Cyber Resilience

CVE-2025-8028

Critical

Published: 22 July 2025

Published
22 July 2025
Modified
13 April 2026
KEV Added
Patch
CVSS Score v3.1 9.8 CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
EPSS Score 0.0078 74.1th percentile
Risk Priority 20 60% EPSS · 20% KEV · 20% CVSS

Summary

CVE-2025-8028 is a critical-severity Improper Handling of Faults that Lead to Instruction Skips (CWE-1332) vulnerability in Mozilla Firefox. Its CVSS base score is 9.8 (Critical).

Operationally, exploitation aligns with the MITRE ATT&CK technique Drive-by Compromise (T1189); ranked in the top 25.9% of CVEs by exploit likelihood; it is not currently listed in the CISA KEV catalog.

The strongest mitigations our analysis identified are NIST 800-53 SI-2 (Flaw Remediation) and RA-5 (Vulnerability Monitoring and Scanning).

Deeper analysis

CVE-2025-8028 is a critical vulnerability in the WebAssembly (WASM) engine of Mozilla Firefox and Thunderbird browsers, specifically affecting arm64 architectures. The issue arises when processing a WASM `br_table` instruction with a large number of entries, causing the label distance from the instruction to exceed limits, resulting in truncation and incorrect computation of the branch target address. This flaw, classified under CWE-1332 (Incorrect Branch Target), impacts versions of Firefox prior to 141, Firefox ESR prior to 115.26, 128.13, and 140.1, as well as Thunderbird prior to 141, 128.13, and 140.1. It carries a CVSS v3.1 base score of 9.8, indicating high severity due to its potential for confidentially, integrity, and availability impacts.

A remote attacker can exploit this vulnerability without privileges or user interaction by tricking a victim into loading a malicious webpage containing specially crafted WASM code. On vulnerable arm64 systems running affected browser versions, the flawed branch computation enables arbitrary code execution within the browser's sandbox, potentially leading to full compromise of the user's system through escalation beyond the sandbox.

Mozilla's security advisories (MFSA 2025-56 through 59) and the associated Bugzilla entry confirm the vulnerability has been patched in the listed Firefox and Thunderbird versions. Security practitioners should prioritize updating affected browsers on arm64 platforms, such as Apple Silicon Macs or ARM-based Linux systems, to mitigate exploitation risks.

EU & UK References

Vulnerability details

On arm64, a WASM `br_table` instruction with a lot of entries could lead to the label being too far from the instruction causing truncation and incorrect computation of the branch address. This vulnerability was fixed in Firefox 141, Firefox ESR…

more

115.26, Firefox ESR 128.13, Firefox ESR 140.1, Thunderbird 141, Thunderbird 128.13, and Thunderbird 140.1.

CWE(s)

Related Threats

MITRE ATT&CK Enterprise TechniquesAI

T1189 Drive-by Compromise Initial Access
Adversaries may gain access to a system through a user visiting a website over the normal course of browsing.
T1203 Exploitation for Client Execution Execution
Adversaries may exploit software vulnerabilities in client applications to execute code.
T1068 Exploitation for Privilege Escalation Privilege Escalation
Adversaries may exploit software vulnerabilities in an attempt to elevate privileges.
Why these techniques?

Vuln enables drive-by browser exploitation via malicious WASM page (T1189), direct client-side code execution via crafted br_table (T1203), and sandbox escape for privilege escalation (T1068).

Confidence: HIGH · MITRE ATT&CK Enterprise v18.1

CVEs Like This One

CVE-2026-0878Same product: Mozilla Firefox
CVE-2026-0880Same product: Mozilla Firefox
CVE-2026-2760Same product: Mozilla Firefox
CVE-2026-2778Same product: Mozilla Firefox
CVE-2026-2761Same product: Mozilla Firefox
CVE-2026-2758Same product: Mozilla Firefox
CVE-2026-8962Same product: Mozilla Firefox
CVE-2026-2790Same product: Mozilla Firefox
CVE-2026-2793Same product: Mozilla Firefox
CVE-2026-4720Same product: Mozilla Firefox

Affected Assets

mozilla
firefox
≤ 115.26.0 · ≤ 141.0 · 128.0 — 128.13.0
mozilla
thunderbird
≤ 128.13.0 · ≤ 141.0 · 140.0 — 140.1.0

Mitigating Controls

Mitigating Controls (NIST 800-53 r5) AI

prevent

Directly mitigates CVE-2025-8028 by requiring timely remediation through vendor patches that fix the WASM br_table truncation and incorrect branch address computation in Firefox and Thunderbird on arm64.

detect

Identifies systems with vulnerable browser versions affected by the arm64-specific WASM engine flaw via automated vulnerability scanning.

detect

Ensures timely awareness of the CVE through receiving and disseminating Mozilla security advisories (MFSA 2025-56), facilitating rapid patching.

References