CVE-2026-2796

CRITICAL

Firefox < 148.0 - Type Confusion in JavaScript WebAssembly JIT

Title source: llm

Exploitation Summary

EIP tracks 2 public exploits for CVE-2026-2796. PoCs published by WostGit.

AI-analyzed exploit summary: This repository contains a functional exploit PoC for CVE-2026-2796, demonstrating memory corruption primitives (addrof and fakeobj) in Firefox using WebAssembly (WAT). The exploit leverages WAT text compilation to achieve reliable address leakage and object forgery.

Description

JIT miscompilation in the JavaScript: WebAssembly component. This vulnerability was fixed in Firefox 148 and Thunderbird 148.

Exploits (2)

nomisec WORKING POC
by WostGit · poc
https://github.com/WostGit/CVE-2026-2796

This repository contains a functional exploit PoC for CVE-2026-2796, demonstrating memory corruption primitives (addrof and fakeobj) in Firefox using WebAssembly (WAT). The exploit leverages WAT text compilation to achieve reliable address leakage and object forgery.

Classification: Working PoC 95%
Attack Type: RCE
Complexity: Complex
Reliability: Reliable
Target: Firefox 147.0, 148.0.2
No auth needed
Prerequisites: Firefox 147.0 or 148.0.2 · WebAssembly support
devstral-2 · analyzed Apr 09, 2026

nomisec WORKING POC
by WostGit · poc
https://github.com/WostGit/cve-2026-2796-repro

This repository contains a functional proof-of-concept for CVE-2026-2796, a Wasm JIT type confusion vulnerability in Firefox. The GitHub Actions workflow automates the download of vulnerable Firefox versions and executes a precise reproduction script to demonstrate the vulnerability.

Classification: Working PoC 95%
Attack Type: RCE
Complexity: Moderate
Reliability: Reliable
Target: Firefox < 148.0
No auth needed
Prerequisites: Firefox 147.0 or earlier · WebAssembly support
devstral-2 · analyzed Apr 09, 2026

Scores

CVSS v3: 9.8
EPSS: 0.0003
EPSS Percentile: 9.8%
Attack Vector: NETWORK
Vector String: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

CISA SSVC

Vulnrichment
Exploitation: none
Automatable: yes
Technical Impact: total

Details

CWE: CWE-843
Status: published
Products (4)
mozilla/firefox < 148.0
Mozilla/Firefox 148
mozilla/thunderbird < 148.0
Mozilla/Thunderbird 148
Published: Feb 24, 2026
Tracked Since: Feb 24, 2026