A critical flaw in the JavaScript Just-In-Time (JIT) compiler of Mozilla Firefox and Thunderbird allows unauthenticated attackers to execute arbitrary code on target systems.

This vulnerability involves a JIT miscompilation within the JavaScript Engine. An unauthenticated attacker can exploit this by serving a malicious script that triggers an incorrect compilation path, leading to memory corruption and code execution.

This vulnerability enables Remote Code Execution (RCE), which could result in a total loss of system integrity and confidentiality. Attackers can leverage this to steal session cookies, access local files, or deploy ransomware. The CVSS score of 9.8 indicates that this is a highly critical threat that requires immediate remediation.

Immediate Action: Update Firefox and Thunderbird to version 149 or the latest available ESR releases to patch the JavaScript Engine.

Proactive Monitoring: Monitor for anomalous JavaScript execution patterns and high CPU usage by browser processes, which may indicate exploitation attempts.

Compensating Controls: Disable JIT compilation via browser configuration if updates cannot be applied immediately, though this will significantly impact performance.

Public Exploit Available: No

The risk of remote code execution via the JavaScript engine is a top-tier security concern. We strongly recommend that all organizations apply the vendor-provided patches immediately to mitigate the risk of unauthenticated attacks targeting end-users.