CVE-2025-8028 Overview
CVE-2025-8028 is a critical vulnerability affecting Mozilla Firefox and Thunderbird on arm64 architecture systems. The vulnerability exists in the WebAssembly (WASM) engine's handling of br_table instructions. When a br_table instruction contains a large number of entries, the label offset can become too far from the instruction, leading to truncation and incorrect computation of the branch address. This improper numeric truncation can result in arbitrary code execution, allowing attackers to potentially compromise affected systems through maliciously crafted WebAssembly content.
Critical Impact
Remote attackers can exploit this vulnerability via malicious WebAssembly code to achieve arbitrary code execution without user interaction, potentially leading to complete system compromise on arm64 devices.
Affected Products
- Mozilla Firefox versions prior to 141
- Mozilla Firefox ESR versions prior to 115.26, 128.13, and 140.1
- Mozilla Thunderbird versions prior to 141, 128.13, and 140.1
Discovery Timeline
- July 22, 2025 - CVE-2025-8028 published to NVD
- November 3, 2025 - Last updated in NVD database
Technical Details for CVE-2025-8028
Vulnerability Analysis
This vulnerability is classified under CWE-1332 (Improper Handling of Faults that Lead to Instruction Skips). The issue arises in the arm64-specific code generation for WebAssembly's br_table instruction, which implements a multi-way branch similar to a switch statement in higher-level languages.
On arm64 architecture, branch instructions have limited displacement ranges. When a br_table contains many entries, the compiled code grows large enough that the branch target labels exceed the maximum displacement that can be encoded in the instruction. Rather than properly handling this case, the Firefox/Thunderbird JIT compiler truncates the displacement value, resulting in an incorrect branch target address being computed at runtime.
This truncation can cause execution to jump to an unintended location in memory, potentially allowing an attacker to redirect control flow to attacker-controlled data or code. Since WebAssembly is commonly used for performance-critical web applications and can be loaded from any website, this creates a significant attack surface for remote exploitation.
Root Cause
The root cause is improper handling of large displacement values in the arm64 WebAssembly JIT compiler. When generating machine code for br_table instructions with numerous entries, the compiler fails to account for the arm64 architecture's branch instruction displacement limits. The branch offset is stored in a fixed-size field that cannot represent large values, causing numeric truncation when the table entries push labels beyond the representable range.
Attack Vector
The vulnerability is exploitable over the network through malicious web content. An attacker can craft a WebAssembly module containing a br_table instruction with a carefully calculated number of entries designed to trigger the truncation condition. When a victim visits a malicious webpage or receives a crafted email in Thunderbird that loads this WebAssembly content, the truncated branch address can redirect execution to an attacker-controlled location.
The attack requires no user interaction beyond visiting a malicious page, and the attacker needs no special privileges. The vulnerability specifically affects arm64 systems, which includes many mobile devices, Apple Silicon Macs, and ARM-based servers and desktops.
Detection Methods for CVE-2025-8028
Indicators of Compromise
- Unusual WebAssembly modules with abnormally large br_table instructions being loaded in browser processes
- Unexpected crashes or memory corruption events in Firefox or Thunderbird processes on arm64 systems
- Browser processes exhibiting anomalous behavior following WebAssembly execution
Detection Strategies
- Monitor for Firefox and Thunderbird processes loading WebAssembly content with unusually large function bodies on arm64 systems
- Implement network-level inspection for WebAssembly modules containing large br_table constructs
- Deploy endpoint detection solutions capable of identifying exploitation attempts targeting browser JIT engines
Monitoring Recommendations
- Enable crash reporting and monitor for patterns consistent with JIT-related failures on arm64 devices
- Utilize SentinelOne's behavioral AI to detect anomalous process behavior following browser-based code execution
- Audit browser extension and content security policies to minimize exposure to untrusted WebAssembly content
How to Mitigate CVE-2025-8028
Immediate Actions Required
- Update Mozilla Firefox to version 141 or later immediately
- Update Firefox ESR to version 115.26, 128.13, or 140.1 depending on your ESR track
- Update Mozilla Thunderbird to version 141, 128.13, or 140.1 depending on your release track
- Prioritize updates for arm64 systems as they are specifically affected by this vulnerability
Patch Information
Mozilla has released security patches addressing this vulnerability across multiple product versions. Detailed information is available in the following security advisories:
- Mozilla Security Advisory MFSA-2025-56
- Mozilla Security Advisory MFSA-2025-57
- Mozilla Security Advisory MFSA-2025-58
- Mozilla Security Advisory MFSA-2025-59
- Mozilla Security Advisory MFSA-2025-61
- Mozilla Security Advisory MFSA-2025-62
- Mozilla Security Advisory MFSA-2025-63
Additional technical details are tracked in Mozilla Bug Report #1971581. Debian users should refer to the Debian LTS Announcement for distribution-specific updates.
Workarounds
- Disable WebAssembly in Firefox by navigating to about:config and setting javascript.options.wasm to false (note: this may break functionality on some websites)
- Implement content security policies that restrict WebAssembly execution to trusted sources
- Use enterprise management tools to enforce browser updates across your organization
- Consider temporary use of alternative browsers on arm64 systems until patches can be applied
# Firefox configuration to disable WebAssembly (temporary workaround)
# Add to user.js or set via about:config
user_pref("javascript.options.wasm", false);
user_pref("javascript.options.wasm_baselinejit", false);
user_pref("javascript.options.wasm_optimizingjit", false);
Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.
