CVE-2026-2796 is a critical vulnerability in Firefox's JavaScript WebAssembly component caused by JIT miscompilation during WebAssembly import handling. The flaw arises when Firefox optimizes Function.prototype.call.bind wrappers and unwraps the inner target function without verifying that the target function's actual signature matches the WebAssembly import's declared type. During initialization, the unwrapped target is stored for later use, but subsequent exported-function handling can return the underlying WebAssembly function directly without preserving the safer call.bind interop path. This allows one WebAssembly module to treat a function reference as if it had a different signature than the function actually implements. A later call through call_ref can then bypass normal JS interop conversion and cause raw WebAssembly stack values to be interpreted under the wrong type, resulting in type confusion. Public reporting indicates this type confusion can be developed into classical exploitation primitives including address disclosure, fake object creation, arbitrary read, arbitrary write, and ultimately code execution within the JavaScript engine. The issue was fixed in Firefox 148 and Thunderbird 148.
Mallory correlates every CVE against your assets, your vendors, and active adversary campaigns. Know which vulnerabilities matter for you, not just which ones are loud.
What it means. What to do now. Patch path, mitigations, and the assume-compromise checklist.
What an attacker gets, and what they’ve been doing with it.
If you can’t patch tonight, do this now.
Patch, then assume compromise.
2 valid exploits after Mallory filtered fakes, detection scripts, and README-only repos.
This repository is a single-file GitHub Actions-based proof of concept for CVE-2026-2796. It is not a full exploit framework or weaponized exploit; instead, it automates reproduction of a SpiderMonkey/WebAssembly type confusion or optimization bypass condition using Mozilla's standalone js shell. Structure: the repository contains only .github/workflows/blank.yml. That workflow defines a matrix job testing two versions: Firefox 147.0 (expected vulnerable) and 148.0.2 (expected patched). The workflow installs dependencies, downloads the corresponding js shell from Mozilla archive infrastructure, generates a JavaScript PoC on the fly, and executes it. Exploit capability: the generated JavaScript constructs two WebAssembly modules. Module B exports a simple identity function. That function is wrapped with Function.prototype.call.bind, then imported into Module A, which invokes it through a Wasm ref.func/call_ref-related path. The intended effect is to demonstrate that on vulnerable builds the optimization incorrectly bypasses the bound-call semantics and directly invokes the raw Wasm function, returning the original input 1337. On patched builds, argument handling changes and the result is 0. This makes the repository a reproduction PoC for vulnerability verification and regression testing, not a post-exploitation tool. Operationally, the workflow reaches out to archive.mozilla.org and ftp.mozilla.org to fetch jsshell-linux-x86_64.zip, extracts jsshell/js, writes repro-cve-2026-2796.js, and runs it locally. There are no reverse shells, callbacks, credential theft routines, persistence mechanisms, or lateral movement features. The main security-relevant observable behavior is local execution of a crafted Wasm/JavaScript sequence against specific SpiderMonkey builds to confirm vulnerable behavior.
The repository contains a single GitHub Actions workflow, .github/workflows/blank.yml, which serves as the entire proof-of-concept. It is not a traditional standalone exploit program; instead, it automates environment setup, downloads Mozilla's JavaScript shell for Firefox versions 147.0 and 148.0.2, generates a JavaScript file named stage2.js, and executes it. The exploit logic is embedded directly inside the workflow as a heredoc. The JavaScript uses WebAssembly to construct two core exploitation primitives commonly used in browser/JIT/engine exploitation: addrof, which obtains an address-like representation of a JavaScript object, and fakeobj, which attempts to turn an integer/address back into an object reference. It does this by creating WebAssembly modules that reinterpret externref and i64 values through imported/exported function calls and call_ref usage. The script then tests these primitives against a sample object and prints a verdict indicating whether each primitive appears to work. Operationally, this is a proof-of-concept for memory corruption research rather than a complete weaponized exploit. There is no reverse shell, command execution payload, persistence, or post-exploitation logic. Its purpose is to validate whether the targeted engine behavior can produce exploitation building blocks. Because the repository consists only of a CI workflow and generated script, the structure is minimal: one YAML workflow file containing shell commands and embedded JavaScript exploit code.
Products and vendors Mallory has correlated with this vulnerability. Open in Mallory to drill down to specific CPE configurations and version ranges.
Vendor-confirmed product mapping. Mallory continuously reconciles this list against your asset inventory.
13 sources tracked across advisories, community write-ups, and news. New activity surfaces here as Mallory finds it.
A critical Firefox JavaScript/WebAssembly JIT miscompilation vulnerability that can be exploited (in a reduced-security test setup) to achieve arbitrary read/write and code execution via type confusion.
A critical Firefox vulnerability described as a just-in-time (JIT) miscompilation in the JavaScript WebAssembly component.
A vulnerability referenced only by CVE ID in the context of reverse engineering an exploit for it; no additional details are provided in the content.
A now-patched high-severity Firefox vulnerability for which Anthropic reports Claude generated a working exploit in a reduced-security testing environment (not a full-chain sandbox escape).
Query your assets running an affected version, and investigate the blast radius.
Every observed campaign linking this CVE to a named adversary.
Malware families riding this exploit, with evidence and IOCs.
YARA, Sigma, Snort, and vendor rules, auto-deployed to your SIEM.
Cross-references every affected SKU, including bundled OEM variants.
Community discussion across Reddit, Mastodon, and other social sources.