JIT miscompilation in the JavaScript Engine: JIT component. This vulnerability was fixed in Firefox 145 and Thunderbird 145.
The vulnerability stems from improper compilation of JavaScript code by the JIT (Just-In-Time) component of the JavaScript engine. The JIT compiler transforms JavaScript code into native processor instructions to accelerate execution — faulty compilation can lead to unpredictable memory behavior or unintended machine code execution. Classified as CWE-733 (Improper JIT Compilation), the vulnerability can be triggered by specially crafted JavaScript code delivered, for example, through a malicious website.
An attacker can compromise the confidentiality, integrity, and availability of the system, potentially gaining the ability to execute arbitrary code remotely (RCE) in the context of the victim's browser or email client.
Mozilla Firefox should be updated to version 145 or later, and Mozilla Thunderbird should be updated to version 145 or later. The patch is available through official Mozilla distribution channels.
Mozilla Firefox versions prior to 145 and Mozilla Thunderbird versions prior to 145.
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:HMozilla Firefox
APPMozilla< 145.0
Related vulnerabilities
Use-after-free w Animation timelines Firefox/Thunderbird — RCE
An unexpected message in the WebGPU IPC framework could lead to a use-after-free and exploitable sandbox escap...
Insufficient vetting of parameters passed with the Prompt:Open IPC message between child and parent processes ...
Mozilla Firefox 3.5.x through 3.5.14 and 3.6.x through 3.6.11, Thunderbird 3.1.6 before 3.1.6 and 3.0.x before...
Memory safety bugs present in Firefox 152.0.3. Some of these bugs showed evidence of memory corruption and we ...