Firefox 150 JIT Boundary Condition Vulnerability in JS Engine
CVE-2026-8388 Published on May 12, 2026
Incorrect boundary conditions in the JavaScript Engine: JIT component
Incorrect boundary conditions in the JavaScript Engine: JIT component. This vulnerability was fixed in Firefox 150.0.3, Firefox ESR 115.36, Firefox ESR 140.11, and Thunderbird 140.11.
Vulnerability Analysis
CVE-2026-8388 is exploitable with network access, requires user interaction. This vulnerability is consided to have a high level of attack complexity. The potential impact of an exploit of this vulnerability is considered to be very high.
Weakness Types
What is a Buffer Overflow Vulnerability?
The software performs operations on a memory buffer, but it can read from or write to a memory location that is outside of the intended boundary of the buffer.
CVE-2026-8388 has been classified to as a Buffer Overflow vulnerability or weakness.
What is a Memory Corruption Vulnerability?
The software writes data past the end, or before the beginning, of the intended buffer. Typically, this can result in corruption of data, a crash, or code execution. The software may modify an index or perform pointer arithmetic that references a memory location that is outside of the boundaries of the buffer. A subsequent write operation then produces undefined or unexpected results.
CVE-2026-8388 has been classified to as a Memory Corruption vulnerability or weakness.
Products Associated with CVE-2026-8388
You can be notified by email with stack.watch whenever vulnerabilities like CVE-2026-8388 are published in these products:
Affected Versions
Mozilla Firefox:- Version 115.36, <= 115.* is unaffected.
- Version 140.11, <= 140.* is unaffected.
- Version 150.0.3, <= * is unaffected.
- Version 140.11, <= * is unaffected.
- Version 0:140.11.0-1.el10_2 and below * is unaffected.
- Version 0:140.11.0-1.el10_2 and below * is unaffected.
- Version 0:140.11.0-1.el10_0 and below * is unaffected.
- Version 0:140.11.0-1.el10_0 and below * is unaffected.
- Version 0:140.11.0-1.el7_9 and below * is unaffected.
- Version 0:140.11.0-1.el8_10 and below * is unaffected.
- Version 0:140.11.0-1.el8_10 and below * is unaffected.
- Version 0:140.11.0-1.el8_4 and below * is unaffected.
- Version 0:140.11.0-1.el8_4 and below * is unaffected.
- Version 0:140.11.0-1.el8_4 and below * is unaffected.
- Version 0:140.11.0-1.el8_4 and below * is unaffected.
- Version 0:140.11.0-1.el8_6 and below * is unaffected.
- Version 0:140.11.0-1.el8_6 and below * is unaffected.
- Version 0:140.11.0-1.el8_6 and below * is unaffected.
- Version 0:140.11.0-1.el8_6 and below * is unaffected.
- Version 0:140.11.0-1.el8_8 and below * is unaffected.
- Version 0:140.11.0-1.el8_8 and below * is unaffected.
- Version 0:140.11.0-1.el8_8 and below * is unaffected.
- Version 0:140.11.0-1.el8_8 and below * is unaffected.
- Version 0:140.11.0-1.el9_8 and below * is unaffected.
- Version 0:140.11.0-1.el9_8 and below * is unaffected.
- Version 0:140.11.0-1.el9_2 and below * is unaffected.
- Version 0:140.11.0-1.el9_2 and below * is unaffected.
- Version 0:140.11.0-1.el9_4 and below * is unaffected.
- Version 0:140.11.0-1.el9_4 and below * is unaffected.
- Version 0:140.11.0-1.el9_6 and below * is unaffected.
- Version 0:140.11.0-1.el9_6 and below * is unaffected.
Exploit Probability
EPSS (Exploit Prediction Scoring System) scores estimate the probability that a vulnerability will be exploited in the wild within the next 30 days. The percentile shows you how this score compares to all other vulnerabilities.