{"dataType": "CVE_RECORD", "dataVersion": "5.2", "cveMetadata": {"cveId": "CVE-2025-8027", "assignerOrgId": "f16b083a-5664-49f3-a51e-8d479e5ed7fe", "state": "PUBLISHED", "assignerShortName": "mozilla", "dateReserved": "2025-07-22T10:13:47.266Z", "datePublished": "2025-07-22T20:49:24.039Z", "dateUpdated": "2026-04-13T14:26:46.624Z"}, "containers": {"cna": {"affected": [{"product": "Firefox", "vendor": "Mozilla", "versions": [{"status": "unaffected", "version": "115.26", "lessThanOrEqual": "115.*", "versionType": "rpm"}, {"status": "unaffected", "version": "128.13", "lessThanOrEqual": "128.*", "versionType": "rpm"}, {"status": "unaffected", "version": "140.1", "lessThanOrEqual": "140.*", "versionType": "rpm"}, {"status": "unaffected", "version": "141", "lessThanOrEqual": "*", "versionType": "rpm"}]}, {"product": "Thunderbird", "vendor": "Mozilla", "versions": [{"status": "unaffected", "version": "128.13", "lessThanOrEqual": "128.*", "versionType": "rpm"}, {"status": "unaffected", "version": "140.1", "lessThanOrEqual": "140.*", "versionType": "rpm"}, {"status": "unaffected", "version": "141", "lessThanOrEqual": "*", "versionType": "rpm"}]}], "descriptions": [{"lang": "en", "value": "On 64-bit platforms IonMonkey-JIT only wrote 32 bits of the 64-bit return value space on the stack. Baseline-JIT, however, read the entire 64 bits. This vulnerability was fixed in Firefox 141, Firefox ESR 115.26, Firefox ESR 128.13, Firefox ESR 140.1, Thunderbird 141, Thunderbird 128.13, and Thunderbird 140.1.", "supportingMedia": [{"type": "text/html", "base64": false, "value": "On 64-bit platforms IonMonkey-JIT only wrote 32 bits of the 64-bit return value space on the stack. Baseline-JIT, however, read the entire 64 bits. This vulnerability was fixed in Firefox 141, Firefox ESR 115.26, Firefox ESR 128.13, Firefox ESR 140.1, Thunderbird 141, Thunderbird 128.13, and Thunderbird 140.1."}]}], "title": "JavaScript engine only wrote partial return value to stack", "references": [{"url": "https://bugzilla.mozilla.org/show_bug.cgi?id=1968423"}, {"url": "https://www.mozilla.org/security/advisories/mfsa2025-56/"}, {"url": "https://www.mozilla.org/security/advisories/mfsa2025-57/"}, {"url": "https://www.mozilla.org/security/advisories/mfsa2025-58/"}, {"url": "https://www.mozilla.org/security/advisories/mfsa2025-59/"}, {"url": "https://www.mozilla.org/security/advisories/mfsa2025-61/"}, {"url": "https://www.mozilla.org/security/advisories/mfsa2025-62/"}, {"url": "https://www.mozilla.org/security/advisories/mfsa2025-63/"}], "credits": [{"lang": "en", "value": "Nan Wang"}], "providerMetadata": {"orgId": "f16b083a-5664-49f3-a51e-8d479e5ed7fe", "shortName": "mozilla", "dateUpdated": "2026-04-13T14:26:46.624Z"}}, "adp": [{"problemTypes": [{"descriptions": [{"type": "CWE", "cweId": "CWE-457", "lang": "en", "description": "CWE-457 Use of Uninitialized Variable"}]}], "metrics": [{"cvssV3_1": {"scope": "UNCHANGED", "version": "3.1", "baseScore": 6.5, "attackVector": "NETWORK", "baseSeverity": "MEDIUM", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:N/A:N", "integrityImpact": "NONE", "userInteraction": "REQUIRED", "attackComplexity": "LOW", "availabilityImpact": "NONE", "privilegesRequired": "NONE", "confidentialityImpact": "HIGH"}}, {"other": {"type": "ssvc", "content": {"timestamp": "2025-07-23T13:42:23.408460Z", "id": "CVE-2025-8027", "options": [{"Exploitation": "none"}, {"Automatable": "no"}, {"Technical Impact": "partial"}], "role": "CISA Coordinator", "version": "2.0.3"}}}], "title": "CISA ADP Vulnrichment", "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2025-07-23T13:46:28.122Z"}}, {"title": "CVE Program Container", "references": [{"url": "https://lists.debian.org/debian-lts-announce/2025/07/msg00016.html"}], "providerMetadata": {"orgId": "af854a3a-2127-422b-91ae-364da2661108", "shortName": "CVE", "dateUpdated": "2025-11-03T20:07:44.121Z"}}]}}

{"dataType": "CVE_RECORD", "containers": {"adp": [{"title": "CVE Program Container", "references": [{"url": "https://lists.debian.org/debian-lts-announce/2025/07/msg00016.html"}], "providerMetadata": {"orgId": "af854a3a-2127-422b-91ae-364da2661108", "shortName": "CVE", "dateUpdated": "2025-11-03T20:07:44.121Z"}}, {"title": "CISA ADP Vulnrichment", "metrics": [{"cvssV3_1": {"scope": "UNCHANGED", "version": "3.1", "baseScore": 6.5, "attackVector": "NETWORK", "baseSeverity": "MEDIUM", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:N/A:N", "integrityImpact": "NONE", "userInteraction": "REQUIRED", "attackComplexity": "LOW", "availabilityImpact": "NONE", "privilegesRequired": "NONE", "confidentialityImpact": "HIGH"}}, {"other": {"type": "ssvc", "content": {"id": "CVE-2025-8027", "role": "CISA Coordinator", "options": [{"Exploitation": "none"}, {"Automatable": "no"}, {"Technical Impact": "partial"}], "version": "2.0.3", "timestamp": "2025-07-23T13:42:23.408460Z"}}}], "problemTypes": [{"descriptions": [{"lang": "en", "type": "CWE", "cweId": "CWE-457", "description": "CWE-457 Use of Uninitialized Variable"}]}], "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2025-07-23T13:43:39.921Z"}}], "cna": {"title": "JavaScript engine only wrote partial return value to stack", "credits": [{"lang": "en", "value": "Nan Wang"}], "affected": [{"vendor": "Mozilla", "product": "Firefox", "versions": [{"status": "unaffected", "version": "115.26", "versionType": "rpm", "lessThanOrEqual": "115.*"}, {"status": "unaffected", "version": "128.13", "versionType": "rpm", "lessThanOrEqual": "128.*"}, {"status": "unaffected", "version": "140.1", "versionType": "rpm", "lessThanOrEqual": "140.*"}, {"status": "unaffected", "version": "141", "versionType": "rpm", "lessThanOrEqual": "*"}]}, {"vendor": "Mozilla", "product": "Thunderbird", "versions": [{"status": "unaffected", "version": "128.13", "versionType": "rpm", "lessThanOrEqual": "128.*"}, {"status": "unaffected", "version": "140.1", "versionType": "rpm", "lessThanOrEqual": "140.*"}, {"status": "unaffected", "version": "141", "versionType": "rpm", "lessThanOrEqual": "*"}]}], "references": [{"url": "https://bugzilla.mozilla.org/show_bug.cgi?id=1968423"}, {"url": "https://www.mozilla.org/security/advisories/mfsa2025-56/"}, {"url": "https://www.mozilla.org/security/advisories/mfsa2025-57/"}, {"url": "https://www.mozilla.org/security/advisories/mfsa2025-58/"}, {"url": "https://www.mozilla.org/security/advisories/mfsa2025-59/"}, {"url": "https://www.mozilla.org/security/advisories/mfsa2025-61/"}, {"url": "https://www.mozilla.org/security/advisories/mfsa2025-62/"}, {"url": "https://www.mozilla.org/security/advisories/mfsa2025-63/"}], "descriptions": [{"lang": "en", "value": "On 64-bit platforms IonMonkey-JIT only wrote 32 bits of the 64-bit return value space on the stack. Baseline-JIT, however, read the entire 64 bits. This vulnerability was fixed in Firefox 141, Firefox ESR 115.26, Firefox ESR 128.13, Firefox ESR 140.1, Thunderbird 141, Thunderbird 128.13, and Thunderbird 140.1.", "supportingMedia": [{"type": "text/html", "value": "On 64-bit platforms IonMonkey-JIT only wrote 32 bits of the 64-bit return value space on the stack. Baseline-JIT, however, read the entire 64 bits. This vulnerability was fixed in Firefox 141, Firefox ESR 115.26, Firefox ESR 128.13, Firefox ESR 140.1, Thunderbird 141, Thunderbird 128.13, and Thunderbird 140.1.", "base64": false}]}], "providerMetadata": {"orgId": "f16b083a-5664-49f3-a51e-8d479e5ed7fe", "shortName": "mozilla", "dateUpdated": "2026-04-13T14:26:46.624Z"}}}, "cveMetadata": {"cveId": "CVE-2025-8027", "state": "PUBLISHED", "dateUpdated": "2026-04-13T14:26:46.624Z", "dateReserved": "2025-07-22T10:13:47.266Z", "assignerOrgId": "f16b083a-5664-49f3-a51e-8d479e5ed7fe", "datePublished": "2025-07-22T20:49:24.039Z", "assignerShortName": "mozilla"}, "dataVersion": "5.2"}

{"configurations": [{"nodes": [{"cpeMatch": [{"criteria": "cpe:2.3:a:mozilla:firefox:*:*:*:*:esr:*:*:*", "matchCriteriaId": "D697EDEE-5DF4-4FC2-8128-BC9DC23EFFF3", "versionEndExcluding": "115.26.0", "vulnerable": true}, {"criteria": "cpe:2.3:a:mozilla:firefox:*:*:*:*:-:*:*:*", "matchCriteriaId": "8684A46E-D70A-4830-8971-A6DCC360F422", "versionEndExcluding": "141.0", "vulnerable": true}, {"criteria": "cpe:2.3:a:mozilla:firefox:*:*:*:*:esr:*:*:*", "matchCriteriaId": "A621920F-5B71-403D-B8F9-EC22F249CD4C", "versionEndExcluding": "128.13.0", "versionStartIncluding": "128.0", "vulnerable": true}, {"criteria": "cpe:2.3:a:mozilla:firefox:*:*:*:*:esr:*:*:*", "matchCriteriaId": "BB48C2EF-A6AC-4445-9417-1B65D5BC509B", "versionEndExcluding": "140.1.0", "versionStartIncluding": "140.0", "vulnerable": true}, {"criteria": "cpe:2.3:a:mozilla:thunderbird:*:*:*:*:esr:*:*:*", "matchCriteriaId": "B9BB9B0C-2B49-44EA-9BED-241A8CE8794E", "versionEndExcluding": "128.13.0", "vulnerable": true}, {"criteria": "cpe:2.3:a:mozilla:thunderbird:*:*:*:*:-:*:*:*", "matchCriteriaId": "95D506DD-BD9B-4D90-802F-5BE673F1CF14", "versionEndExcluding": "141.0", "vulnerable": true}, {"criteria": "cpe:2.3:a:mozilla:thunderbird:*:*:*:*:esr:*:*:*", "matchCriteriaId": "8CE266C2-5AF1-4C57-9B7C-47039FF06384", "versionEndExcluding": "140.1.0", "versionStartIncluding": "140.0", "vulnerable": true}], "negate": false, "operator": "OR"}]}], "cveTags": [], "descriptions": [{"lang": "en", "value": "On 64-bit platforms IonMonkey-JIT only wrote 32 bits of the 64-bit return value space on the stack. Baseline-JIT, however, read the entire 64 bits. This vulnerability was fixed in Firefox 141, Firefox ESR 115.26, Firefox ESR 128.13, Firefox ESR 140.1, Thunderbird 141, Thunderbird 128.13, and Thunderbird 140.1."}, {"lang": "es", "value": "En plataformas de 64 bits, IonMonkey-JIT solo escrib\u00eda 32 bits del espacio de valor de retorno de 64 bits en la pila. Sin embargo, Baseline-JIT le\u00eda los 64 bits completos. Esta vulnerabilidad afecta a Firefox < 141, Firefox ESR < 115.26, Firefox ESR < 128.13, Firefox ESR < 140.1, Thunderbird < 141, Thunderbird < 128.13 y Thunderbird < 140.1."}], "id": "CVE-2025-8027", "lastModified": "2026-04-13T15:17:08.497", "metrics": {"cvssMetricV31": [{"cvssData": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "NONE", "baseScore": 6.5, "baseSeverity": "MEDIUM", "confidentialityImpact": "HIGH", "integrityImpact": "NONE", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "REQUIRED", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:N/A:N", "version": "3.1"}, "exploitabilityScore": 2.8, "impactScore": 3.6, "source": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "type": "Secondary"}]}, "published": "2025-07-22T21:15:49.830", "references": [{"source": "security@mozilla.org", "tags": ["Permissions Required"], "url": "https://bugzilla.mozilla.org/show_bug.cgi?id=1968423"}, {"source": "security@mozilla.org", "tags": ["Vendor Advisory"], "url": "https://www.mozilla.org/security/advisories/mfsa2025-56/"}, {"source": "security@mozilla.org", "tags": ["Vendor Advisory"], "url": "https://www.mozilla.org/security/advisories/mfsa2025-57/"}, {"source": "security@mozilla.org", "tags": ["Vendor Advisory"], "url": "https://www.mozilla.org/security/advisories/mfsa2025-58/"}, {"source": "security@mozilla.org", "tags": ["Vendor Advisory"], "url": "https://www.mozilla.org/security/advisories/mfsa2025-59/"}, {"source": "security@mozilla.org", "tags": ["Vendor Advisory"], "url": "https://www.mozilla.org/security/advisories/mfsa2025-61/"}, {"source": "security@mozilla.org", "tags": ["Vendor Advisory"], "url": "https://www.mozilla.org/security/advisories/mfsa2025-62/"}, {"source": "security@mozilla.org", "tags": ["Vendor Advisory"], "url": "https://www.mozilla.org/security/advisories/mfsa2025-63/"}, {"source": "af854a3a-2127-422b-91ae-364da2661108", "url": "https://lists.debian.org/debian-lts-announce/2025/07/msg00016.html"}], "sourceIdentifier": "security@mozilla.org", "vulnStatus": "Modified", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-457"}], "source": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "type": "Secondary"}]}

{"affected_release": [{"advisory": "RHSA-2025:11797", "cpe": "cpe:/o:redhat:enterprise_linux:10.0", "package": "firefox-0:128.13.0-1.el10_0", "product_name": "Red Hat Enterprise Linux 10", "release_date": "2025-07-28T00:00:00Z"}, {"advisory": "RHSA-2025:11747", "cpe": "cpe:/a:redhat:enterprise_linux:8", "package": "firefox-0:128.13.0-1.el8_10", "product_name": "Red Hat Enterprise Linux 8", "release_date": "2025-07-24T00:00:00Z"}, {"advisory": "RHSA-2025:11748", "cpe": "cpe:/a:redhat:enterprise_linux:9", "package": "firefox-0:128.13.0-1.el9_6", "product_name": "Red Hat Enterprise Linux 9", "release_date": "2025-07-24T00:00:00Z"}], "bugzilla": {"description": "firefox: thunderbird: JavaScript engine only wrote partial return value to stack", "id": "2382707", "url": "https://bugzilla.redhat.com/show_bug.cgi?id=2382707"}, "csaw": false, "cvss3": {"cvss3_base_score": "7.5", "cvss3_scoring_vector": "CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:U/C:H/I:H/A:H", "status": "verified"}, "cwe": "CWE-457", "details": ["On 64-bit platforms IonMonkey-JIT only wrote 32 bits of the 64-bit return value space on the stack. Baseline-JIT, however, read the entire 64 bits. This vulnerability affects Firefox < 141, Firefox ESR < 115.26, Firefox ESR < 128.13, Firefox ESR < 140.1, Thunderbird < 141, Thunderbird < 128.13, and Thunderbird < 140.1.", "A flaw was found in Firefox and Thunderbird. The Mozilla Foundation's Security Advisory describes the following issue:\nOn 64-bit platforms, IonMonkey-JIT only wrote 32 bits of the 64-bit return value space on the stack. Baseline-JIT, however, reads the entire 64 bits."], "name": "CVE-2025-8027", "package_state": [{"cpe": "cpe:/o:redhat:enterprise_linux:10", "fix_state": "Affected", "package_name": "rhel10/firefox-flatpak", "product_name": "Red Hat Enterprise Linux 10"}, {"cpe": "cpe:/o:redhat:enterprise_linux:10", "fix_state": "Affected", "package_name": "rhel10/thunderbird-flatpak", "product_name": "Red Hat Enterprise Linux 10"}, {"cpe": "cpe:/o:redhat:enterprise_linux:10", "fix_state": "Affected", "package_name": "thunderbird", "product_name": "Red Hat Enterprise Linux 10"}, {"cpe": "cpe:/o:redhat:enterprise_linux:6", "fix_state": "Out of support scope", "package_name": "firefox", "product_name": "Red Hat Enterprise Linux 6"}, {"cpe": "cpe:/o:redhat:enterprise_linux:6", "fix_state": "Out of support scope", "package_name": "thunderbird", "product_name": "Red Hat Enterprise Linux 6"}, {"cpe": "cpe:/o:redhat:enterprise_linux:7", "fix_state": "Affected", "package_name": "firefox", "product_name": "Red Hat Enterprise Linux 7"}, {"cpe": "cpe:/o:redhat:enterprise_linux:7", "fix_state": "Out of support scope", "package_name": "thunderbird", "product_name": "Red Hat Enterprise Linux 7"}, {"cpe": "cpe:/o:redhat:enterprise_linux:8", "fix_state": "Affected", "package_name": "thunderbird", "product_name": "Red Hat Enterprise Linux 8"}, {"cpe": "cpe:/o:redhat:enterprise_linux:9", "fix_state": "Affected", "package_name": "thunderbird", "product_name": "Red Hat Enterprise Linux 9"}], "public_date": "2025-07-22T20:49:24Z", "references": ["https://www.cve.org/CVERecord?id=CVE-2025-8027\nhttps://nvd.nist.gov/vuln/detail/CVE-2025-8027\nhttps://www.mozilla.org/security/advisories/mfsa2025-58/#CVE-2025-8027\nhttps://www.mozilla.org/security/advisories/mfsa2025-62/#CVE-2025-8027"], "statement": "Red Hat Product Security rates the severity of this flaw as determined by the Mozilla Foundation Security Advisory.", "threat_severity": "Important"}

{"analysis": {"en": {"generated_at": "2026-04-22T01:03:12.624086+00:00", "value": {"mitigation_remediation": ["Upgrade Firefox to\u202f141 or a later ESR release (115.26,\u202f128.13,\u202f140.1) and upgrade Thunderbird to\u202f141 or a later ESR release (128.13,\u202f140.1).", "Restart the updated browsers or mail client to ensure the patched binaries are running.", "Restrict or disable third\u2011party extensions or scripts that inject JavaScript until the update is applied."], "summary": {"action": "Apply patch", "impact": "Partial stack value write in IonMonkey-JIT on 64-bit platforms"}, "threat_synthesis": {"affected_systems": "The issue affects Mozilla Firefox and Thunderbird running on 64\u2011bit operating systems. Versions before the security updates are impacted: Firefox 141 and earlier, as well as the Firefox ESR releases 115.26, 128.13, and 140.1; and Thunderbird 141 and earlier, together with the Thunderbird ESR releases 128.13 and 140.1.", "description_and_impact": "On 64\u2011bit platforms the IonMonkey JavaScript JIT writes only half of the 64\u2011bit return value onto the stack, while the baseline JIT reads the full 64 bits. This mismatch causes the return value that is read to not match what was written, potentially leading to inconsistent or incorrect behavior during script execution.", "risk_and_exploitability": "The CVSS score of 6.5 indicates moderate severity, and an EPSS score of <\u202f1\u202f% suggests a very low likelihood of exploitation. The vulnerability is not listed in CISA\u2019s KEV catalog. Likely attackers would need to inject or execute malicious JavaScript within the browser or mail client to trigger the IonMonkey JIT\u2019s truncated write. No publicly disclosed exploits are available for this issue."}}}}, "created": "2025-07-23T17:35:59.003889+00:00", "updated": "2026-04-22T01:15:07.299879+00:00", "vendors": ["mozilla", "mozilla$PRODUCT$firefox", "mozilla$PRODUCT$firefox_esr", "mozilla$PRODUCT$thunderbird"]}