Is Thunderbird affected by CVE-2025-8028?

CVE-2025-8028 is a critical vulnerability in Firefox, Firefox ESR, and Thunderbird's WebAssembly JIT compiler on ARM64 systems that allows unauthenticated remote code execution with no user interaction required.

CVE-2025-8028

Q: How to fix CVE-2025-8028?

Within 24 hours: Identify all Firefox, Firefox ESR, and Thunderbird installations on ARM64 architectures (Apple Silicon Macs, ARM-based Linux systems) using your endpoint management tools and flag for priority patching. Within 7 days: Deploy Firefox 141+, Firefox ESR 115.26/128.13/140.1+, and Thunderbird 141/128.13/140.1+ across all affected ARM64 systems using automated update mechanisms or MDM. Within 30 days: Verify patch deployment completion via compliance reporting and confirm all ARM64 systems are running patched versions.

CRITICAL

2025-07-22 [email protected]

Mozilla Information Disclosure Thunderbird Redhat Suse

9.8

CVSS 3.1

CVSS VectorNVD

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

Attack Vector

Network

Attack Complexity

Low

Privileges Required

None

User Interaction

None

Scope

Unchanged

Confidentiality

High

Integrity

High

Availability

High

Lifecycle Timeline

Analysis Generated

Apr 13, 2026 - 15:39 vuln.today

DescriptionNVD

On arm64, a WASM br_table instruction with a lot of entries could lead to the label being too far from the instruction causing truncation and incorrect computation of the branch address. This vulnerability was fixed in Firefox 141, Firefox ESR 115.26, Firefox ESR 128.13, Firefox ESR 140.1, Thunderbird 141, Thunderbird 128.13, and Thunderbird 140.1.

AnalysisAI

WebAssembly JIT compiler on ARM64 architectures incorrectly calculates branch addresses when processing WASM br_table instructions with numerous entries, enabling remote code execution in Firefox <141, Firefox ESR <115.26/128.13/140.1, and Thunderbird <141/128.13/140.1. The vulnerability requires no authentication or user interaction (CVSS AV:N/AC:L/PR:N/UI:N), allowing network-based attackers to potentially execute arbitrary code through malicious WASM content. Vendor-released patches are available across all affected product lines. No public exploit identified at time of analysis, though the CVSS 9.8 critical rating reflects the theoretical severity of unauthenticated remote code execution.

Vendor StatusVendor

CVE-2025-8028 vulnerability details – vuln.today

Back

CVE-2025-8028

CVSS VectorNVD

Lifecycle Timeline

DescriptionNVD

AnalysisAI

Vendor StatusVendor

Share

External POC / Exploit Code