CVE-2025-8028
Published: 22 July 2025
Summary
CVE-2025-8028 is a critical-severity Improper Handling of Faults that Lead to Instruction Skips (CWE-1332) vulnerability in Mozilla Firefox. Its CVSS base score is 9.8 (Critical).
Operationally, exploitation aligns with the MITRE ATT&CK technique Drive-by Compromise (T1189); ranked at the 43.8th percentile by exploit likelihood (below the median); it is not currently listed in the CISA KEV catalog.
The strongest mitigations our analysis identified are NIST 800-53 SI-2 (Flaw Remediation) and RA-5 (Vulnerability Monitoring and Scanning).
Threat & Defense at a Glance
Threat & Defense Details
Mitigating Controls (NIST 800-53 r5)AI
Directly mitigates CVE-2025-8028 by requiring timely remediation through vendor patches that fix the WASM br_table truncation and incorrect branch address computation in Firefox and Thunderbird on arm64.
Identifies systems with vulnerable browser versions affected by the arm64-specific WASM engine flaw via automated vulnerability scanning.
Ensures timely awareness of the CVE through receiving and disseminating Mozilla security advisories (MFSA 2025-56), facilitating rapid patching.
MITRE ATT&CK Enterprise TechniquesAI
Why these techniques?
Vuln enables drive-by browser exploitation via malicious WASM page (T1189), direct client-side code execution via crafted br_table (T1203), and sandbox escape for privilege escalation (T1068).
NVD Description
On arm64, a WASM `br_table` instruction with a lot of entries could lead to the label being too far from the instruction causing truncation and incorrect computation of the branch address. This vulnerability was fixed in Firefox 141, Firefox ESR…
more
115.26, Firefox ESR 128.13, Firefox ESR 140.1, Thunderbird 141, Thunderbird 128.13, and Thunderbird 140.1.
Deeper analysisAI
CVE-2025-8028 is a critical vulnerability in the WebAssembly (WASM) engine of Mozilla Firefox and Thunderbird browsers, specifically affecting arm64 architectures. The issue arises when processing a WASM `br_table` instruction with a large number of entries, causing the label distance from the instruction to exceed limits, resulting in truncation and incorrect computation of the branch target address. This flaw, classified under CWE-1332 (Incorrect Branch Target), impacts versions of Firefox prior to 141, Firefox ESR prior to 115.26, 128.13, and 140.1, as well as Thunderbird prior to 141, 128.13, and 140.1. It carries a CVSS v3.1 base score of 9.8, indicating high severity due to its potential for confidentially, integrity, and availability impacts.
A remote attacker can exploit this vulnerability without privileges or user interaction by tricking a victim into loading a malicious webpage containing specially crafted WASM code. On vulnerable arm64 systems running affected browser versions, the flawed branch computation enables arbitrary code execution within the browser's sandbox, potentially leading to full compromise of the user's system through escalation beyond the sandbox.
Mozilla's security advisories (MFSA 2025-56 through 59) and the associated Bugzilla entry confirm the vulnerability has been patched in the listed Firefox and Thunderbird versions. Security practitioners should prioritize updating affected browsers on arm64 platforms, such as Apple Silicon Macs or ARM-based Linux systems, to mitigate exploitation risks.
Details
- CWE(s)