CVE-2025-8028 Overview
CVE-2025-8028 affects Mozilla Firefox and Thunderbird running on arm64 architectures. The vulnerability resides in the WebAssembly (WASM) JIT compiler, where a br_table instruction containing many entries can cause the branch label to sit too far from the instruction. This distance causes truncation of the offset value, resulting in incorrect branch address computation. An attacker who lures a victim to a malicious page can deliver crafted WASM that redirects execution to an attacker-controlled location. Mozilla fixed the issue in Firefox 141, Firefox ESR 115.26, Firefox ESR 128.13, Firefox ESR 140.1, Thunderbird 141, Thunderbird 128.13, and Thunderbird 140.1.
Critical Impact
Remote attackers can trigger incorrect branch address computation in the WASM JIT on arm64, enabling memory corruption and potential arbitrary code execution within the browser process.
Affected Products
- Mozilla Firefox prior to 141 on arm64
- Mozilla Firefox ESR prior to 115.26, 128.13, and 140.1 on arm64
- Mozilla Thunderbird prior to 141, 128.13, and 140.1 on arm64
Discovery Timeline
- 2025-07-22 - CVE-2025-8028 published to NVD
- 2026-04-13 - Last updated in NVD database
Technical Details for CVE-2025-8028
Vulnerability Analysis
The flaw is a numeric truncation issue [CWE-1332] in the arm64 code generator for WebAssembly. When the JIT emits a br_table instruction with many entries, the displacement between the branch instruction and its target label can exceed the encodable range of the immediate field. The compiler fails to detect the out-of-range condition and truncates the offset, producing a branch that jumps to an incorrect address. Because the branch target controls execution flow inside compiled WASM code, the resulting condition can corrupt control flow and lead to attacker-influenced execution within the content process.
Root Cause
The root cause is insufficient validation of branch displacement during arm64 code emission for WASM br_table jump tables. The arm64 instruction set encodes branch offsets using a fixed-width immediate. When a br_table contains enough entries to push the label beyond that range, the JIT silently truncates rather than emitting a long-form branch or trampoline. The resulting compiled code computes branch addresses incorrectly.
Attack Vector
Exploitation is remote and requires no authentication or user interaction beyond loading attacker content. An adversary hosts a web page that delivers a specially crafted WebAssembly module containing a br_table with sufficient entries to trigger the truncation. When the victim's arm64 Firefox or Thunderbird (rendering HTML email) compiles the module, the malformed branch is emitted and executed.
No verified public proof-of-concept code has been released. See the Mozilla Bug Report #1971581 and Mozilla Security Advisory MFSA-2025-56 for technical references.
Detection Methods for CVE-2025-8028
Indicators of Compromise
- Unexpected crashes of firefox or thunderbird processes on arm64 hosts, particularly with stack traces involving the WASM baseline or optimizing compiler.
- Outbound connections from browser child processes to unfamiliar domains immediately after rendering pages that load WebAssembly modules.
- Browser content processes spawning shell or scripting interpreters on arm64 endpoints.
Detection Strategies
- Inventory arm64 endpoints (Apple Silicon Macs, Windows on ARM, ARM Linux) running Firefox or Thunderbird and flag versions below the fixed releases.
- Monitor EDR telemetry for anomalous child-process creation or memory allocation patterns originating from browser content processes.
- Inspect web proxy and DNS logs for repeated requests to .wasm resources from low-reputation domains.
Monitoring Recommendations
- Centralize browser version telemetry to confirm patch deployment across the arm64 fleet.
- Alert on Firefox or Thunderbird process crashes correlated with WebAssembly content loads.
- Track newly observed domains delivering WebAssembly payloads against threat intelligence feeds.
How to Mitigate CVE-2025-8028
Immediate Actions Required
- Update Firefox to version 141 or later on all arm64 systems.
- Update Firefox ESR to 115.26, 128.13, or 140.1 depending on the deployed ESR branch.
- Update Thunderbird to 141, 128.13, or 140.1.
- Prioritize patching on Apple Silicon, Windows on ARM, and ARM Linux devices, including server-class arm64 hosts running browser tooling.
Patch Information
Mozilla addressed the issue across multiple advisories: MFSA-2025-56, MFSA-2025-57, MFSA-2025-58, MFSA-2025-59, MFSA-2025-61, MFSA-2025-62, and MFSA-2025-63. Debian users should apply updates referenced in the Debian LTS Announcement.
Workarounds
- Where patching is delayed, disable JavaScript and WebAssembly execution for untrusted origins using enterprise policies or the javascript.options.wasm preference set to false in about:config.
- Restrict browsing on unpatched arm64 hosts to trusted internal sites through proxy enforcement.
- Enforce content filtering that blocks application/wasm responses from uncategorized or low-reputation domains until patches are applied.
# Disable WebAssembly via Firefox enterprise policy (policies.json)
{
"policies": {
"Preferences": {
"javascript.options.wasm": {
"Value": false,
"Status": "locked"
}
}
}
}
Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.

