Firefox JavaScript/WebAssembly invalid pointer with public exploit code
An invalid-pointer flaw in Firefox's JavaScript / WebAssembly component. Mozilla notes exploit code is public but no in-the-wild attacks are confirmed. Fixed in Firefox 152.0.6.
- Vendor
- Mozilla
- Product
- Firefox (pre-152.0.6)
- CVSS
- 4.3
- EPSS (exploit probability)
- N/A
- Status
- patched
- Published
CVE-2026-15718 is an invalid-pointer bug in Firefox’s JavaScript / WebAssembly component. Mozilla’s advisory carries the notable language “We are aware that exploit code for this is public however we are not aware of any attacks in the wild abusing this flaw.” NVD scores the bug 4.3 (medium) — Mozilla’s warning about public exploit code is what warrants the patch urgency, not the base score.
The fix ships in Firefox 152.0.6. Managed Firefox deployments should be force-relaunched — Firefox does not swap the running process to the patched build until the browser restarts, and users routinely leave it open for weeks. See the Mozilla Foundation Security Advisories index for the corresponding MFSA.
Full coverage of this and the concurrent Chrome and Adobe releases: Firefox exploit code public; Chrome, Adobe patch same day.
