LiveActive security incident?Get immediate response
CVE Record

CVE-2025-1933: JIT corruption of WASM i32 return values on 64-bit CPUs

On 64-bit CPUs, when the JIT compiles WASM i32 return values they can pick up bits from left over memory. This can potentially cause them to be treated as a different type. This vulnerability was fixed in Firefox 136, Firefox ESR 115.21, Firefox ESR 128.8, Thunderbird 136, and Thunderbird 128.8.

HighCVSS 7.6Not KEV-listedUpdated
Glexia's TakeAutomated analysishigh

Security readout for executives and security teams

Plain-English summary

This is a high-severity Mozilla issue where Firefox or Thunderbird on 64-bit systems could mishandle WebAssembly return values. A user would need to interact with malicious network-delivered content. Mozilla fixed it in Firefox 136, ESR 115.21, ESR 128.8, Thunderbird 136, and Thunderbird 128.8.

Executive priority

Prioritize routine emergency patching for browsers and mail clients because exposure is user-facing and network-reachable. Treat this as high urgency for endpoint fleets, but not as confirmed exploitation based on the provided sources.

Technical view

The JIT compiler for WASM i32 returns on 64-bit CPUs could retain stale higher-order bits from prior memory. Mozilla says this may cause values to be treated as a different type, creating corruption with low confidentiality and integrity impact and high availability impact under CVSS 3.1.

Likely exposure

Exposure is likely where managed or unmanaged endpoints run affected Mozilla Firefox or Thunderbird builds before the fixed releases, especially 64-bit desktops receiving web or email content. The bundle does not identify specific operating systems beyond Debian LTS advisory coverage.

Exploitation context

The CVSS vector indicates remote network delivery, low attack complexity, no privileges, and required user interaction. The provided bundle does not show CISA KEV listing or other evidence of active exploitation, so active exploitation should not be assumed.

Researcher notes

Focus validation on 64-bit Mozilla JIT handling of WebAssembly i32 returns and stale-bit corruption. Mozilla’s description supports potential type confusion, but the bundle does not provide public exploit details, proof-of-concept status, or deeper root-cause material.

Mitigation direction

  • Upgrade Firefox to 136, ESR 115.21, ESR 128.8, or later supported releases.
  • Upgrade Thunderbird to 136, 128.8, or later supported releases.
  • Apply relevant Debian LTS Mozilla package updates where Debian systems are in scope.
  • If updates are blocked, check Mozilla and distribution advisories for supported guidance.

Validation and detection

  • Inventory Firefox and Thunderbird versions across endpoint management and software asset tools.
  • Confirm systems are no longer running Mozilla builds earlier than the fixed versions.
  • Check Debian LTS systems for the referenced March 2025 security updates.
  • Review browser and mail client patch compliance for unmanaged 64-bit endpoints.
Prepared
Confidence
high
Sources
9

Generated from the cited source records. This long-tail analysis has not been individually reviewed by a named human.

Potential ATT&CK relevance

Conservative CVE-to-ATT&CK context

These mappings and lookup hints may be relevant to the vulnerability behavior, CWE, affected product, or exposure path. Glexia-inferred context is not an official MITRE, ATT&CK, CWE, or CVE Program mapping.

ATT&CK lookup starting points

Use these exact CWE pages and searches to review the Glexia ATT&CK library from this CVE's weakness and description context.

cve · low confidence lookup

CVE-2025-1933 mapping review

Open the CVE-to-ATT&CK bridge for reviewed, inferred, or future official mappings tied to this CVE.

Open ATT&CK lookup
Vulnerability profileCVE Program record
Severity
High
CVSS
7.6 (3.1)
Known Exploited
No
Published

Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:L/I:L/A:H

Official CVE source material

CNA and ADP enrichment extracted from CVE v5

These fields come from the CVE record and ADP containers, not from Glexia's Take. They preserve time-varying source decisions such as CISA SSVC, KEV status, CVSS metrics, and provider references.

1CVSS vectors
3Timeline events
2ADP providers
8Source links

SSVC decision data

CISA-ADPCISA Coordinator
Timestamp
Version
2.0.3
Exploitation: noneAutomatable: noTechnical Impact: partial

CVSS vector scores

1 official score

We collect every scored CVSS vector available in the official CNA and ADP containers. When more than one version is present, the table keeps the source vectors side by side instead of collapsing them into the highest score.

ScoreVersionSeverityVectorExploitImpactSource
7.6CVSS 3.1HighCVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:L/I:L/A:H2.84.7CISA-ADP

Vulnerability scoring details

Base CVSS 3.1 score

7.6High
CVSS 3.1 vector shape for CVE-2025-1933Attack VectorAttack ComplexityPrivileges RequiredUser InteractionScopeConfidentiality ImpactIntegrity ImpactAvailability Impact

Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:L/I:L/A:H

Attack Vector
NetworkAdjacentLocalPhysical
Attack Complexity
LowHigh
Privileges Required
NoneLowHigh
User Interaction
NoneRequired
Scope
ChangedUnchanged
Confidentiality Impact
HighLowNone
Integrity Impact
HighLowNone
Availability Impact
HighLowNone

Vulnerability timeline

Timeline events are normalized from CVE metadata, CNA source timelines, ADP timelines, and KEV metadata when present.

  1. CVE reservedCVE Program

    The CVE ID was reserved by the assigning CNA.

  2. CVE publishedCVE Program

    The CVE record was published.

  3. CVE updatedCVE Program

    The CVE record metadata indicates this as the latest update time.

ADP provider summaries

CISA-ADPCISA ADP Vulnrichment
cvssV3_1other:ssvc
CVECVE Program Container
Affected products

Products and packages named in the record

VendorProductVersion / packageStatus
MozillaFirefox115.21, 128.8, 136Listed
MozillaThunderbird128.8, 136Listed
Weakness

CWE details

No CWE listed

CWE links open Glexia weakness intelligence pages with official CWE context, developer remediation guidance, and related CVE mappings.