Mozilla Foundation Security Advisory 2025-57

Security Vulnerabilities fixed in Firefox ESR 115.26

Announced

July 22, 2025

Impact

high

Products

Firefox ESR

Fixed in

Firefox ESR 115.26

#CVE-2025-8027: JavaScript engine only wrote partial return value to stack

Reporter: Nan Wang
Impact: high

Description

On 64-bit platforms IonMonkey-JIT only wrote 32 bits of the 64-bit return value space on the stack. Baseline-JIT, however, read the entire 64 bits.

References

Bug 1968423

#CVE-2025-8028: Large branch table could lead to truncated instruction

Reporter: Gary Kwong
Impact: high

Description

On arm64, a WASM br_table instruction with a lot of entries could lead to the label being too far from the instruction causing truncation and incorrect computation of the branch address.

References

Bug 1971581

#CVE-2025-8033: Incorrect JavaScript state machine for generators

Reporter: Shaheen Fazim
Impact: low

Description

The JavaScript engine did not handle closed generators correctly and it was possible to resume them leading to a nullptr deref.

References

Bug 1973990

#CVE-2025-8034: Memory safety bugs fixed in Firefox ESR 115.26, Firefox ESR 128.13, Thunderbird ESR 128.13, Firefox ESR 140.1, Thunderbird ESR 140.1, Firefox 141 and Thunderbird 141

Reporter: the Mozilla Fuzzing Team
Impact: high

Description

Memory safety bugs present in Firefox ESR 115.25, Firefox ESR 128.12, Thunderbird ESR 128.12, Firefox ESR 140.0, Thunderbird ESR 140.0, Firefox 140 and Thunderbird 140. Some of these bugs showed evidence of memory corruption and we presume that with enough effort some of these could have been exploited to run arbitrary code.

References

Memory safety bugs fixed in Firefox ESR 115.26, Firefox ESR 128.13, Thunderbird ESR 128.13, Firefox ESR 140.1, Thunderbird ESR 140.1, Firefox 141 and Thunderbird 141

Mozilla VPN

Mozilla Monitor

Firefox Relay

Pocket

MDN Plus

Thunderbird

About Mozilla

The Mozilla Manifesto

Get Involved

Blog