CVE-2026-8389

HIGH

JIT miscompilation in the JavaScript Engine: JIT component

Title source: cna
STIX 2.1

Exploitation Summary

EIP tracks 1 public exploit for CVE-2026-8389. PoCs published by crixpwn.

AI-analyzed exploit summary This repository contains a functional exploit for CVE-2026-8389, targeting a SpiderMonkey BaselineJIT vulnerability where a 28-bit bitfield truncation leads to type confusion and RCE. The exploit includes a server, primer, and payload to demonstrate the vulnerability.

Description

JIT miscompilation in the JavaScript Engine: JIT component. This vulnerability was fixed in Firefox 150.0.3.

Exploits (1)

github WORKING POC 1 stars
by crixpwn · htmlpoc
https://github.com/crixpwn/CVE-2026-8389

This repository contains a functional exploit for CVE-2026-8389, targeting a SpiderMonkey BaselineJIT vulnerability where a 28-bit bitfield truncation leads to type confusion and RCE. The exploit includes a server, primer, and payload to demonstrate the vulnerability.

Classification
Working Poc 95%
Attack Type
Rce
Complexity
Complex
Reliability
Reliable
Target: Mozilla Firefox (SpiderMonkey JIT engine)
No auth needed
Prerequisites: Victim must visit a malicious webpage · JavaScript execution enabled
mistral-large-3 · analyzed Jun 04, 2026 Full analysis →

Scores

CVSS v3 8.8
EPSS 0.0033
EPSS Percentile 25.1%
Attack Vector NETWORK
CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H

CISA SSVC

Vulnrichment
Exploitation poc
Automatable no
Technical Impact total

Details

CWE
CWE-119 CWE-686 CWE-733 CWE-843
Status published
Products (2)
mozilla/firefox < 150.0.3
Mozilla/Firefox 150.0.3
Published May 12, 2026
Tracked Since May 12, 2026