Vulnerability Description
On arm64, a WASM `br_table` instruction with a lot of entries could lead to the label being too far from the instruction causing truncation and incorrect computation of the branch address. This vulnerability was fixed in Firefox 141, Firefox ESR 115.26, Firefox ESR 128.13, Firefox ESR 140.1, Thunderbird 141, Thunderbird 128.13, and Thunderbird 140.1.
CVSS Score
CRITICAL
Affected Products
| Vendor | Product | Versions |
|---|---|---|
| Mozilla | Firefox | < 115.26.0 |
| Mozilla | Thunderbird | < 128.13.0 |
Related Weaknesses (CWE)
References
- https://bugzilla.mozilla.org/show_bug.cgi?id=1971581Permissions Required
- https://www.mozilla.org/security/advisories/mfsa2025-56/Vendor Advisory
- https://www.mozilla.org/security/advisories/mfsa2025-57/Vendor Advisory
- https://www.mozilla.org/security/advisories/mfsa2025-58/Vendor Advisory
- https://www.mozilla.org/security/advisories/mfsa2025-59/Vendor Advisory
- https://www.mozilla.org/security/advisories/mfsa2025-61/Vendor Advisory
- https://www.mozilla.org/security/advisories/mfsa2025-62/Vendor Advisory
- https://www.mozilla.org/security/advisories/mfsa2025-63/Vendor Advisory
- https://lists.debian.org/debian-lts-announce/2025/07/msg00016.html
FAQ
What is CVE-2025-8028?
CVE-2025-8028 is a vulnerability with a CVSS score of 9.8 (CRITICAL). On arm64, a WASM `br_table` instruction with a lot of entries could lead to the label being too far from the instruction causing truncation and incorrect computation of the branch address. This vulner...
How severe is CVE-2025-8028?
CVE-2025-8028 has been rated CRITICAL with a CVSS base score of 9.8/10. This is considered a critical vulnerability requiring immediate attention.
Is there a patch for CVE-2025-8028?
Check the references section above for vendor advisories and patch information. Affected products include: Mozilla Firefox, Mozilla Thunderbird.