CRITICAL🇵🇱 Wersja polska

CVE-2026-4698

CVSS 9.8v3.1pub. 2026-03-24upd. 2026-06-30

JIT miscompilation in the JavaScript Engine: JIT component. This vulnerability was fixed in Firefox 149, Firefox ESR 115.34, Firefox ESR 140.9, Thunderbird 149, and Thunderbird 140.9.

🤖 AI Analysis
How it works

The JIT (Just-In-Time compilation) component of the JavaScript engine performs incorrect code compilation, leading to a situation where a memory value is interpreted as a different type than what was actually assigned to it (type confusion, CWE-843). An attacker can craft malicious JavaScript code and trick the victim into visiting a controlled website or opening a malicious message, which triggers the faulty JIT compilation process. As a result, arbitrary operations can be executed in the context of the browser or email client process.

Impact

An attacker can achieve full remote code execution (RCE) on the victim's machine, potentially gaining the ability to compromise confidentiality, integrity, and availability of the system at the highest level.

Mitigation & patch

Software should be updated immediately to the following versions: Firefox 149, Firefox ESR 115.34, Firefox ESR 140.9, Thunderbird 149 or Thunderbird 140.9, in which the bug has been fixed by the vendor.

Who is affected

Mozilla Firefox versions before 149, Mozilla Firefox ESR versions before 115.34 and before 140.9, Mozilla Thunderbird versions before 149 and before 140.9.

Analysis generated by Claude AI (Anthropic) based on NVD data. Always verify with vendor.
CVSS Vector
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
  • Mozilla Firefox

    APP
    Mozilla
    < 115.34.0< 149.0128.0 – 140.9.0 (bez)
🔵
CHECK WITH VENDOR
No clear patch data available. Check vendor references.
CWE
References

Related vulnerabilities

CVE-2024-9680CRITICAL9.8⚠ KEVPL ✓ten sam produkt

Use-after-free w Animation timelines Firefox/Thunderbird — RCE

CVE-2022-26486CRITICAL9.6⚠ KEVten sam produkt

An unexpected message in the WebGPU IPC framework could lead to a use-after-free and exploitable sandbox escap...

CVE-2019-11708CRITICAL10.0⚠ KEVten sam produkt

Insufficient vetting of parameters passed with the Prompt:Open IPC message between child and parent processes ...

CVE-2010-3765CRITICAL9.8⚠ KEVten sam produkt

Mozilla Firefox 3.5.x through 3.5.14 and 3.6.x through 3.6.11, Thunderbird 3.1.6 before 3.1.6 and 3.0.x before...

CVE-2026-14241CRITICAL9.8ten sam produkt

Memory safety bugs present in Firefox 152.0.3. Some of these bugs showed evidence of memory corruption and we ...