
Cloud Vulnerability DB
A community-led vulnerabilities database
CVE-2025-8028 is a high-impact vulnerability in the WebAssembly implementation of Mozilla Firefox and Thunderbird. It was disclosed on July 22, 2025, and affects Firefox versions before 141, Firefox ESR versions before 115.26, 128.13, and 140.1, as well as Thunderbird versions before 141, 128.13, and 140.1. The issue was discovered by Gary Kwong from Mozilla (Mozilla Advisory).
The vulnerability occurs specifically on arm64 architectures where a WebAssembly br_table instruction containing numerous entries could cause the label to be positioned too far from the instruction. This distance leads to truncation and subsequent incorrect computation of the branch address. The vulnerability has been assigned a CVSS v3.1 base score of 9.8 CRITICAL (AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H) by CISA-ADP, indicating its severe nature (NVD Database).
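The truncation described above can be reproduced in isolation. The following is an added example, not code from Firefox or from the advisory: it encodes a PC-relative distance into a fixed-width signed immediate with and without a range check. The 19-bit field width and all function names are assumptions, since the page does not say which instruction or field width was involved.

```c
#include <stdbool.h>
#include <stdint.h>
#include <stdio.h>

/* Assumed sample field: a 19-bit signed immediate counting 4-byte
 * instructions (the shape of an AArch64 conditional-branch offset).
 * The page does not state the instruction or width behind CVE-2025-8028. */
#define IMM_BITS 19
#define IMM_MASK ((1u << IMM_BITS) - 1u)
#define INSN_BYTES 4

/* Buggy pattern: the offset is masked into the field with no range check. */
uint32_t encode_unchecked(int64_t byte_offset) {
    return (uint32_t)(byte_offset / INSN_BYTES) & IMM_MASK;
}

/* Hardened pattern: refuse offsets the field cannot represent. */
bool encode_checked(int64_t byte_offset, uint32_t *imm_out) {
    int64_t words = byte_offset / INSN_BYTES;
    int64_t limit = (int64_t)1 << (IMM_BITS - 1);
    if (byte_offset % INSN_BYTES != 0 || words < -limit || words >= limit)
        return false; /* caller must emit a longer-range sequence instead */
    *imm_out = (uint32_t)words & IMM_MASK;
    return true;
}

/* What the CPU computes from the field: sign-extend, then scale to bytes. */
int64_t decode(uint32_t imm) {
    int64_t words = imm & IMM_MASK;
    if (words & ((int64_t)1 << (IMM_BITS - 1)))
        words -= (int64_t)1 << IMM_BITS;
    return words * INSN_BYTES;
}

int main(void) {
    /* Constructed label distances: last in-range value, then two too far. */
    int64_t distances[] = { 0xFFFFC, 0x100000, 0x100004 };
    for (int i = 0; i < 3; i++) {
        uint32_t imm;
        int64_t d = distances[i];
        printf("label at %+lld bytes: unchecked lands at %+lld, checked %s\n",
               (long long)d, (long long)decode(encode_unchecked(d)),
               encode_checked(d, &imm) ? "accepts" : "rejects");
    }
    return 0;
}
```

Once the label is one instruction past the representable range, the unchecked encoding decodes to an address on the opposite side of the branch, which is why an emitter has to reject or re-route out-of-range labels rather than mask them.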
The vulnerability has been rated as having a high impact. When exploited, the incorrect computation of branch addresses could lead to memory corruption. According to Mozilla's security advisory, this type of vulnerability could potentially be exploited to run arbitrary code on affected systems (Mozilla Advisory).
Mozilla has released patches for this vulnerability in Firefox 141, Firefox ESR 115.26, Firefox ESR 128.13, Firefox ESR 140.1, Thunderbird 141, Thunderbird 128.13, and Thunderbird 140.1. Users are strongly advised to update to these versions or later to mitigate the vulnerability (Mozilla Advisory, Red Hat Advisory).
Source: This report was generated using AI