CVE-2025-8027

MEDIUM
2025-07-22
6.5
CVSS 3.1

CVSS Vector (NVD)

CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:N/A:N
Attack Vector: Network
Attack Complexity: Low
Privileges Required: None
User Interaction: Required
Scope: Unchanged
Confidentiality: High
Integrity: None
Availability: None

Lifecycle Timeline

Analysis Generated: Apr 13, 2026 - 15:44 (vuln.today)

Description (NVD)

On 64-bit platforms IonMonkey-JIT only wrote 32 bits of the 64-bit return value space on the stack. Baseline-JIT, however, read the entire 64 bits. This vulnerability was fixed in Firefox 141, Firefox ESR 115.26, Firefox ESR 128.13, Firefox ESR 140.1, Thunderbird 141, Thunderbird 128.13, and Thunderbird 140.1.

Analysis (AI)

Information disclosure in Mozilla Firefox and Thunderbird on 64-bit platforms allows remote attackers to leak sensitive memory contents via specially crafted web content. The IonMonkey JIT compiler writes only 32 bits of the 64-bit return value space on the stack, while the Baseline JIT reads the entire 64 bits, exposing uninitialized stack memory. Exploitation requires user interaction (UI:R) and no authentication. Fixes are available: Firefox 141+, Firefox ESR 115.26+, Firefox ESR 128.13+, Firefox ESR 140.1+, Thunderbird 141+, Thunderbird 128.13+, and Thunderbird 140.1+.

Technical Context (AI)

This vulnerability stems from a discrepancy between two JIT compilers in Firefox's JavaScript engine. IonMonkey (the optimizing JIT) and the Baseline JIT (the baseline compilation tier) handle 64-bit return values differently on 64-bit architectures. When IonMonkey generates code for function returns, it writes only the lower 32 bits to the stack, leaving the upper 32 bits uninitialized. When the Baseline JIT subsequently reads the full 64-bit value, it retrieves both the intended lower 32 bits and whatever garbage data occupied the upper 32 bits of that stack location. This falls under CWE-457 (Use of Uninitialized Variable), a memory safety issue where uninitialized data can leak sensitive information such as cryptographic keys, addresses useful for bypassing ASLR, or other process memory. The vulnerability is specific to 64-bit platforms where 64-bit operations are common in JIT-compiled code. CPE references indicate impact across Firefox stable and ESR branches, as well as Thunderbird stable and ESR branches.
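
A minimal C model of the write/read width mismatch described above, added here as an illustration; it is not SpiderMonkey code. The names `frame_t`, `STALE_SLOT`, and the writer and reader functions are constructed for this example, and the stale slot value is sample data.

```c
#include <stdint.h>
#include <stdio.h>

/* Constructed model of one 64-bit return-value slot in a stack frame. */
typedef struct { uint64_t ret_slot; } frame_t;

/* Constructed stale contents: whatever an earlier use of this stack memory
 * left behind. Chosen to resemble a user-space pointer. */
#define STALE_SLOT 0x00007f3a1c2d4e5fULL

/* Writer with the width mismatch described above: only the low 32 bits of
 * the slot are stored, the upper 32 bits keep their previous contents. */
static void writer_32bit(frame_t *f, uint32_t value) {
    f->ret_slot = (f->ret_slot & 0xFFFFFFFF00000000ULL) | (uint64_t)value;
}

/* Corrected writer: the whole 64-bit slot is overwritten. */
static void writer_64bit(frame_t *f, uint32_t value) {
    f->ret_slot = (uint64_t)value;
}

/* Reader that consumes the entire 64-bit slot, as the Baseline tier does. */
static uint64_t reader_64bit(const frame_t *f) {
    return f->ret_slot;
}

/* Run one writer over a slot holding stale data and return the upper 32 bits
 * the reader observed. Any non-zero result is data the writer never stored. */
static uint32_t leaked_upper_bits(void (*writer)(frame_t *, uint32_t),
                                  uint32_t value) {
    frame_t f = { .ret_slot = STALE_SLOT };
    writer(&f, value);
    return (uint32_t)(reader_64bit(&f) >> 32);
}

int main(void) {
    printf("32-bit writer, 64-bit reader: upper bits = 0x%08x\n",
           (unsigned)leaked_upper_bits(writer_32bit, 42));
    printf("64-bit writer, 64-bit reader: upper bits = 0x%08x\n",
           (unsigned)leaked_upper_bits(writer_64bit, 42));
    return 0;
}
```

With the 32-bit writer the reader sees the upper half of the stale value regardless of what was returned; with the 64-bit writer the upper half is always the writer's own data.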

Remediation (AI)

Update Mozilla Firefox to version 141 or later, or to the latest available ESR version (115.26, 128.13, or 140.1 depending on your ESR channel). Update Mozilla Thunderbird to version 141 or later, or to the latest available ESR version (128.13 or 140.1 depending on your ESR channel). These patched versions correct the JIT compiler discrepancy by ensuring IonMonkey writes the full 64-bit return value. Users should apply updates immediately via the application's automatic update mechanism or by downloading the latest version from mozilla.org. Check Mozilla security advisories at https://www.mozilla.org/security/advisories/mfsa2025-56/ and related MFSA pages for your specific product and ESR channel. No workaround is available for users unable to update; the vulnerability requires patched JIT compiler code.
