CRITICAL🇵🇱 Wersja polska

CVE-2025-14330

CVSS 9.8v3.1pub. 2025-12-09upd. 2026-04-13

JIT miscompilation in the JavaScript Engine: JIT component. This vulnerability was fixed in Firefox 146, Firefox ESR 140.6, Thunderbird 146, and Thunderbird 140.6.

🤖 AI Analysis
How it works

The flaw affects the JIT component of the JavaScript engine, which compiles script code into machine instructions to accelerate execution. Incorrect compilation (miscompilation) can cause memory management errors, including buffer overflow (CWE-119), use of incorrect data types (CWE-843 — type confusion), and function call errors with incorrect argument types (CWE-686). An attacker can supply specially crafted JavaScript code which, after JIT compilation, generates incorrect instructions leading to arbitrary code execution.

Impact

A remote, unauthenticated attacker can potentially execute arbitrary code (RCE) in the context of the browser process or mail client, which may result in complete takeover of the application and compromise of the victim's system.

Mitigation & patch

The software must be immediately updated to Firefox 146, Firefox ESR 140.6, Thunderbird 146, or Thunderbird 140.6, in which the vulnerability has been removed. Detailed information is available in Mozilla security advisories at mfsa2025-92, mfsa2025-94, mfsa2025-95, and mfsa2025-96.

Who is affected

Mozilla Firefox prior to version 146, Mozilla Firefox ESR prior to version 140.6, Mozilla Thunderbird prior to version 146, and Mozilla Thunderbird ESR prior to version 140.6.

Analysis generated by Claude AI (Anthropic) based on NVD data. Always verify with vendor.
CVSS Vector
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
  • Mozilla Firefox

    APP
    Mozilla
    < 140.6.0< 146.0
  • Mozilla Thunderbird

    APP
    Mozilla
    < 140.6.0< 146.0
🔵
CHECK WITH VENDOR
No clear patch data available. Check vendor references.
CWE
References

Related vulnerabilities

CVE-2024-9680CRITICAL9.8⚠ KEVPL ✓ten sam produkt

Use-after-free w Animation timelines Firefox/Thunderbird — RCE

CVE-2022-26486CRITICAL9.6⚠ KEVten sam produkt

An unexpected message in the WebGPU IPC framework could lead to a use-after-free and exploitable sandbox escap...

CVE-2019-11708CRITICAL10.0⚠ KEVten sam produkt

Insufficient vetting of parameters passed with the Prompt:Open IPC message between child and parent processes ...

CVE-2010-3765CRITICAL9.8⚠ KEVten sam produkt

Mozilla Firefox 3.5.x through 3.5.14 and 3.6.x through 3.6.11, Thunderbird 3.1.6 before 3.1.6 and 3.0.x before...

CVE-2026-14241CRITICAL9.8ten sam produkt

Memory safety bugs present in Firefox 152.0.3. Some of these bugs showed evidence of memory corruption and we ...