CVE-2025-14325
Description
JIT miscompilation in the JavaScript Engine: JIT component. This vulnerability was fixed in Firefox 146, Firefox ESR 140.6, Thunderbird 146, and Thunderbird 140.6.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
A high-severity JIT miscompilation in Mozilla products could allow arbitrary code execution; patched in Firefox 146, Firefox ESR 140.6, Thunderbird 146, and Thunderbird 140.6.
CVE-2025-14325 is a high-severity vulnerability in the JavaScript Engine's JIT component of Mozilla Firefox, Firefox ESR, and Thunderbird. The flaw is a JIT miscompilation that can lead to memory corruption, potentially allowing an attacker to execute arbitrary code [1][2][3][4]. This bug was reported by zx and is tracked as Bug 1998050.
Exploitation requires the ability to execute JavaScript, typically by convincing a user to visit a malicious web page. In Thunderbird, scripting is disabled when reading mail, so the vulnerability is not exploitable through email; however, it remains a risk in browser or browser-like contexts [1][3]. Beyond user interaction, no special privileges or network access are needed.
Successful exploitation could allow an attacker to run arbitrary code in the context of the affected application, potentially leading to system compromise, data theft, or further attacks.
The vulnerability is patched in Firefox 146, Firefox ESR 140.6, Thunderbird 146, and Thunderbird 140.6 [2][4][1][3]. Users are strongly advised to update to these versions or later to mitigate the risk.
AI Insight generated on May 19, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
Affected products
cpe:2.3:a:mozilla:firefox:*:*:*:*:-:*:*:*
- cpe:2.3:a:mozilla:firefox:*:*:*:*:-:*:*:* (range: <146.0)
- cpe:2.3:a:mozilla:firefox:*:*:*:*:esr:*:*:* (range: <140.6.0)
- (no CPE) (range: <146)
cpe:2.3:a:mozilla:thunderbird:*:*:*:*:-:*:*:*
- cpe:2.3:a:mozilla:thunderbird:*:*:*:*:-:*:*:* (range: <146.0)
- cpe:2.3:a:mozilla:thunderbird:*:*:*:*:esr:*:*:* (range: <140.6.0)
- (no CPE) (range: <146)
- Range: <140.6
Patches
No patches discovered yet.
References
- www.mozilla.org/security/advisories/mfsa2025-92/ (nvd; Vendor Advisory)
- www.mozilla.org/security/advisories/mfsa2025-94/ (nvd; Vendor Advisory)
- www.mozilla.org/security/advisories/mfsa2025-95/ (nvd; Vendor Advisory)
- www.mozilla.org/security/advisories/mfsa2025-96/ (nvd; Vendor Advisory)
- bugzilla.mozilla.org/show_bug.cgi (nvd; Issue Tracking, Permissions Required)