended as part of future releases.

Generated by OpenCVE AI on May 20, 2026 at 02:22 UTC.

Tracking

Sign in to view the affected projects.

Advisories

No advisories yet.

History

Wed, 20 May 2026 00:15:00 +0000

Type Values Removed Values Added
Weaknesses CWE-825
References
Metrics threat_severity

None

 threat_severity

Important

Thu, 14 May 2026 19:00:00 +0000

Type Values Removed Values Added
CPEs cpe:2.3:a:mozilla:firefox:*:*:*:*:-:*:*:*

Wed, 13 May 2026 19:30:00 +0000

Type Values Removed Values Added
Metrics cvssV3_1

{'score': 7.3, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:L'}

ssvc

{'options': {'Automatable': 'yes', 'Exploitation': 'none', 'Technical Impact': 'partial'}, 'version': '2.0.3'}

Tue, 12 May 2026 15:45:00 +0000

Type Values Removed Values Added
Weaknesses CWE-416

Tue, 12 May 2026 15:00:00 +0000

Type Values Removed Values Added
First Time appeared Mozilla
Mozilla firefox
Vendors & Products Mozilla
Mozilla firefox

Tue, 12 May 2026 13:30:00 +0000

Type Values Removed Values Added
Description Use-after-free in the JavaScript: WebAssembly component. This vulnerability was fixed in Firefox 150.0.3.
Title Use-after-free in the JavaScript: WebAssembly component
References

Subscriptions

Mozilla Firefox
cve-icon MITRE

Status: PUBLISHED

Assigner: mozilla

Published:

Updated: 2026-05-13T18:30:14.904Z

Reserved: 2026-05-12T12:36:13.277Z

Link: CVE-2026-8390

cve-icon Vulnrichment

Updated: 2026-05-13T18:30:05.899Z

cve-icon NVD

Status : Analyzed

Published: 2026-05-12T14:17:12.050

Modified: 2026-05-14T18:53:56.003

Link: CVE-2026-8390

cve-icon Redhat

Severity : Important

Publid Date: 2026-05-12T12:36:13Z

Links: CVE-2026-8390 - Bugzilla

cve-icon OpenCVE Enrichment

Updated: 2026-05-20T02:30:05Z

Weaknesses