CVE-2025-1933: JIT corruption of WASM i32 return values on 64-bit CPUs
On 64-bit CPUs, when the JIT compiles WASM i32 return values they can pick up bits from left over memory. This can potentially cause them to be treated as a different type. This vulnerability was fixed in Firefox 136, Firefox ESR 115.21, Firefox ESR 128.8, Thunderbird 136, and Thunderbird 128.8.
Security readout for executives and security teams
Plain-English summary
This is a high-severity Mozilla issue where Firefox or Thunderbird on 64-bit systems could mishandle WebAssembly return values. A user would need to interact with malicious network-delivered content. Mozilla fixed it in Firefox 136, ESR 115.21, ESR 128.8, Thunderbird 136, and Thunderbird 128.8.
Executive priority
Prioritize routine emergency patching for browsers and mail clients because exposure is user-facing and network-reachable. Treat this as high urgency for endpoint fleets, but not as confirmed exploitation based on the provided sources.
Technical view
The JIT compiler for WASM i32 returns on 64-bit CPUs could retain stale higher-order bits from prior memory. Mozilla says this may cause values to be treated as a different type, creating corruption with low confidentiality and integrity impact and high availability impact under CVSS 3.1.
Likely exposure
Exposure is likely where managed or unmanaged endpoints run affected Mozilla Firefox or Thunderbird builds before the fixed releases, especially 64-bit desktops receiving web or email content. The bundle does not identify specific operating systems beyond Debian LTS advisory coverage.
Exploitation context
The CVSS vector indicates remote network delivery, low attack complexity, no privileges, and required user interaction. The provided bundle does not show CISA KEV listing or other evidence of active exploitation, so active exploitation should not be assumed.
Researcher notes
Focus validation on 64-bit Mozilla JIT handling of WebAssembly i32 returns and stale-bit corruption. Mozilla’s description supports potential type confusion, but the bundle does not provide public exploit details, proof-of-concept status, or deeper root-cause material.
Mitigation direction
Upgrade Firefox to 136, ESR 115.21, ESR 128.8, or later supported releases.
Upgrade Thunderbird to 136, 128.8, or later supported releases.
Apply relevant Debian LTS Mozilla package updates where Debian systems are in scope.
If updates are blocked, check Mozilla and distribution advisories for supported guidance.
Validation and detection
Inventory Firefox and Thunderbird versions across endpoint management and software asset tools.
Confirm systems are no longer running Mozilla builds earlier than the fixed versions.
Check Debian LTS systems for the referenced March 2025 security updates.
Review browser and mail client patch compliance for unmanaged 64-bit endpoints.
Generated from the cited source records. This long-tail analysis has not been individually reviewed by a named human.
Potential ATT&CK relevance
Conservative CVE-to-ATT&CK context
These mappings and lookup hints may be relevant to the vulnerability behavior, CWE, affected product, or exposure path. Glexia-inferred context is not an official MITRE, ATT&CK, CWE, or CVE Program mapping.
ATT&CK lookup starting points
Use these exact CWE pages and searches to review the Glexia ATT&CK library from this CVE's weakness and description context.
cve · low confidence lookup
CVE-2025-1933 mapping review
Open the CVE-to-ATT&CK bridge for reviewed, inferred, or future official mappings tied to this CVE.
These fields come from the CVE record and ADP containers, not from Glexia's Take. They preserve time-varying source decisions such as CISA SSVC, KEV status, CVSS metrics, and provider references.
We collect every scored CVSS vector available in the official CNA and ADP containers. When more than one version is present, the table keeps the source vectors side by side instead of collapsing them into the highest score.