WASM Instruction Truncation in Firefox and Thunderbird
CVE-2025-8028

Currently unrated

Key Information:

Vendor: Mozilla
Status: Firefox; Firefox Esr; Thunderbird
Vendor: CVE Published:; 22 July 2025

What is CVE-2025-8028?

A flaw exists in the WebAssembly (WASM) implementation on arm64 architecture in Firefox and Thunderbird. The vulnerability arises from the potential for a br_table instruction containing numerous entries, which may result in the associated label being positioned too far from the instruction itself. This misalignment can lead to truncation, resulting in incorrect computation of the branch address, ultimately compromising the stability and reliability of the applications.

Affected Version(s)

Firefox < 141

Firefox ESR < 115.26

Firefox ESR < 128.13

References

https://bugzilla.mozilla.org/show_bug.cgi?id=1971581

https://www.mozilla.org/security/advisories/mfsa2025-56/

https://www.mozilla.org/security/advisories/mfsa2025-57/

Download the Critical Vulnerability Management Cheat Sheet

Timeline

Vulnerability published
Jul 22, 2025
Vulnerability Reserved
Jul 22, 2025

Credit

Gary Kwong

Mozilla

What is CVE-2025-8028?

Affected Version(s)

References

Timeline

Credit